WhatsApp refuses to weaken encryption, would rather leave UK

WhatsApp will not comply with the UK’s Online Safety Bill if it passes into law as is. In fact, WhatsApp would rather cease serving UK users, who make up 2% of its global market, than weaken its end-to-end encryption (E2EE).

Will Cathcart, head of WhatsApp at parent company Meta, made these claims in a briefing with the UK press on Thursday, March 9. He reportedly met with legislators to discuss the Bill, which Cathcart described as the most concerning online regulation in the Western world.

“The reality is, our users all around the world want security,” said Cathcart, The Guardian reported.

“Ninety-eight per cent of our users are outside the UK. They do not want us to lower the security of the product, and just as a straightforward matter, it would be an odd choice for us to choose to lower the security of the product in a way that would affect those 98% of users.”

The Bill includes a provision requiring companies to use “accredited technology” to scan messages for anti-terrorism and child protection purposes. It doesn’t say how such scans could be done, yet companies are liable for the content shared on their platforms.

At the moment, organizations cannot scan end-to-end encrypted messages. So, the only way they can comply with the Bill is to make private messages scannable. This means breaking E2EE.

Breaking E2EE in order to scan for terrorism and child sexual abuse images also means breaking encryption for the crooks, as it will likely introduce backdoors that create vulnerabilities for attackers and hostile states to exploit. This also precedes state-mandated surveillance on a mass scale, with privacy and security risks affecting entire societies.

“If a country like the UK pushed for that [breaking encryption] on the internet, that would shape what other countries all around the world ask for on different topics on different issues,” Cathcart said, reports Politico.

Client-side scanning (CSS), a technology that can intercept and filter messages before they are sent, was seen as an alternative to weakening end-to-end encryption. Still, a study argued it doesn’t guarantee “efficacious crime prevention nor prevents surveillance”. Akin to wiretapping, CSS can give governments access to private content. Its potential for abuse will not go unnoticed.

Refusing to comply would subject WhatsApp to fines of up to 4% of Meta’s annual turnover. However, this wouldn’t happen if WhatsApp pulls out of the UK market, a step that Signal, another popular private messaging app, has already threatened to take.

Wired reports that WhatsApp has reported more CSAM to the National Center for Missing and Exploited Children (NCMEC) than all other tech giants combined. Internet Watch Foundation’s head of policy and public affairs, Michael Tunks, disagreed: “There’s a problem with child abuse in end-to-end encrypted environments.”

“The bill does not seek to undermine end-to-end encryption in any way,” he said. “The online safety bill is very clear that scanning is specifically about CSAM and also terrorism. The government has been pretty clear they are not seeking to repurpose this for anything else.”

The Online Safety Bill will be returning to Parliament this summer.
