The encryption tussle between government and industry is flaring up yet again, like a persistent case of psoriasis. And before you ask: No, the underlying facts of the matter haven’t changed. Up is still up, down is still down, and it’s still a technical fantasy to think you can weaken encryption in a way that gives some people (e.g., law enforcement) access while retaining its strength for everyone else.
The latest country to try bashing its head against the wall of reality is <spins wheel> the U.K., where WhatsApp, Signal, and a host of other messaging platforms are calling for the government to reconsider parts of the Online Safety Bill which would force chat services to use “accredited technology” that scans for terrorist and child-abuse material—and, somewhat incredibly, videos of migrants crossing the English Channel from mainland Europe.
“The law could give an unelected official the power to weaken the privacy of billions of people around the world,” the companies’ leaders wrote in an open letter. “We don’t think any company, government, or person should have the power to read your personal messages, and we’ll continue to defend encryption technology. We’re proud to stand with other technology companies in our industry pushing back against the misguided parts of this law that would make people in the U.K. and around the world less safe.”
A government spokesperson told the BBC: “We support strong encryption, but this cannot come at the cost of public safety”—before adding that the bill “in no way represents a ban on end-to-end encryption, nor will it require services to weaken encryption.” Good luck squaring that circle.
According to the bill’s critics—which include a who’s who of human rights groups and security experts—the only way for companies to comply with the new rules without outright breaking their end-to-end encryption (E2EE) would be to scan the contents of messages on the device before they’re encrypted and/or after they’re decrypted. This client-side scanning may leave messages protected when in transit, but it otherwise defeats the purpose of E2EE: Making sure private means private.
Signal (these days led by ex-Googler Meredith Whittaker) has already threatened to leave the U.K. if the bill becomes law as it stands. Meta’s WhatsApp has also promised not to implement the controversial measures, which would probably also mean a British exit. The bill is currently being considered by the British Parliament’s upper house, the House of Lords, having already been passed by the lower House of Commons.
But it’s not just the U.K. Across the Channel, activists are also fighting a very similar European Commission proposal that top cryptography professor Matthew Green last year described as “the most terrifying thing” he’d ever seen. Several days ago, the European Parliament produced a damning impact assessment on that proposal, warning of “vulnerabilities for users of E2EE communication channels,” and infringements on users’ fundamental rights in ways that “cannot be justified.”
Also, the assessment noted, it’s one thing to scan for images you already know of, but the only way to scan for new child-abuse material is by using A.I.—at which point the accuracy plummets and you need a crazy amount of resources to sort through the millions of false positives.
The quest to create a government back door to encrypted data isn’t solely a European preoccupation. The first incarnation of the debate took place in the 1990s when the Clinton administration launched its ill-fated Clipper chip program. And when Apple recently introduced fully encrypted iCloud backups—while also abandoning its much-criticized attempt to introduce client-side scanning to Messages—the FBI grumbled that the move “hinders our ability to protect the American people” and argued that it and other agencies needed “lawful access by design.”
But right now, Europe is the main battleground for this endlessly recurring privacy showdown. As always, the world is watching to see who wins.
Want to send thoughts or suggestions to Data Sheet? Drop a line here.
David Meyer
Data Sheet’s daily news section was written and curated by Andrea Guzman.