This article is more than 1 year old

Signal says it'll shut down in UK if Online Safety Bill approved

Plan to scan encrypted content to protect children could drive businesses away

Encrypted chat service Signal says it will stop operating in the UK if the British government goes ahead with its Online Safety Bill.

The Online Safety Bill contemplates bypassing encryption using device-side scanning to protect children from harmful material, and coincidentally breaking the security of end-to-end encryption at the same time. It's currently being considered in Parliament and has been the subject of controversy for months.

The bill as currently formulated would obligate social media companies to prevent children from being exposed to harmful content online and would hold executives criminally liable for harms like failing to remove illegal content or failing to censor posts implicated in cyberbullying or self-harm.

The legislation contains what critics have called "a spy clause." [PDF] It requires companies to remove child sexual exploitation and abuse (CSEA) material or terrorist content from online platforms "whether communicated publicly or privately." As applied to encrypted messaging, that means either encryption must be removed to allow content scanning or scanning must occur prior to encryption.

Signal draws the line

Such schemes have been condemned by technical experts and Signal is similarly unenthusiastic.

"Signal is a nonprofit whose sole mission is to provide a truly private means of digital communication to anyone, anywhere in the world," said Meredith Whittaker, president of the Signal Foundation, in a statement provided to The Register.

"Many millions of people globally rely on us to provide a safe and secure messaging service to conduct journalism, express dissent, voice intimate or vulnerable thoughts, and otherwise speak to those they want to be heard by without surveillance from tech corporations and governments."

"We have never, and will never, break our commitment to the people who use and trust Signal. And this means that we would absolutely choose to cease operating in a given region if the alternative meant undermining our privacy commitments to those who rely on us."

Asked whether she was concerned that Signal could be banned under the Online Safety rules, Whittaker told The Register, "We were responding to a hypothetical, and we’re not going to speculate on probabilities. The language in the bill as it stands is deeply troubling, particularly the mandate for proactive surveillance of all images and texts. If we were given a choice between kneecapping our privacy guarantees by implementing such mass surveillance, or ceasing operations in the UK, we would cease operations."

In response to Whittaker's remarks, Dr Monica Horten, policy manager for freedom of expression at Open Right Group, urged the UK government to drop the clause.

"The spy clause in the Online Safety Bill will give Ofcom the power to ask private companies to scan everyone’s private messages on behalf of the government," Horten said in a statement. "Quite simply, it is state-mandated private surveillance of the kind that we see in authoritarian regimes.

"Signal’s announcement highlights just how seriously these proposals will threaten encryption and undermine our right to communicate securely and privately.

"If Signal withdraws its services from the UK, it will particularly harm journalists, campaigners and activists who rely on end-to-end encryption to communicate safely."

The UK is targeting encryption on another front, too. Last month, the UK Home Office opened consultation on a set of proposals to address serious and organized crime.

One of these contemplates criminalizing the manufacture or possession of "sophisticated encrypted communication devices," an ill-defined category that encompasses the software and hardware used on supposedly secure (and since seized) phone networks like ANOM, EncroChat, Phantom Secure, and Sky Global.

"These sophisticated devices provide access to encrypted communication platforms used by serious and organized criminals to plan their illicit activities," the Home Office argues. "The highly encrypted nature of such devices and the way they have been modified create considerable barriers to law enforcement agencies collecting intelligence and evidence in respect of serious crimes."

Back in the Land of the Free

US officials frequently have expressed similar fears that encryption will leave them in the dark, and have likewise tried to promote unworkable rules to ensure only "the good guys" get protected by encryption.

The proposed UK ban would be aimed at "bespoke devices … where the software/hardware has been developed to anonymize its users and their communications and its user base is assessed to be almost certainly criminal."

It would not apply to off-the-shelf, commercial mobile phones "nor the encrypted messaging apps available on them." So in theory, Signal would not be implicated. But other security technologists take issue with the Home Office proposals.

In a blog post on Thursday, Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory, published her response to the government's request for comments (which the Home Office won't do until June 2023, and then only in summary form) and elaborated on her concerns.

"Where’s the line between 'bespoke devices' and 'commercially available mobile phones [and] the encrypted messaging apps available on them'?" she asks. "People must be put on notice of what is and isn't criminal so they can comport their behavior accordingly. A lax definition coupled with strict criminal liability makes a mockery of due process."

Pfefferkorn is unsparing in her skewering of the Home Office's approach, characterizing it as a continuation of "UK's long, ignoble history (RIPA, DRIPA, IP Act) of surveilling people." And she twists the knife by turning to the commercial consequences of overbroad restrictions.

"If you get this wrong, you’ll end up criminalizing a lot of people whose only offense is using or selling a phone that is too abnormal for the Government’s official tastes," she writes. "Either you’re an obedient consumer who uses what Samsung, Google, Apple, and Meta have to offer, or you’re a criminal. Good luck developing your moribund tech industry with that attitude."

At least Northern Ireland and Scotland will be spared. The Home Office legislative proposals, if adopted, will apply only to England and Wales. ®

More about

TIP US OFF

Send us news


Other stories you might like