Signal CEO: We are “1,000% not participating” in UK legislation to weaken encryption

The nonprofit responsible for the Signal messenger app is ready to leave the UK if the country requires providers of encrypted communications to change their products to ensure that user messages do not contain material that could harm children.

“We will absolutely exit any country if the choice is between staying in that country and undermining the strict privacy promises we make to the people who rely on us,” Signal CEO Meredith Whittaker told Ars. “The UK is no exception.”

Whittaker’s comments come as the UK Parliament is in the process of drafting legislation known as the Online Safety Bill. The bill, introduced by former Prime Minister Boris Johnson, is a large piece of legislation that requires almost any provider of user-generated content to block child sexual abuse material, commonly abbreviated as CSAM or CSA. Providers must also ensure that any legal content accessible to minors—including self-harm topics—is age appropriate.

E2EE in the crosshairs

The bill’s provisions specifically target end-to-end encryption, which is a form of encryption that allows only the senders and receivers of a message to access the human-readable form of the content. Commonly abbreviated E2EE, it uses a mechanism that prevents even the service provider from decrypting encrypted messages. Robust E2EE enabled by default is Signal’s biggest selling point to its more than 100 million users. Other services that offer E2EE include Apple iMessages, WhatsApp, Telegram, and Meta’s Messenger, although not all of them provide it by default.

Under a provision of the Online Safety Bill, service providers are prohibited from providing information that is “encrypted in such a way that it is not possible for [UK telecommunications regulator] Ofcom to understand it, or make a document encrypted in such a way that it is not possible for Ofcom to understand the information it contains,” if the purpose is to prevent the British watchdog agency from understanding such information.

An impact assessment drawn up by the UK Department for Digital, Culture, Media & Sport clearly states that E2EE is within the scope of the legislation. One section of the assessment states:

The Government supports strong encryption to protect user privacy, however, there are concerns that a move to end-to-end encrypted systems, if public safety issues are ignored, is undermining many existing online safety measures. There could be significant consequences for technology companies’ ability to deal with grooming, CSA material sharing, and other harmful or illegal behavior on their platforms. Companies should regularly assess the risk of harm to their services, including risks around end-to-end encryption. They should also assess the risks ahead of any significant design changes such as a move to end-to-end encryption. Service providers must take reasonably practicable steps to mitigate the risks they are aware of.

The bill does not provide a specific way for providers of E2EE services to comply. Instead, it is funding five organizations to develop “new ways in which images or videos of child sex can be viewed and addressed within end-to-end encrypted environments, while ensuring that user privacy is respected.”
