“The UK’s Online Safety Bill isn’t about safety or privacy, it’s both.”
These were the words Stephen Almond, Director of Technology and Innovation at the Information Commissioner’s Office (ICO), used to describe the controversial proposed legislation during a talk at the annual IAPP’s conference in London on March 9th.
“What happens when private messages are being asked to be monitored?” was the question raised immediately after by Monica Horten, Policy Manager at UK-based digital campaigning organization Open Rights Group. She continued by pointing out how breaking into encryption would practically mean “compromising people’s privacy.”
Tension between public safety and user privacy has been dominating the debate around the new legislation trying to make the internet a safer place, especially for children.
Signal has threatened to quit UK if the Bill becomes law in its current form, while WhatsApp said it would rather face a ban than weaken its security.
The UK law is an existential threat to privacy & to any messaging service that provides real privacy. We need to fight this together.As I’ve repeated, Signal will do everything it can to continue providing truly private messaging to people in the UK, and everywhere. 1/ https://t.co/Mp6tSNp7IOMarch 6, 2023
Even worse, the UK isn’t the only country where end-to-end encryption is under attack.
The European Union is trying to regulate something similar with the so-called Chat Control law, which requires encrypted messaging apps to allow authorities to scan private chats for material related to child abuse or terrorism.
We talked to some of the companies behind some of the most popular encrypted software, like VPN services and secure email providers, to understand what’s at stake for the security of their users online. Here’s what they said.
What is encryption?
By definition, encryption is the process of scrambling data into an unreadable form in order to protect it from unauthorized access. This means that no one, even the provider itself, can see what users send to each other.
It then sounds like an oxymoron the proposal of “scanning private encrypted messages,” de-facto annulling what this technology aims to do in the first place.
The reality is that governments have long been seeing encryption as an obstacle to law enforcement investigations.
The idea of a “responsible encryption” is something that was coined by US deputy attorney general Rod Rosenstein in 2017. What this means is that using encrypted private chats is OK, but authorities should be able to access those to fight back crime and terrorism – for everyone’s sake, of course.
Now, the threats against encryption seem to be as real as never before.
According to the providers behind encrypted services, undermining such a technology isn’t going to make the internet safer. Quite the opposite, actually.
“If you don’t have encryption, you cannot have privacy when you speak to someone using a device,” said Jan Jonsson, CEO at Mullvad, one of the most secure VPN providers on the market. “It’s an essential part.”
Short for Virtual Private Network, VPNs are based on encryption to secure people’s connections and all their data leaving a device. And, even though such a software isn’t yet the target of these regulations, Jonsson thinks they could potentially become in the future.
Democratic values are under siege
All the providers we talked to also believe that undermining encryption will consequently compromise the values upon which worldwide democracies are based on.
This could ultimately make the lives of citizens more unsafe, building up the base for a blanket mass surveillance society.
“It’s overwhelming how politicians in the in the 21st century still think that we need to have the Crypto Wars, still need to break encryption and still haven’t understood how important the right to privacy is for a democracy,” the founder of encrypted email provider Tutanota, Matthias Pfau, told TechRadar.
If the European Commission’s law proposal #chatcontrol becomes reality, a new EU center for mass surveillance will be built. Here are some name proposals from us: Ministry of Truth, Soma or maybe Secret Archives of the Universal State. More suggestions, anyone?March 10, 2023
Jonsson from Mullvad also argued that a lack of privacy could end up halting the process of development in a democratic country – as much offline as it is online.
“If you have the right to privacy in your home, you should also have the possibility to have a private room on the Internet,” he said. “It doesn’t make any sense to have two different views and laws between online and offline. It isn’t going to work.
“There are only two reasons to promote such laws. Either politicians don’t know what they are doing, or that’s just an excuse to monitor the whole population.”
Will the law really stop criminals?
Another point critics have been stressing is the degree of effectiveness of such a system in practical terms. Providers repeatedly pointed out the concrete possibility for criminals to find ways around this.
“It’s like trying to put a genie back in its bottle,” Matthew Hobson, CEO and CTO at UK-based secure communications company Element, told TechRadar. “You cannot try to legislate encryption and, if you do, it will just make life miserable and unsafe for your citizens. Meanwhile, everybody else will just ignore it and keep using encryption anyway via an illegal app.”
