The writer is former chief executive of the UK’s National Cyber Security Centre and now professor at Oxford university’s Blavatnik School of Government
Just as the phrase “government by WhatsApp” enters the British political lexicon, the platform itself might be on its way out of the UK. So too might Signal — WhatsApp’s not-for-profit, privacy-obsessed competitor — which has become the messaging app of choice for security-conscious officials across the west. Apple, provider of iMessage, is quieter, but no less unhappy.
The problem is a set of new government measures intended to counter the horrors of online child sexual exploitation. These provisions — contained in relatively obscure parts of the much-delayed online safety bill — would give Ofcom, the communications regulator, the power to require messaging platforms to adopt “accredited technology” to detect (and potentially block, and report) illegal images. This is all due for debate in the House of Lords after Easter.
Ministers insist these measures can be implemented without weakening the overall security of messaging services. Service providers and many privacy experts vehemently disagree. If you allow responsible democracies to scan messages for child abuse images, you risk allowing autocracies to use the same tools to scan for political dissent. You can’t just weaken security for the good guys, they argue. Will Cathcart, the head of WhatsApp, said on a recent trip to London that if he was asked to choose between complying with UK law and protecting the privacy of users worldwide, he would simply withdraw the platform from a country that makes up just 2 per cent of all users.
So could the UK, an aspiring tech superpower, really join China, North Korea, Syria and Iran on the list of countries where WhatsApp is effectively banned? Remarkably, it’s possible, though still unlikely. What’s more probable is that parliament will pass a hugely controversial power that damages Britain’s reputation for online security — and then never use it.
This is the latest spat in an online security dispute that’s as old as the internet. These days, messaging services are designed in a way that seals their contents away from the state, through what’s known as end-to-end encryption. This upends a centuries-old principle of what’s known as “lawful access”, first introduced by Oliver Cromwell in 1657, when he set up the General Post Office with the proviso that the state could, with a lawful warrant, intercept any communication it wanted. No longer.
This causes obvious problems for security and intelligence agencies, particularly in counter-terrorism and combating child sexual exploitation. So countries such as the UK and Australia have taken on powers to direct the tech giants to alter their technology to let state authorities in. As far as we know, these powers have never been used because there has never been a mechanism for providing government access without weakening security.
But this time, it’s different, says the government: in the online safety bill, officials have come up with a way forward called “client-side scanning”. This scans devices using a technique known as “neural hashing” for illegal content. Because it happens on the device, rather than through the provider, it does not interfere with the end-to-end encryption between sender and receiver.
Not so, say the platforms — and many experts agree. In late 2021, 14 of the world’s most venerated cryptographers published an excoriating critique of the technique entitled Bugs in Our Pockets. In essence, it says the technique doesn’t solve the problem that if you build a door, you can’t restrict entry to it. Swiftly after its publication, Apple, under huge pressure from privacy and security advocates, abandoned plans to introduce client-side scanning.
Officials sought to counter these concerns with an impressive paper from GCHQ experts about how the technology works and interacts with platforms. But the government did not then go on to set out how client-side scanning would work in law without compromising security. The possibility of being forced to introduce this function prompted WhatsApp’s warning that it will let itself be blocked in the UK. Signal will certainly leave if asked to do so.
Surely then, parliamentarians should be shown the details of a workable draft regulation before voting? If not, this controversial power will be driven through, but likely never used. Cue another bitter and damaging row about Britain’s perceived hostility to encryption, but with no actual benefit to those fighting online harms. If peers do not ask the government to think again, parliament will be legislating for a unicorn — and not the billion-dollar tech company kind.