The UK government’s recent warning against the implementation of end-to-end encryption (E2EE) in Meta’s social media platforms is the latest page in the ongoing war of state versus privacy.
With Parliament recently passing the Online Safety Bill, which seeks to address a sweeping number of potentially harmful forms of content, the debate has now turned to how social media platforms can combat this content while also protecting user privacy.
Mark Zuckerberg, founder of Facebook and executive chairman of Meta, has been talking of implementing E2EE across its range of social media platforms, including Facebook, Messenger, and Instagram for several years now. Only recently however has he put in place concrete plans for blanket encryption, with Messenger being announced to receive it by default before the end of the year.
Balancing privacy against the weight of harmful content
The UK government argues that such universal encryption would damage its ability to combat child sexual abuse imagery (CSAM). According to the Home Office, “Facebook and Instagram account for over 85% of the global referrals of child sexual abuse instances from tech companies,” and recent statements made by home secretary Suella Braverman suggest technology exists that would allow E2EE to be implemented while also combatting the sharing of CSAM.
The popularity of personal device security, from encryption to VPNs, has been on the rise globally due to increased cyber-literacy and the prevalence of malware, hacking and phishing.
The basic premise of end-to-end encryption is simple, only you and the person you are messaging should be able to read your message. How then, can a message be scanned for harmful content while also protecting the privacy of both users?
The answer provided by the UK government and the Home Office is rather vague. There is, according to Suella Braverman, technology that exists “that will safeguard children but also protect user privacy”, but no elaboration has been made on the specific form of technology.
The SafetyTech competition run by the Home Office in 2021 showed that this form of technology is “technically feasible”, but experts such as Awais Rashid, professor of cyber security at the University of Bristol, believe that the implementation of this technology would not only infringe on user privacy, but may also violate human rights.
The general premise behind this “feasible” technology is that scanning would take place before encryption, so as to identify any harmful content, with the message then being encrypted and sent as normal. This form of technology would need to be implemented as part of the social media platform itself, meaning that every message sent – regardless of content – would be scanned. This removes the privacy and security provided by encryption, as these messages need to be stored and analysed to make sure they are safe, and as the history of data breaches have shown- no form of data storage is 100% secure.
Moreover, encryption would no longer provide such strong protection from malicious actors, as a backdoor has been kindly provided by the social media platform itself.
How will this affect you?
As many will remember from the fallout over the 2016 Investigatory Powers Act (affectionately known as the Snoopers Charter), this is not the first time the government has sought unprecedented access to personal information.
Where the Snoopers Charter employed safeguards “ensuring that any interference with privacy is strictly necessary, proportionate, authorised and accountable”, the Online Safety Bill forcing platforms to employ some form of content scanning by default, synonymous with everyone living in glass houses so that big brother can see who is throwing stones.
The effect of the Online Safety Bill could also impact businesses. For example, companies operating in the UK who use E2EE-enabled messaging services to communicate between staff and clients, such as WhatsApp, Signal, and Telegram, would also be subject to having their messages scanned and stored by their platforms. This would potentially add a new threat to the security of data stored by businesses, as they could be open to a new avenue of attack of which they have no control.
But it’s not like these messaging providers don’t have a choice. The economic impact of these platforms withdrawing service from the UK would be huge, let alone the public uproar from those in the UK.
Such a scenario would only be the worst case, as the government has reiterated on multiple occasions that it is seeking to work with Meta to resolve this issue. Whether the UK government will water down its latest bill or Meta will take a stand remains to be seen, and the battle of state versus privacy is far from over.