Justin Sullivan/Getty Images
show image

Jim Killock

Executive director, Open Rights Group

UK-US attack on WhatsApp encryption may have unsettling consequences

The home secretary, Priti Patel, has joined forces with her American and Australian counterparts to call on Mark Zuckerberg to drop end-to-end encryption from WhatsApp, and to shelve plans to roll it out across Facebook’s other messaging platforms. 

The move was timed to coincide with the launch of a new “UK-US Bilateral Data Access Agreement”, giving British law enforcement agencies the power to “directly demand” that US tech companies hand over data relating to serious crime.

Jim Killock, the executive director of the Open Rights Group, warns that the interventions set a dangerous precedent. 

Governments in the UK, US and Australia have been running a joint campaign to limit the use of encrypted communications for several years now. The prospect of private, hard to intercept communications sent between paedophiles and terrorists is used to justify removing or restricting everyone’s ability to be private from corporations and others who attempt to listen in to the private messages we send.

Facebook are now at the middle of this dispute, as they are considering merging their generic ‘messenger’ tool with their fully encrypted private messaging tool WhatsApp. Governments, and some child protection groups, are complaining that this will make it harder to detect child abuse images.

Perhaps. However, it is also the case that Facebook do a great deal to detect this kind of material – and there are signals to detect this kind of behaviour, even on WhatsApp. It might be the presence of certain individuals, or accounts; or it might be other regular patterns of usage that give criminals away.

When we think about calls to remove or limit encryption, we should remember that technology presents law enforcement with the greatest ever set of means to detect criminals. Everyone uses devices, networks, apps; each leave traces of data. End-to-end encryption still leaves law enforcement with the possibility of seizing and breaking into the device; or demanding passwords; or to infiltrate networks. So while such encryption is good enough to stop Facebook from reading messages to your partner, it is not a meaningful defence against government security agencies.

It is an obvious point that perhaps only the most stupid, or most peripheral kinds of criminals, are going to use tools like Facebook Messenger. Far more serious kinds of activities will be conducted using more serious privacy-friendly tools. The same kinds of tools that Hong Kong democracy activists are using to keep clear of being listened into by their government.

In any case, we ought to expect governments to demand things from companies that reflect the law, not the policy preferences of ministers. It is a very inconsistent and terrifying thing that governments feel they can bully individual companies into making technology choices that may not be in our interest – rather than asking for legal powers and duties through which we can hold government to account.

There is some debate about intermediate technologies that do not remove encryption, for instance, for devices to store a local set of ‘hashes’ to block certain images being shared. Such ideas are never without problems – they can be extended, so why not block copyright material, or defamation, or anything the government believes is fake news; or if the list gets very big, then perhaps all images get checked against a centralised database before they are shared. At which point we have an enormous censorship machine and encryption is not worth the name.

We should be willing to listen, in case sensible ideas can be found, but also understanding that sensible and limited ideas are not really what government security agencies are after.

Government security agencies will not be happy until any and every communication is easily available to them. Don’t be fooled: Home Office ministers like Priti Patel will always talk about the worst possible criminals, but behind that spin lies a desire to detect and read the communications of climate protesters, Brexit and anti-Brexit awkward squads, immigrants, asylum seekers, trades unionists, journalists who speak out against state abuse of authority, and whistleblowers who embarrass governments. While some people might trust Priti Patel with our human rights (although I am not persuaded) far fewer of us want to wage war on the privacy of Hong Kong’a democracy activists, which is the inevitable result of this push against encryption.

Ask yourself this: are we the people, accountable to government, or is the government accountable to us? If we answer the encryption question wrongly, then we are on a swift path to unaccountable state power enabled by pervasive digital communications.