Put it simply, bad actors will always find a way to break the rules.
Criminals set to exploit backdoors
Those engaging in illegal activities online will find a way to keep doing so, and commentators are also warning of the danger of creating a backdoor into encrypted communication.
On this point, Pfau from Tutanota said: “We have to keep in mind that aggressors are becoming more and more competent, especially given the threats from Russia and China. If we break the encryption in countries like the UK, then we will open the doors for these aggressors and there will be no means to defend our digital life.”
(Image credit: Shutterstock)
That’s something Hobson is particularly worried about, too.
Element is a company providing decentralized encrypted communication systems to organizations seeking to run their own alternatives to Signal, Slack or other mainstream services. Due to its highly customizable and secure software, it’s especially popular among governmental bodies including the Ministry of Defense in Ukraine.
“You’ve basically done the work for the enemy. They can just break into the moderation system, or they can pay off one of the moderators, and suddenly they have access to all of this incredibly sensitive information that otherwise they would never have been able to get,” he said.
“This is the key example of why undermining the encryption in order to chase the bad guys actually gives the bad guys a really good route for going attacking the good guys.”
Authoritarian countries might take inspiration
Even worse than individual exploiting backdoor into encryption for their own gain, authoritarian countries around the world could draw inspiration from the UK and the EU for developing a similar system.
And, even if we want to believe the benevolent intentions of Western democracies, who’s going to vouch for Iranian, Russian or Chinese authorities on the matter?
“It’s an incredibly destructive, dangerous piece of technology,” said Hobson. “Not only does it search for child abuse and terrorism, but perhaps it could also look for ethnic traits. And, before you know it, you’ve created a system for racial profiling or worse.
“So, even if the UK’s intentions are benign, the precedent it sets and the technology it uses will absolutely be used for controlling populations and enabling human rights abuses of the worst possible kind.”
What can be done instead?
Being that the risk of compromising encryption seems to overcome the benefits, experts believe that other solutions might be more doable instead – especially around child abuse.
Either politicians don’t know what they are doing, or that’s just an excuse to monitor the whole population.
Jan Jonsson, CEO at Mullvad
For instance, Jonsson from Mullvad believe that investing in more police officers and teachers trained to cope with these incidents would create a better environment for both persecuting perpetrators and supporting victims.
Also, being that in the UK the numbers of child abuse perpetrators have increased dramatically, Hobson from Element believes that the problem should be address at its roots, instead of finding additional ways to investigate.
“The solution is not to go and put a CCTV camera in everyone’s bedroom in case they do something illegal,” he said. “I would argue that you can still do a lot of infiltration and frankly education, because it’s clearly a social problem. What you don’t do is blanket surveillance.”
While we’re waiting to see how the Online Safety Bill saga will end up, providers are getting ready to face the worse.
Signal said it would leave the UK if it was required to undermine encryption. Other services like WhatsApp and Tutanota are opting for a different route instead: waiting for the government to block their service for not obeying with the new law.
“By not complying, we want to force the UK government to actively block access to the service if they want to go through with it,” said Pfau, arguing that many services are likely to take a similar stance.
“In the end, the UK will need to put up a firewall, just like China, to make sure that their citizens can’t have secure communication.”
Outside the Great Britain, Mullvad is investing money and energy to raise awareness around the risks of the EU Chat Control.
(Image credit: Mullvad)
The VPN provider sent over 300 emails to politicians and journalists. Last week, it put up banners in Stockholm airport so that politicians could see it right after they landed before voting on the regulation. Other posters have been spreading around the streets of both Stockholm and Guttenberg, too.
“Mullvad is usually a very silent company. This is probably the first time we really got mad enough to speak out,” said Jonsson. He doesn’t exclude extending the campaign to other European countries as well if needed.
A more positive take comes from Andy Yen, Proton’s founder and CEO behind both the encrypted ProtonMail and Proton VPN, who claimed to be confident that following further debates “these proposals will probably become moderated.”
“If you look at the latest version of the Online Safety Bill, it’s already significantly improved from the first version. This is why I think that more effort on the public policy side can yield results. That’s something we watch carefully,” he said.
“We’re not going to compromise encryption, and being based in Switzerland gives us a little bit of extra protection to continue defending encryption, even in the face of such threats.”