The End of End-to-End Encryption
WhatsApp, the instant messaging service with more than 1.3 billion users worldwide, uses end-to-end encryption as a security feature. When you send a message, the content or data in it is encrypted, which means it is turned into an unreadable code that can only be mathematically deciphered by those who have the secret key. End-to-end encryption provides the strongest level of trust and security, as only the sender and the recipient have the key, so even the owner or programmer who designed WhatsApp cannot read the messages. If your message is intercepted by a third party, the message will remain illegible gibberish. Modern encryption is tough to break because the number of possible keys far exceeds the number of guesses that even today’s fastest computers can make in a reasonable time. It is a cheap, safe and secure method of data protection. Hence, WhatsApp users can, at least for now, be reassured that only the intended recipients can read the messages. The same goes for many other services, such as Zoom, Microsoft Teams and FaceTime.
Unfortunately, the Online Safety Bill, which has already passed its second reading in the House of Commons, will force companies to compromise on these security features.
Although the original intent of the Bill, which promises to prevent users from being exposed to harmful content such as terrorism and child abuse, is a noble one, the Bill has wide-ranging implications for security features like end-to-end encryption.
Clause 103(2) of the draft legislation allows the Office of Communication (OFCOM) to issue a notice requiring service providers to use ‘accredited technology’ to identify child abuse content, whether communicated publicly or privately. Clause 92(4) then makes it an offence for the provider to give ‘information which is encrypted such that it is not possible for OFCOM to understand it, or produces a document which is encrypted such that it is not possible for OFCOM to understand the information it contains’. Schedule 12 of the Bill further stipulates that failure to comply can lead to fines of up to £18 million or 10% of global revenue.
The regulatory framework and the penalties will compel companies to weaken encryption in order to intercept communications and avoid violating the duty of care placed on them. Lawmakers have claimed that the Bill does not remove end-to-end encryption, as it simply requires companies to install ‘encryption backdoors’ to allow ‘exceptional access’ to law enforcement agencies. This is, however, technologically impossible, as end-to-end encryption by definition does not allow third parties to hold the key to encryption.
It is easy to miscategorise the issue as a classic dilemma between privacy and security, but the truth is that the Bill promotes neither. There is no backdoor that will only let the ‘good guys’ in. Creating a backdoor for law enforcement will also create an opening for criminals and hostile actors to exploit. In 2015, Juniper Networks Inc. discovered unauthorised code in its ScreenOS firewall software that allowed hackers to decipher encrypted information and gain access to the networks of its customers. A probe into the cause suggested that there was an intentional flaw in the encryption algorithm Dual_EC, which was deliberately designed to include a backdoor enabling the US National Spy Agency to eavesdrop on overseas clients of Juniper. The opening rendered the system vulnerable to cyberattacks. The lesson to learn from this incident is that any backdoor in the encryption algorithm is a security risk.
Adding to the security risk is the extremely broad discretionary power given to the Secretary of State. The government might assure the public that email services, at least for now, are exempted from the Bill. However, clause 174(9) empowers the Secretary of State to add or remove services from the exemption list, so the scope of the legislation might broaden in the future. This will create a chilling effect; service providers who are currently exempted might opt to weaken encryption to conform to the potential effect of the Bill in the future.
The Government promised that the Online Safety Bill would deliver their manifesto commitment to make the UK the ‘safest place in the world to be online’; but in actuality the legislation undermines both privacy and security, leaving individuals and companies vulnerable to data leakage. By compelling the removal of end-to-end encryption, the Bill effectively spells the end of private conversation. As UN Special Rapporteur on freedom of expression David Kaye said, ‘national laws should recognize that individuals are free to protect the privacy of their digital communications by using encryption technology’. The Online Safety Bill in its current form does not promote safety. It needs to be re-drafted to be compatible with end-to-end encryption.
Theodore Ka Fai Fung is an intern at the Adam Smith Institute. Currently a law student at King’s College London, he is a strong advocate for holding the government accountable. Throughout his internship, he researched the impact of the Online Safety Bill on encryption, as well as the effect on civil liberties of the electronic monitoring of protestors proposed in the Public Order Bill.