The UK government’s plans to weaken encryption can “easily be exploited” by hackers and officials, experts have warned.
The proposals are part of the controversial Online Safety Bill, which is currently working its way through parliament. Ministers say the legislation would make Britain “the safest place in the world to be online,” but campaigners fear it will erode free speech and privacy.
Their prime concern involves the threat to end-to-end encrypted (E2EE) messenger apps. Under the mooted measures, telecoms regulators could force platforms to scan through private messages for illegal content.
A new clause in the legislation requires services to use “accredited technology” to stop people from encountering terrorist or child sexual abuse material. This amendment may compel apps to use government-approved tools to monitor users.
Encryption advocates argue that this undermines the purpose of E2EE, while exacerbating the risk of hacks and mass surveillance. Among the bill’s most prominent opponents is WhatsApp, which offers encrypted messaging to 40 million users in the UK, and around 2 billion globally. Will Cathcart, who heads the Meta-owned app, has threatened to block the service for British users if the rules are rubber-stamped.
“The bill provides for technology notices requiring communication providers to take away end-to-end encryption — to break it,” Cathcart told the Daily Telegraph. “The hard reality is we offer a global product. It would be a very hard decision for us to make a change where 100% of our users lower their security.”
“This will undermine user privacy”
Cathcart warns the rules would compromise privacy — a view with wide support. Gaël Duval, the creator of Mandrake Linux and the “deGoogled” Murena phone brand, says the proposals would “create a backdoor that can too easily be exploited.”
“There is no way to be selective about the data that is collected — the government either has access to information in the messaging app, or it doesn’t, and this will undermine the privacy of WhatsApp’s users in the UK,” Duval told TNW.
“What’s next? Having all phone calls listened to and processed or having mail opened and checked before distribution? What’s more, there are security implications of granting access in this way, this kind of back door could potentially grant access to hackers too.”
The proposals have also raised the eyebrows of legal experts. In November, barrister Matthew Ryder of Matrix Chambers, who was commissioned by the Index on Censorship campaign group to analyze the bill, asserted that the proposals could breach human rights laws.
“No communications in the UK — whether between MPs, between whistleblowers and journalists, or between a victim and a victims support charity — would be secure or private,” said Ryder. “In an era where Russia and China continue to work to undermine UK cybersecurity, we believe this could pose a critical threat to UK national security.”
In addition to threatening British security, some critics predict global repercussions. They warn that the mooted rules will encourage authoritarian regimes to impose their own restrictions on E2EE.
“We need a pre-agreed ‘side door’”
Some technologists have called for an alternative safety measure in the bill, which is currently progressing through parliament. Andersen Cheng, CEO of cyber security firm Post-Quantum, advocates for an encryption “side door.” Cheng told TNW that this view stems, in part, from running his own encrypted messaging service — which showed up on a list of tools recommended by Islamic State.
“I believe government-sanctioned backdoors in encryption aren’t the answer — a backdoor for one is a backdoor for all, and anyone can walk through it, whether that’s the intended government agency, a hacker, or a malicious nation,” he said. “In my view, we need a pre-agreed ‘side door’ that allows you to split control and responsibility, and one you can only access if multiple parties like governments, private companies, privacy groups, and preferably courts each provide their section of the key.”
Cheng argues this can be achieved through “threshold cryptography,” which effectively chops the data into multiple fragments. As a result, the message is only accessible when the majority of parties agree to provide their portion of the key.
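The majority-quorum idea described above can be sketched with Shamir's secret sharing, one standard threshold scheme. This is an added example, not Cheng's or Post-Quantum's design; the party labels, the 3-of-4 quorum and the field prime are assumptions.

```python
import secrets

# Assumption: 2**521 - 1 (a Mersenne prime) as the field modulus; it exceeds any 256-bit key.
PRIME = 2**521 - 1

def split_key(secret, threshold, parties):
    """Give each party one share; any `threshold` of them can rebuild `secret`."""
    if not 1 < threshold <= len(parties):
        raise ValueError("threshold must be between 2 and the number of parties")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = {}
    for x, party in enumerate(parties, start=1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % PRIME
        shares[party] = (x, y)
    return shares

def recover_key(shares):
    """Lagrange-interpolate the polynomial at x = 0 from a list of (x, y) shares."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

if __name__ == "__main__":
    # Constructed demo: party labels and the 3-of-4 quorum are assumptions.
    parties = ["government", "provider", "privacy_group", "court"]
    key = secrets.randbits(256)  # stand-in for a message-decryption key
    shares = split_key(key, threshold=3, parties=parties)
    quorum = [shares[p] for p in ("government", "privacy_group", "court")]
    print("3 of 4 recover the key:", recover_key(quorum) == key)
    minority = [shares[p] for p in ("government", "provider")]
    print("2 of 4 recover the key:", recover_key(minority) == key)
```

In this sketch whoever runs `split_key` holds the whole key at that moment, and `recover_key` reassembles it in one place, so the dealer and the recombination point remain single points of trust.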
Such agreements, however, may prove elusive. In the current battle over encryption, neither government nor big tech is likely to budge — and the public’s privacy is caught in the middle.