End-to-end encryption (E2EE) has been a contentious issue for years - not among experts, but among politicians. Governments around the world grapple with how to balance the need for privacy and security with the desire to combat criminal activity. In the UK, the Office for Security and Counter-Terrorism (OSCT) recently issued a warning about the use of E2EE in online communication services, claiming that it can be exploited by criminals and terrorists to evade detection and commit crimes.
The OSCT has suggested that "lawful hacking" could be used as a means of accessing encrypted data during investigations. However, Tutanota, Signal, and WhatsApp all point out that this approach could leave individuals' data vulnerable to hackers and other malicious actors, as well as compromising the integrity of the communication service itself.
We argue that the OSCT's warning is overly simplistic and ignores the crucial role that E2EE plays in protecting individuals' privacy and security online.
Signal’s CEO Meredith Whittaker was the first to oppose the measures in the British government’s proposed version of the Online Safety Bill by threatening to leave the UK if the legislation passes. Signal noted that E2EE is not just about protecting individuals' communications from third-party surveillance, but also about ensuring that the messaging service itself cannot be used to monitor or manipulate users.
Next, in an open letter to UK Prime Minister Rishi Sunak, Tutanota stated that it will neither withdraw from the UK nor comply with any request to weaken encryption. Instead, Mr. Sunak would have to either ban Tutanota, just as the authoritarian regimes in Iran and Russia have, or reconsider the measures in the bill and prioritize British citizens’ right to secure communications. Our letter highlighted that E2EE has been a valuable tool for human rights activists, journalists, and dissidents, helping to protect them from surveillance and persecution by authoritarian regimes.
We argue that weakening or banning end-to-end encryption would not only be ineffective in stopping criminal activity, but would also have disastrous consequences for individual privacy and civil liberties. There are already legal mechanisms in place for law enforcement agencies to ask for end-to-end encrypted data in the course of an investigation, such as warrants and court orders. These existing mechanisms strike the right balance between privacy and security, and any attempt to weaken E2EE would be a step too far, opening the doors to mass surveillance and leaving our customers exposed to malicious attacks.
The Online Safety Bill has already been passed by the House of Commons in the UK Parliament. Now it is up for decision in the House of Lords, at the committee stage.
WhatsApp, which is owned by Meta, has also taken a stand against the OSB, as reported by TechCrunch and Wired. Speaking to the BBC and the Guardian, WhatsApp’s head, Will Cathcart, described the OSB as the most concerning piece of legislation in the Western world. He also suggested the platform will not comply with a U.K. legal requirement to weaken the level of encryption it offers its users — and would instead prefer to be blocked by U.K. authorities.
Other companies like Element, which operates the decentralized Matrix protocol, along with end-to-end encrypted email provider Proton (ProtonMail), are also warning that the draft legislation contains measures that risk the security of robust encryption, which is vital to keeping users’ communications safe.
The debate over E2EE and online privacy is likely to continue, as more people rely on digital communication services for their personal and professional lives. The need for strong encryption and privacy protections will only become more pressing as time goes on. It's clear that tech companies like Tutanota, Signal, and WhatsApp are committed to protecting their users' privacy and security, but the question remains whether governments will listen to their concerns and take a balanced approach to the issue. There are valid concerns that E2EE can be exploited by criminals and terrorists to evade detection and commit crimes. However, the solution is not to weaken or ban E2EE altogether.
It's worth noting that the UK is not the only country grappling with the issue of E2EE. In the US, the debate over E2EE has been raging for years, with the government and tech companies often at odds over the issue. The Australian government has also been pushing for the ability to access encrypted data, citing similar concerns around criminal activity.
What it ultimately comes down to is that it simply isn’t possible to get more security by weakening security.