Messaging companies warn UK over law impacting end-to-end encryption

Six of the world’s most popular messaging companies published an open letter on Tuesday warning that a law being considered in Britain risks “the privacy of billions of people around the world” by compromising end-to-end encryption.

Senior figures from Element, OPTF/Session, Signal, Threema, Viber, WhatsApp and Wire joined forces under the banner of “those who care about keeping our conversations secure” to criticize the U.K.’s Online Safety Bill.

Initially known as the Online Harms Bill, the proposed law is intended to reconstitute how the United Kingdom regulates online platforms. However, it has been controversial since its proposal almost two years ago, and has still not become law.

The current draft of the bill, which is being scrutinized in the House of Lords from Wednesday onwards, includes a provision obliging technology companies to identify illegal content being distributed over their platforms, such as images of child sexual abuse.

For companies that provide end-to-end encryption, however, there is no way to identify this content as it transits through the company’s infrastructure.

As a solution, the British government has suggested that these businesses use accredited client-side scanning technology, which monitors users’ messages for this content before encrypting it.

The open letter describes the technology as “nullifying the purpose of end-to-end encryption … and compromising the privacy of all users.” WhatsApp and Signal previously threatened to leave the United Kingdom rather than be bound by the law.

Client-side scanning systems have become a favorite idea for governments seeking to address the spread of child abuse images online without outright banning end-to-end encryption.

The concept gained popularity after being proposed by Apple in August 2021, although the proposal was immediately controversial. Fourteen of the world's most respected information security experts joined forces to criticize Apple and describe the inherent security risks of client-side scanning in a paper titled Bugs in Our Pockets.

The experts warned that allowing governments to scan end-user devices for arbitrary illegal content “would be an extremely dangerous societal experiment.”

Apple subsequently delayed introducing the feature.

But the need to tackle the spread of child abuse images online remains acute for officials working in law enforcement and security.

Researchers from GCHQ, Britain’s cyber and signals intelligence agency, attempted to address some of the experts’ concerns in another paper proposing several ways to ensure the security of a system that still deployed client-side scanning.

However officials from the British government have not endorsed the GCHQ paper, nor suggested that its protections would be adopted for any such system. Even if officials were to do so, it is not clear that the messaging companies would agree with its findings.

Tuesday’s open letter states: “The Bill poses an unprecedented threat to the privacy, safety and security of every UK citizen and the people with whom they communicate around the world, while emboldening hostile governments who may seek to draft copy-cat laws.”

The messaging companies urged the British government to “urgently rethink the Bill” and said: “Weakening encryption, undermining privacy, and introducing the mass surveillance of people’s private communications is not the way forward."