Could These Bills Endanger Encrypted Messaging? – IEEE Spectrum

Billions of people around the world use a messaging app equipped with end-to-end encryption, such as WhatsApp, Telegram, or Signal. In theory, end-to-end encryption means that only the sender and receiver hold the keys they need to decrypt their message. Not even an app's owners can peek in.

In the eyes of some encryption proponents, this privacy tool now faces its greatest challenge yet: legislation in the name of a safer Internet. The latest example is the United Kingdom's Online Safety Bill, which is expected to become law later this year. Proposed laws in other democratic countries echo the U.K.'s. These laws, according to their opponents, would necessarily undermine the privacy-preserving cornerstone of end-to-end encryption.

On its face, the bill isn't about encryption; it aims to make the Internet less unpleasant. The bill would give the U.K.'s broadcasting and telecoms regulator, Ofcom, additional policing powers over messaging apps, social-media platforms, search engines, and other services. Ofcom could order providers to take down harmful content, such as hateful trolling, revenge porn, and child pornography, and fine those service providers for failing to comply.

The specific segment of the Online Safety Bill that worries encryption advocates is Clause 110, which entitles Ofcom to issue takedown orders for messages whether communicated publicly or privately by means of the service. To do this, the bill obliges services to monitor messages with accredited technology that has received Ofcom's stamp of approval.

Observers believe that there is no way for service providers to comply with Clause 110 takedown orders without compromising encryption. Representatives from Meta (which owns WhatsApp), Signal (which pioneered the Signal encryption protocol that WhatsApp also uses), and five other firms signed an open letter in opposition to the bill:

What does proactive scanning look like in practice? One example could be Microsoft's PhotoDNA, which the company says was designed to crack down on images of child pornography. PhotoDNA assigns each image an irreversible hash; authorities can compare that hash to other hashes to find copies of an image without actually examining the image itself.

According to Joe Mullin, a policy analyst at the Electronic Frontier Foundation (EFF), a nonprofit that opposes the bill, services could comply with Clause 110 by mandating that PhotoDNA or similar software run on their users' devices. While this would leave encryption intact, it would also act as what Mullin calls a backdoor, allowing for an app's owners or law-enforcement agencies to monitor encrypted messages.

In an app that has end-to-end encryption, such a system might work something like this: Software like PhotoDNA, running on a user's device, might create a hash for each message or each media file a user can see. If the authorities flag a particular hash, an app's owner could scan the sea of hashes to pinpoint groups or conversations that also hold that hash's corresponding message. Then, whether voluntarily or under legal obligation, the owner might share that information with law enforcement.

While this method wouldn't break encryption, Mullin and other privacy advocates still find the idea of client-side monitoring to be unacceptably intrusive.
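The flow described above, sketched as an added example that comes from neither the article nor any messaging app. SHA-256 stands in for PhotoDNA (it matches exact bytes only), an XOR keystream stands in for real end-to-end encryption, and every name and sample value is constructed.

```python
import hashlib
import secrets
from collections import defaultdict

def keystream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in for real end-to-end encryption: XOR with a SHAKE-256 keystream.
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))

def client_send(conversation: str, key: bytes, media: bytes) -> dict:
    # The scanner runs on the device, before encryption, where plaintext is visible.
    return {
        "conversation": conversation,
        "ciphertext": keystream_encrypt(key, media),
        "media_hash": hashlib.sha256(media).hexdigest(),  # stand-in for PhotoDNA
    }

class Service:
    """What the app's owner holds: ciphertext and hashes, never the keys."""
    def __init__(self):
        self.index = defaultdict(set)  # media_hash -> conversation names

    def receive(self, envelope: dict) -> None:
        # The ciphertext is relayed untouched; only the hash is indexed.
        self.index[envelope["media_hash"]].add(envelope["conversation"])

    def conversations_holding(self, flagged_hash: str) -> set:
        return set(self.index.get(flagged_hash, set()))

def demo():
    photo = b"constructed sample image bytes"     # constructed sample data
    other = b"constructed unrelated image bytes"  # constructed sample data
    service = Service()
    envelopes = [
        client_send("family-chat", secrets.token_bytes(32), photo),
        client_send("work-group", secrets.token_bytes(32), photo),
        client_send("book-club", secrets.token_bytes(32), other),
    ]
    for envelope in envelopes:
        service.receive(envelope)
    flagged = hashlib.sha256(photo).hexdigest()   # hash flagged by the authorities
    return service.conversations_holding(flagged), envelopes

if __name__ == "__main__":
    print(sorted(demo()[0]))
```

The two conversations sharing the file are identified and linked to each other even though their ciphertexts differ and the service holds no key, which is the sense in which encryption stays intact while message content is still monitored.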

Another strong possibility is that to avoid the creation of such backdoors, services will be intimidated away from using encryption altogether, Mullin believes.

The U.K.'s Department for Science, Innovation and Technology did not respond to a request for comment. However, earlier this month, a spokesperson of a different U.K. government office denied that the bill would require services to weaken encryption.

The U.K. bill isn't the only one raising privacy advocates' concerns.

Since 2020, U.S. lawmakers from both major parties have pushed the so-called EARN IT Act. In the name of cracking down on child pornography, the bill would open the (currently closed) door for lawsuits against Internet services that fail to remove such material. The bill does not mention encryption, and its elected backers have denied that the act would harm encryption. The bill's opponents, however, fear that the threat of legal action might encourage services to create backdoors or discourage services from encrypting messages at all.

In the European Union, lawmakers have proposed the Regulation to Prevent and Combat Child Sexual Abuse. In its current form, the regulation would allow law enforcement to send detection orders to tech platforms, requiring them to scan messages, media, or other data. Critics believe that by mandating scanning, the regulation would undermine encryption.

EFF's Mullin, for his part, believes that other methods (allowing users to report malicious posts within an app, analyzing suspicious metadata, even traditional police work) can crack down on child sexual abuse material better than scanning messages or creating backdoors to encrypted data.

"The authorities are looking for needles in a haystack," Mullin says. "Why would they want to vastly increase the haystack by scanning one billion messages a month of everyday people?"

Elsewhere, Russia and China have laws that allow authorities to mandate that encryption software providers decrypt data, including messages, without a warrant. A 2018 Australian law gave law-enforcement agencies the power to execute warrants ordering Internet services to decrypt and share information with them. Amazon, Facebook, Google, and Twitter all opposed the law, but they could not prevent its passing.

Back in Westminster, the Online Safety Bill is just a few hurdles away from assent. But even the bill's passing probably won't mean the end of the saga. In March, WhatsApp's boss Will Cathcart said the app would not comply with the bill's requirements.
