Tech companies and NGOs urge rewrite of Online Safety Bill to protect encrypted comms

The Online Safety Bill faces amendments in the House of Lords amid concerns that it could weaken the security of end-to-end encrypted communications for UK citizens

Technology companies offering encrypted messaging services have urged the government to make urgent changes to legislation going through Parliament that threatens to undermine the privacy of encrypted communications.

In an open letter, WhatsApp, Signal, Threema and other encrypted messaging services called for the UK government to rethink measures in the Online Safety Bill that could weaken the security of encrypted communications around the world.

The National Union of Journalists, which represents journalists in the UK, has also warned that the bill could undermine the safety of communications between journalists and their confidential sources.

The Online Safety Bill, which begins its committee stage in the House of Lords tomorrow (19 April 2023), faces a number of amendments from peers who have raised concerns about aspects of the legislation.

WhatsApp, owned by Meta, said in a statement that the bill could force technology companies to break end-to-end encryption on private messaging services, affecting the privacy of billions of people.

The bill, as currently drafted, could “open the door to routine, general and indiscriminate surveillance of personal messages” and put the communications of journalists, human rights activists, politicians and ordinary citizens at risk, the open letter states.

The Home Office argues that new powers are needed in the Online Safety Bill to ensure that technology companies and law enforcement agencies can identify child sexual abuse content on encrypted platforms.

The bill will give the regulator, Ofcom, powers to require communications companies to install technology capable of identifying child abuse images on encrypted communications services.

The regulator will be able to impose fines of up to £18m or 10% of turnover, whichever is greater, for companies that do not comply.

“We support strong encryption, but this cannot come at the cost of public safety. Tech companies have a moral duty to ensure they are not blinding themselves and law enforcement to the unprecedented levels of child sexual abuse on their platforms,” a Home Office spokesman said in a statement.

The Home Office is advocating technology known as client-side scanning, which would be installed on people’s phones or computers to intercept and identify messages that might contain abuse material or terrorism content before they are encrypted.

But technology companies and leading computer scientists have argued that it is not possible to surveil people’s messages without undermining end-to-end encryption and putting the privacy of their communications at risk.

The open letter has been signed by the leaders of seven technology companies:

  • Matthew Hodgson, CEO, Element
  • Alex Linton, director, OPTF/Session
  • Meredith Whittaker, president, Signal
  • Martin Blatter, CEO, Threema
  • Ofir Eyal, CEO, Viber
  • Will Cathcart, head of WhatsApp, Meta
  • Alan Duric, CTO, Wire

The letter argues that end-to-end encryption offers one of the strongest possible defences against malicious actors and hostile states, along with persistent threats from online fraud, scams and data theft.

“As end-to-end-encrypted communication services, we urge the UK government to address the risks that the Online Safety Bill poses to everyone’s privacy and safety. It is not too late to ensure that the bill aligns with the government’s stated intention to protect end-to-end encryption and respect the human right to privacy,” the letter states.

The UK government has acknowledged the privacy risks in the text of the bill, but has said its “intention” is not for the bill to be interpreted in a way that could allow the government backdoor access to encrypted messages.

The tech companies state in the open letter that they are unable to weaken the security of their communications services to suit individual governments. “There cannot be a version of end-to-end encryption that is specific to the UK,” the letter states.

The technology companies are urging the government to rethink the bill to encourage companies to offer “more privacy and security” to UK residents, “not less”.

“Weakening encryption, undermining privacy and introducing mass surveillance of people’s private communications is not the way forward,” the technology companies stated.

BCS, The Chartered Institute for IT, said weakening encryption of secure messaging apps in online safety legislation would damage public trust in technology. 

BCS CEO Rashik Parmar said: “There is grave concern that the Online Safety Bill’s requirements around identifying illegal content could break the principle of end-to-end encryption with the promise of a magical backdoor.

“Once a backdoor has been compromised, data and content protected by the encryption becomes accessible. This is exactly what many bad actors would welcome.”

Journalists at risk

The National Union of Journalists also warned that the government risks undermining the security of confidential communications between journalists and their sources.

Michelle Stanistreet, National Union of Journalists general secretary, said information to inform public interest journalism remains under threat: “Government must act now, introducing amendments that ensure protections are afforded to journalists and their encrypted messages.”

Monica Horten, policy manager at the Open Rights Group, said: “In its current form, it [the Online Safety Bill] threatens every person’s right to freedom of expression and privacy. In particular, the bill could allow the scanning of everyone’s private messages.”

A Home Office spokesman said in a statement that the Online Safety Bill did not represent a ban on end-to-end encryption and would not require messaging services to weaken their encryption.

“Where it is the only effective, proportionate and necessary action available, Ofcom will be able to direct platforms to use accredited technology, or make best endeavours to develop new technology, to accurately identify child sexual abuse content, so it can be taken down and the despicable predators brought to justice,” said the spokesman.
