The story so far: During a visit to the U.K. last week, WhatsApp’s head Will Cathcart said that WhatsApp would not comply with the country’s proposed Online Safety Bill (OSB), which will in effect outlaw end-to-end (E2E) encryption. Mr. Cathcart said that it was the first time a “liberal democracy” was attempting to block a “secure product”.
What is end-to-end encryption?
E2E encryption ensures that a message can only be decrypted by the intended recipient using a secure decryption key that is unique to each sender-recipient pair and to each of their messages. Decryption, even by the messaging service provider, is impossible. Even if the platform’s servers are compromised, without the intended recipient’s decryption key, only a garbled string of characters will be available. Over the last few years, E2E encryption has been steadily gaining ground. It is offered by default on WhatsApp, Signal, Apple’s iMessage and FaceTime and is an option on Meta’s Messenger and Telegram.
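The property described above, as an added sketch that is not part of the original article and is not WhatsApp's or Signal's code: two devices derive a secret only that pair can compute, use a separate key for each message, and the relaying server, holding only the envelope, cannot decrypt it. The function names and the message-counter scheme are assumptions made for illustration; production messengers add identity verification and key ratcheting that are omitted here.

```javascript
const crypto = require('node:crypto');

// Each device makes its own X25519 key pair; the private half never leaves it.
function newDevice() {
  return crypto.generateKeyPairSync('x25519');
}

// Diffie-Hellman yields a secret only this pair can compute; HKDF then derives
// a separate 256-bit key for each message number (illustrative scheme).
function messageKey(myPrivate, theirPublic, counter) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  const info = Buffer.from(`message-${counter}`);
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(32), info, 32));
}

// The envelope is everything the server ever sees: counter, nonce, ciphertext, tag.
function encrypt(senderPrivate, recipientPublic, counter, text) {
  const key = messageKey(senderPrivate, recipientPublic, counter);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  return { counter, iv, body, tag: cipher.getAuthTag() };
}

// Throws if the key is wrong or the envelope was altered in transit.
function decrypt(recipientPrivate, senderPublic, envelope) {
  const key = messageKey(recipientPrivate, senderPublic, envelope.counter);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.body), decipher.final()]).toString('utf8');
}

// True only if the holder of `privateKey` can recover the plaintext.
function canRead(privateKey, senderPublic, envelope) {
  try { decrypt(privateKey, senderPublic, envelope); return true; } catch { return false; }
}

function demo() {
  const alice = newDevice(), bob = newDevice(), server = newDevice();
  const envelope = encrypt(alice.privateKey, bob.publicKey, 1, 'constructed sample message');
  return {
    bobReads: decrypt(bob.privateKey, alice.publicKey, envelope),
    serverCanRead: canRead(server.privateKey, alice.publicKey, envelope),
    whatServerStores: envelope.body.toString('hex'), // the "garbled string"
  };
}
console.log(demo());
```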
What is the Online Safety Bill?
The Online Safety Bill is a proposed piece of British legislation that seeks to improve online safety by placing certain “duty of care” obligations on online platforms.
Most of the criticism is directed against clause 110 of the OSB which empowers the British telecommunications regulator, the Office of Communications, to issue notices to most kinds of internet service providers, including private messaging apps and search engines, to identify and take down terrorism content that is communicated “publicly” and Child Sex Exploitation and Abuse (CSEA) content that is communicated “publicly or privately”, and to prevent such content from being communicated in the first place. Although the OSB does not mandate removal of E2E encryption, it would de facto mean breaking it as messaging apps would have to scan all messages that are sent on their platform to flag and take down terrorist and CSEA content. Since the clause also requires the platforms to “prevent” terrorism and CSEA content from being communicated using the platforms, it would mean that WhatsApp would have to implement a client-side scanning mechanism to scan content on users’ devices before it is even encrypted. For this, they would need to rely on algorithms that are not very sophisticated and do not understand context. For instance, in 2021, Google automatically blocked a father’s account in San Francisco and reported him to the local police because he had shot videos of his toddler son’s infection in intimate areas to share with his son’s doctor during the pandemic.
Privacy and free speech advocates, as well as multiple members of the British Parliament, view this Bill as a disproportionate step that allows the state to mandate bulk interception and surveillance.
What have other platforms said?
Last month, Signal’s president Meredith Whittaker told the BBC that Signal “would absolutely, 100% walk” if forced to weaken the privacy of its messaging platform. In a blog post, she wrote, “[encryption] is either broken for everyone, or it works for everyone. There is no way to create a safe backdoor.” Matthew Hodgson, the CEO of British company Element, which runs a Matrix-based E2E encrypted messenger, said that if the OSB was passed, he may have to exit the U.K. entirely and shift his company’s headquarters.
What if the platforms don’t comply?
If platforms do not comply, they may face penalties of up to £18 million or 10% of the platform’s global revenue of the preceding accounting year, whichever is higher. Currently, the Bill has been passed by the House of Commons and a House of Lords committee is examining the Bill. Once the committee’s report is ready, it will go back to the House of Lords for a third reading.
Did India enact a similar law?
Through the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the Indian government made it mandatory for messaging platforms with more than five million users in India to “enable the identification of the first originator” of a message, or what is commonly called traceability. This is not the same as asking for scanning and flagging of all encrypted content; it is about getting to the first person who sent a message that may have been forwarded multiple times. In India, WhatsApp did not threaten to leave the market. Instead, it sued the Indian government over the traceability requirement. This is mainly because India, with 487.5 million WhatsApp users, is home to 22% of the platform’s 2.24 billion monthly active users. WhatsApp’s penetration rate in India is over 97% while in the U.K., it is at about 75%. Moreover, the U.K., with 40.4 million users, accounts for a little less than 2% of global users. Even Mr. Cathcart said it would be “an odd choice” to compromise the app’s security for just 2% of its user base.
Aditi Agrawal is a Delhi-based technology journalist. She covers issues related to technology policy, privacy, cybersecurity and surveillance. You can find her on Twitter @Aditi_muses.