WhatsApp and other encrypted messaging apps unite against new law

Encrypted messaging services have jointly called for changes to parts of the UK Online Safety Bill (OSB).

WhatsApp, Session, Signal, Element, Threema, Viber and Wire have all signed a letter asking the government to “urgently rethink” the proposed law.

As drafted, critics say, the bill could undermine the privacy of end-to-end encryption – the technology at the heart of what these companies provide.

The government has said it is possible to have both privacy and child safety.

“We support strong encryption,” a government official said, “but this cannot come at the cost of public safety.

“Tech companies have a moral duty to ensure they are not blinding themselves and law enforcement to the unprecedented levels of child sexual abuse on their platforms.

“The Online Safety Bill in no way represents a ban on end-to-end encryption, nor will it require services to weaken encryption.”

End-to-end encryption (E2EE) provides the most robust level of security because nobody other than the sender and intended recipient can read the message information.

Even the operator of the app cannot unscramble messages as they pass across systems – they can be decrypted only by the people in the chat.

“Weakening encryption, undermining privacy and introducing the mass surveillance of people’s private communications is not the way forward,” the open letter warns.

It is signed by:

In its current form, the OSB “opens the door to routine, general and indiscriminate surveillance of personal messages”, the letter says.

And the bill “poses an unprecedented threat to the privacy, safety and security of every UK citizen and the people with whom they communicate around the world, while emboldening hostile governments who may seek to draft copycat laws”.

“Proponents say that they appreciate the importance of encryption and privacy while also claiming that it’s possible to surveil everyone’s messages without undermining end-to-end encryption. The truth is that this is not possible,” the letter says.

Mr Hodgson, of UK company Element, called the proposals a “spectacular violation of privacy… equivalent to putting a CCTV camera in everyone’s bedroom”.

Mr Cathcart has told BBC News WhatsApp would rather be blocked in the UK than weaken the privacy of encrypted messaging.

Ms Whittaker has said the same – Signal “would absolutely, 100% walk” should encryption be undermined.

And Swiss-based app Threema has told BBC News weakening its security “in any way, shape, or form” is “completely out of the question”.

“Even if we were to add surveillance mechanisms – which we won’t – users could spot and remove them with relatively low effort because the Threema apps are open source”, spokeswoman Julia Weiss wrote.

Other companies have also told BBC News of their unwillingness to comply.

Email services are exempt – but Europe-based Proton best known for its encrypted email service worries features in its Drive product may bring it within scope of the bill.

The company’s Andy Yen has suggested, as a last resort, it could leave the UK if the law comes into force unamended, as it would no longer be able “to operate a service that is premised upon defending user privacy”.

That could mean “refusing service to users in the UK, shutting down our legal entity in the UK and re-evaluating future investments in infrastructure”, Proton said.

Liberal Democrat digital-economy spokesman Lord Clement-Jones, who is backing an amendment to the bill, said: “The OSB as it stands could lead to a duty to surveil every message anyone sends.

“We need to know the government’s intentions on this.”

It was important properly encrypted services were retained, he told BBC News, and he expected Ofcom to issue a code of practice for how it intended to use the law.

The bill would enable Ofcom to make companies scan messages – text, images, videos and files – with “approved technology” in order to identify child sexual abuse material. However, the communications regulator told Politico it would do so only if there was an “urgent need” and “would need a high bar of evidence in order to be able to require that a technology went into an encrypted environment”.

It is widely assumed this will mean messages are scanned by software on a phone or other device before they are encrypted – a technique called client-side scanning.

But many services say this would mean re-engineering their products just for the UK.

“Global providers of end-to-end encrypted products and services cannot weaken the security of their products and services to suit individual governments,” the letter says.

“There cannot be a ‘British internet’ or a version of end-to-end encryption that is specific to the UK.”

The technology giants say both safety and privacy can be addressed in other ways – but children’s charities disagree.

The National Society for the Prevention of Cruelty to Children (NSPCC) called direct messaging “the front line” of child sexual abuse.