The UK is planning a new attack on end-to-end encryption, with the Home Office set to spearhead efforts designed to discourage Facebook from further rolling out the technology to its messaging apps.
Home Secretary Priti Patel is planning to deliver a keynote speech at a child protection charity’s event focused on exposing the perceived ills of end-to-end encryption and asking for stricter regulation of the technology. At the same time a new report will say that technology companies need to do more to protect children online.
Patel will headline an April 19 roundtable organised by the National Society for the Prevention of Cruelty to Children (NSPCC), according to a draft invitation seen by WIRED. The event is set to be deeply critical of the encryption standard, which makes it harder for investigators and technology companies to monitor communications between people and detect child grooming or illicit content, including terror or child abuse imagery.
End-to-end encryption works by securing communications between those involved in them – only the sender and receiver of messages can see what they say and platforms providing the technology cannot access the content of messages. The tech has been increasingly made standard in recent years with WhatsApp and Signal using end-to-end encryption by default to protect people’s privacy.
The Home Office’s move comes as Facebook plans to roll out end-to-end encryption across all its messaging platforms – including Messenger and Instagram – which has sparked a fierce debate in the UK and elsewhere over the supposed risks the technology poses to children.
During the event, the NSPCC will unveil a report on end-to-end encryption by PA Consulting, a UK firm that has advised the UK’s Department for Digital Culture Media and Sport (DCMS) on the forthcoming Online Safety regulation. An early draft of the report, seen by WIRED, says that increased usage of end-to-end encryption would protect adults’ privacy at the expense of children’s safety, and that any strategy adopted by technology companies to mitigate the effect of end-to-end encryption will “almost certainly be less effective than the current ability to scan for harmful content.”
The report also suggests that the government devise regulation “expressly targeting encryption”, in order to prevent technology companies from “engineer[ing] away” their ability to police illegal communications. It recommends that the upcoming Online Safety Bill – which will impose a duty of care on online platforms – make it compulsory for tech companies to share data about online child abuse, as opposed to voluntary.
The Online Safety Bill is expected to require companies whose services use end-to-end encryption to show how effectively they are tackling the spread of harmful content on their platforms – or risk being slapped with fines by communication authority Ofcom, which will be in charge of enforcing the rules. As a last resort, Ofcom could demand that a company use automated systems to winnow out illegal content from their services.
The NSPCC says that this set-up does not go far enough in reining in encryption: in a statement released last week, the charity urged the digital secretary, Oliver Dowden, to strengthen the proposed regulation, preventing platforms from rolling out end-to-end encryption until they can demonstrate that they can safeguard children’s safety. Facebook currently tackles the circulation of child sex abuse content on WhatsApp by removing accounts displaying forbidden images in their profile pictures, or groups whose names suggest an illegal activity. WhatsApp says it bans more than 300,000 accounts per month that it suspects of sharing child sexual abuse material.
“Ofcom will have to meet a series of tests before it could take action on a regulated platform,” says Andy Burrows, NSPCC’s head of child safety online policy. “That is about being able to require evidence of serious and sustained abuse, which is going to be practically very difficult to do because of end-to-end encryption will take away a significant amount of the reporting flow.”
Burrows declined to comment directly about the event with the Home Secretary, and whether any policy announcement will be made then. In an email, a Home Office spokesperson wrote that “end-to-end encryption poses an unacceptable risk to user safety and society. It would prevent any access to messaging content and severely erode tech companies’ ability to tackle the most serious illegal content on their own platforms, including child abuse and terrorism.”
“The Home Secretary has been clear that industry must step-up to meet the evolving threat,” the spokesperson says.
Since Facebook’s announcement on the extension of end-to-end encryption in 2019, Patel has grown increasingly impatient and vocal about the dangers of the technology – publicly calling on Facebook to “halt plans for end-to-end encryption”, and bringing up the subjectin meetings with her US counterparts and the Five Eyes intelligence alliance of English-speaking countries.
While Dowden is working jointly with the Home Office – taking part in conversations with Facebook on the matter – in an online press conference on March 10 he said that end-to-end encryption will not be dealt with in the Online Safety Bill.
The comment has caused concern among observers. According to a person familiar with policy discussions, technology companies are now increasingly worried that the Home Office could issue a Technical Capability Notice (TCN) against Facebook – that is: an injunction forbidding the company from switching to end-to-end encryption.
A TCN would allow investigators with a warrant to keep obtaining decrypted conversations on Instagram and Facebook Messenger, the platforms of main concern because they potentially allow unsolicited messaging between adults and children. In December last year, Sky News reported, quoting Home Office policy advisors, that a TCN would have become an option if the Online Safety Bill did not demand that Facebook kept its ability to spot child abuse – a scenario that would arguably materialise if Facebook had its way with encryption.
Jim Killock, executive director at digital rights organisation Open Rights Group, says he is “worried that the Home Office will be considering using a secret order (TCN) to force Facebook to limit or circumvent their encryption.”
“Facebook would be gagged from saying anything,” Killock adds. Although the action would be targeted to Facebook only, he thinks that such a move would set a precedent.
One industry source who has spoken with government figures is sceptical that such a radical scenario will come to pass, pointing out that encryption has routinely been in the Home Office’s crosshairs since Theresa May’s tenure as home secretary started in 2010, but that the technical difficulty – and the unpopularity – of outlawing encryption eventually always prevailed over the rhetorical posturing.
In a statement, a Facebook company spokesperson said that end-to-end encryption is “already the leading security technology used by many services to keep people safe from having their private information hacked and stolen.” Company executives have previously admitted that the increased rollout of end-to-end encryption will reduce the amount of child abuse reports it makes to industry monitoring groups.
“Its full rollout on our messaging services is a long-term project and we are building strong safety measures into our plans,” the spokesperson added.
Gian Volpicelli is a senior editor at WIRED. He tweets from @Gmvolpi
More great stories from WIRED
💊 A dying child, a mother’s love and the drug that changed medicine
😷 Coronavirus vaccines are making some long Covid sufferers feel better
🎧 Upgrading your headphones on a budget? We tested all of Amazon’s cheapest sets