WhatsApp, Signal and other messaging services have urged the UK government to reconsider the Online Safety Bill (OSB). The bill gives the Office of Communications (or Ofcom), the UK’s communications regulator, the power to ask platforms to monitor users to identify and remove child abuse material.
Companies are concerned that the new law will undermine the apps’ end-to-end encryption — something the meta-owned company and Signal have consistently encouraged. End-to-end encrypted chats can only be read on the sender and recipient app.
“Our position remains clear. We will not refrain from providing private, secure communications. Today we join other encrypted messengers in rolling back the UK’s flawed online safety law,” Signal said in a tweet.
The company also shared a letter signed by Will Cathcart, head of WhatsApp at Meta, Meredith Whittaker, president of Signal, and representatives from apps Threema, Element, Wire and Session.
Here is what the letter reads
For everyone who cares about security and data protection on the Internet.
As end-to-end encrypted communications services, we urge the UK Government to address the risks that the Online Safety Act poses to everyone’s privacy and security. It’s not too late to ensure that the bill is consistent with the government’s stated intention to protect end-to-end encryption and respect the human right to privacy.
Around the world, businesses, individuals, and governments face ongoing threats from online fraud, fraud, and data theft. Malicious actors and hostile states routinely challenge the security of our critical infrastructure. End-to-end encryption is one of the strongest lines of defense against these threats, and as key institutions become more dependent on Internet technologies to conduct core operations, the stakes have never been higher.
As it stands, the bill could break end-to-end encryption and open the door to routine, general, and indiscriminate surveillance of personal messages from friends, family members, co-workers, executives, journalists, human rights activists, and even politicians themselves, the ability of anyone to to communicate securely, fundamentally undermined.
The draft law offers no explicit protections for encryption and, if implemented as written, could authorize OFCOM to attempt to enforce proactive scanning of private messages on end-to-end encrypted communications services, thereby defeating the purpose of the end-to -End encryption will be nullified and endanger the privacy of all users.
In short, the law poses an unprecedented threat to the privacy and security of all UK citizens and the people they communicate with around the world, while emboldening hostile governments who may seek to craft knock-on legislation.
Proponents say they appreciate the importance of encryption and privacy, but also claim it’s possible to monitor everyone’s messages without undermining end-to-end encryption. The truth is that this is not possible.
We’re not the only ones who share concerns about the UK bill. The United Nations has warned that the UK government’s efforts to enforce backdoor requirements “represent a paradigm shift that raises a host of serious issues with potentially dire consequences”.
Even the UK government itself has acknowledged the privacy risks posed by the text of the bill, but has said its “intent” is not for the bill to be interpreted in that way.
Global providers of end-to-end encrypted products and services cannot weaken the security of their products and services to accommodate individual governments. There can be no “British Internet” or a UK-specific version of end-to-end encryption.
The UK government urgently needs to reconsider and revise the law to encourage businesses to offer their residents more privacy and security, not less. Weakening encryption, undermining privacy, and introducing mass surveillance of people’s private communications is not the way forward.
Signed by those who care about the security of our conversations:
Matthew Hodgson, CEO, Element
Alex Linton, Director, OPTF/Session
Meredith Whittaker, President, Signal
Martin Blatter, CEO, Threema
Ofir Eyal, CEO, Viber Will Cathcart, Head of WhatsApp at Meta Alan Duric, CTO, Wire
Here’s what the UK government has to say
The government said it was possible to have both privacy and child safety.
“We support strong encryption, but this must not come at the expense of public safety. Tech companies have a moral duty to ensure they don’t blind themselves and law enforcement to the unprecedented levels of child sexual abuse on their platforms,” the BBC quoted a government official as saying.
“The Online Safety Act in no way prohibits end-to-end encryption, nor does it require encryption weakening services,” the official added.