The heads of three major messaging apps have exclusively told The Standard that the Online Safety Bill, which is facing one of its final votes this week, will lead to the mass surveillance of every private online message and will destroy London’s reputation as a place to do business if the bill passes into law.
WhatsApp, Signal, and Element also say Prime Minister Rishi Sunak can forget about the UK becoming a technology superpower if that happens, as tech firms will leave London and no-one will want to start a business here.
“If the Online Safety Bill does not amend the vague language that currently opens the door for mass surveillance and the nullification of end-to-end encryption, then it will not only create a significant vulnerability that will be exploited by hackers, hostile nation states, and those wishing to do harm, but effectively salt the earth for any tech development in London and the UK at large,” Meredith Whittaker, president of not-for-profit secure messaging app Signal told The Standard.
“Passing the bill as-is sends the clear message that the UK Government would rather make law based on magical thinking, than honour longstanding expert consensus when it comes to issues of complex technology.”
The messaging app firms’ warning comes ahead of the report stage of the Online Safety Bill by the House of Lords on Thursday, July 6, which the tech firms fear brings the bill close to being passed into law.
A survey of 2,000 UK citizens carried out by Chiswick-based secure messaging app Element, which is popularly used by governments, has found that 70 per cent of the public do not believe that scanning all online messages will stop criminal activity, while almost half of respondents believe it will make the UK more vulnerable to cyberattacks from nation states like Russia and China.
A third of Londoners said they believed their messages will no longer be private from the Government if the Online Safety Bill is passed.
It’s going to be an incredibly chilling effect on the whole London tech scene. If I’m going to start a company, I’m not going to do it in London any more
A Government spokeswoman said: “We are unambiguously pro-innovation and pro-privacy, however, we have made clear that companies should only implement end-to-end encryption if they can simultaneously prevent abhorrent child sexual abuse on their platforms.
“The Online Safety Bill does not give Ofcom or the Government any powers to monitor users’ private messages. As a last resort, and only when stringent privacy safeguards have been met, the Online Safety Bill will enable Ofcom to direct companies to either use, or make best efforts to develop or source, technology to identify and remove illegal child sexual abuse content.”
The Standard understands that some tech firms are holding meetings with Downing Street this week.
WhatsApp, Signal, and Element all say that if they are forced by Ofcom to install third-party software to scan users’ messages or to do it themselves, they will refuse to comply.
“No-one, including WhatsApp, should have the power to read your personal messages,” Will Cathcart, head of WhatsApp at Meta told The Standard.
Signal said it will build proxy servers to enable UK citizens to continue to communicate safely, the way women in Iran do, since encrypted messaging apps are banned there, while Elements said its open-source protocols will likely lead to citizens making their own alternative apps.
Last week, Wikipedia published an open letter asking the Government and Parliament to exempt “public interest projects” — such as Wikipedia — from the proposed Online Safety Bill.
The three messaging apps all told The Standard that the language relating to mass surveillance powers for identifying and removing child sexual abuse material (CSAM) was only added to the Online Safety Bill in September, but it is “much more vague” than the Investigatory Powers Act 2016, which at least “contains checks and balances” to protect the public’s privacy and security when it comes to combating terrorism.
Do you really want your private messages spied on?
The Government and children’s charities claim paedophiles are using private messaging apps to groom children and share illegal content, completely unnoticed by service providers.
The tech industry, on the other hand, says protecting users’ privacy is key and that firms shouldn’t be able to scan private messages sent by the public. They use a cybersecurity technology called end-to-end encryption in their messaging apps, which prevents anyone outside of the parties receiving messages from viewing them.
Ms Whittaker, a former US Federal Trade Commission (FTC) executive, took part in a debate on Channel 4 with former tech minister Damian Collins on Monday afternoon and said that she was troubled by the Government’s “confusing” stance on breaking encryption.
“Damian agreed that we cannot break encryption. He even admitted he uses Signal but, when I pressed him on changing the text in the bill, he said no, we can’t do that — you just have to trust,” she said.
