Why the UK’s Encryption-Busting Online Safety Bill Is Wishful Thinking

With its new Online Safety Bill, the UK government is about to ban WhatsApp, Signal, iMessage, and any other encrypted messaging app from the country. 

The new UK legislation is attempting yet another impossible end-run around encryption. It is dressed up to look like a set of laws that will keep people safe while using social media. And while it does not explicitly require that social media and messaging networks drop encryption, the law gives powers to the UK's regulatory body, OFCOM, which it can use to do so. And that's not even the worst part. The bill attempts to circumvent encryption by requiring messaging apps to monitor the messages and photos on your device and then report any illegal activity to the authorities. 

"The proposed bill would require any service provider who operates a platform in the UK to proactively monitor users' content for the presence of certain illegal content. When it comes to platforms that use end-to-end encryption (e.g., WhatsApp), the bill would likely require using a technology known as 'client-side scanning' to enable these platforms to remove illegal content or allow it to be reported to law enforcement authorities. Client-side scanning is not specifically required by the bill, but there are no other known means for complying with this law," DT Alemayehu, an IP, technology, and entertainment attorney, told Lifewire via email. 

UK's Legislation Would Break Encryption

Encryption is pretty straightforward. Something is either encrypted or it isn't. Governments around the world have long insisted that they should be given some kind of back door key so that they, and only they, can snoop on encrypted traffic. But that's flat-out impossible. If the encryption is weakened to allow snooping, then it is weakened—full stop—and therefore useless. And even if it were somehow possible, how long would it take for those magic keys to leak out of government offices?

Further, encryption isn't just for messaging apps. If it was compromised, you couldn't do online banking, shopping, or anything requiring a secure connection, because it would no longer be secure. Weakening encryption would destroy the online economy, while any serious bad actors would just switch to another communication method, leaving the government to snoop only on regular folks. 

WhatsApp and Signal, along with several other platforms and privacy advocates, have co-authored an open letter warning of the bill's threats to privacy and security. And while the bill does not explicitly call for a weakening of encryption, it would certainly end up that way. Even the United Nations is against it. If companies were to comply, this would break encryption for the entire internet, not just for the UK.

"The UK's online safety bill is an existential threat to safe and private communications," Signal's president Meredith Whittaker said on Twitter. 

Perhaps the UK government knows this and intends to use the new legislation as a stick to get what it wants another way. Do you remember when Apple outlined its plans to scan the photos in your iPhone's photo library for child sexual abuse materials (CSAM)? One clause in the new legislation would require the same thing, only for your messages. And, of course, once this is possible, your messages could be scanned for anything the government or law enforcement agencies want. 

No Operations in the UK

Signal, WhatsApp, and others have explicitly stated that they will cease operations in the country if the Online Safety Bill passes as is. It would, as we have mentioned, be technically impossible for them to comply while still providing their current and promised services.

Imagine that a law was passed to force all prepared foods to contain meat. What would vegan and vegetarian food makers do in this situation? They'd have to shut down or pull out of the country. Like Signal and WhatsApp, they could not comply without completely changing their business model. 

"If the UK actually passes this law, service providers like Meta would simply pull their app out of the UK market. The UK represents a small fraction of any one platform's user base. It wouldn't make sense, from a business standpoint, to so drastically violate the value proposition of your platform that you alienate the overwhelming majority of your users," says Alemayehu.

And that's the risk. By trying to circumvent one of the fundamental technologies of the internet, a government risks annexing its country from that internet. You literally cannot have a WhatsApp that operates internationally but also allows only the UK government to access only British citizens' messages. So the alternative is a separate WhatsApp network designed specifically for the UK or no WhatsApp at all for British citizens.