“It makes me believe that some of the people putting the provisions in the bill are actually aiming to undermine safety, security, and encryption, because otherwise there’s a simple solution... just clarify that this provision will never be used to create a backdoor that would be used to threaten the UK’s core infrastructure and set a precedent that will be copied by regimes across the world.”
"No way to create a backdoor that only the good guys can walk through."
— Channel 4 News (@Channel4News) July 3, 2023
Signal President Meredith Whittaker says the Online Safety Bill will cause "unprecedented paradigm-shifting surveillance" - in a discussion with @cathynewman and former UK Tech minister Damian Collins. pic.twitter.com/pJWqqaN01f
The Online Safety Bill concerns only online messages sent by UK citizens and residents, but not anything sent on messaging apps by law enforcement, the public sector, or emergency responders.
This is handy, given that The Standard understands that up to half of Government communications are still being sent over consumer apps like WhatsApp.
Signal says it is unimpressed by the Government’s claim to be placing children’s safety at the heart of its need for mass surveillance of online messages. It cites a study by the Max-Plank Institute for the Study of Crime on a German law from 2008-2010, where the German government implemented mass scanning of all citizen data online and tracked IP addresses in a bid to help identify more suspects.
While this law was found to be unlawful, the statistics collected by German police found that having access to that huge amount of data for two years did not have a deterrent effect, did not assist in clearing up crimes, and did not increase convictions.
“The UK has slashed early-intervention programmes by 50 per cent in the last decade. The UK’s own investigatory review of child social care estimated that to fully fund child social care, you would need £2.6bn over the next four years. The Government chose to fund seven per cent of that,” said Ms Whittaker.
“You hear a lot of noise from politicians claiming that protecting children is most important to them but, if we look at evidence-based reports on protecting children, it is often absent or severely limited.”
While Element chief executive and chief of technology Matthew Hodgson told The Standard, “The Online Safety Bill is effectively giving the Government the remit to put a CCTV camera in everybody's bedrooms, and the way people use their WhatsApp today is pretty personal — people use messaging apps more than they communicate with people in person.”
Element provides its encrypted “run-your-own” secure communications app solution to 30 government agencies around the world, including France, Germany, Luxemberg, as well as the US Department of Defense, the UK’s Ministry of Defence, the US Navy, Nato, and Ukraine’s defence ministry.
‘Chilling effect on the whole London tech scene’
You would think that a British tech firm that works with governments wouldn’t mind if private messages are scanned, but Mr Hodgson actually wishes he and others in the UK tech industry had spoken up sooner.
“You cannot turn scanning on and off in an app or set certain degrees without introducing a mechanism that breaks end-to-end encryption: an attacker will simply find a way to turn on the scanning and exploit it,” he explained.
“God, I wish we had been a lot more vociferous. The legislation sounded so outlandish that I thought surely someone else would step up and shoot it down. We clearly should have been in the room but there was no-one in the UK tech industry represented on the security side.”
Mr Hodgson says that the Government has not consulted with UK tech firms, only with huge multinational corporations and companies that want to sell software that scans messages, who are unsurprisingly telling lawmakers that it is possible to scan messages without breaking encryption. This is widely thought to be untrue.
The secure messaging app bosses believe that the Online Safety Bill started out as a way to target the likes of Facebook and others for failing to moderate their platforms and protect users, but the proposed legislation has turned into a monster that will have long-lasting negative impacts on the UK in ways that the lawmakers just don’t understand.
Last week, the Government proposed a series of new amendments to the Online Safety Bill, which include the possibility of criminal liability for senior technology executives.
“It’s going to be an incredibly chilling effect on the whole London tech scene,” Mr Hodgson told The Standard.
“If I’m going to start a company, I’m not going to do it in London any more — I’ll go somewhere else because they’re not going to lock me up if someone decides to do something horrible to someone else on my platform.”
He says this is similar to Brazil, where officials have Facebook executives arrested every time they ignore a request from the authorities for information.
“We need to preserve privacy and encryption. If the Online Safety Bill undermines that, the UK will become a laughing stock, a technology backwater. Half the world will point and laugh, and the other half will use it as a reason to undermine citizens’ privacy.”