The UK’s Online Safety Bill is ready to become law. The bill, which aims to make the UK “the safest place in the world to be online,” passed through the Houses of Parliament on Tuesday and imposes strict requirements on large social platforms to remove illegal content. It will be enforced by UK telecom regulatory agency Ofcom.
Additionally, the Online Safety Bill mandates new age-checking measures to prevent underage children from seeing harmful content. It also pushes large social media platforms to become more transparent about the dangers they pose to children, while also giving parents and kids the ability to report issues online. Potential penalties are also harsh: up to 10 percent of a company’s global annual revenue. The bill has been reworked several times in a multiyear journey through Parliament.
But not only does online age verification raise serious privacy concerns — the bill could also put encrypted messaging services, like WhatsApp, at risk. Under the terms of the bill, encrypted messaging apps would be obligated to check users’ messages for child sexual abuse material.
Depending on how the rule is enforced, this could essentially break apps’ end-to-end encryption promise, which prevents third parties — including the app itself — from viewing users’ messages. In March, WhatsApp refused to comply with the bill and threatened to leave the UK rather than change its encryption policies. It joined Signal and other encrypted messaging services in protesting the bill, leading UK regulators to attempt to assuage their concerns by promising to only require “technically feasible” measures.
Reached for comment, WhatsApp owner Meta directed The Verge to a September 6th tweet by WhatsApp head Will Cathcart. “The fact remains that scanning everyone’s messages would destroy privacy as we know it. That was as true last year as it is today,” Cathcart wrote. “@WhatsApp will never break our encryption and remains vigilant against threats to do so.” Meta did not specify whether WhatsApp’s availability in the UK would be affected.
Signal president Meredith Whittaker, meanwhile, issued tentative praise for the ongoing conversation around the bill. “While it’s not everything we wanted, we are more optimistic than we were when we began engaging with the UK government. It matters that the government came out publicly, clearly acknowledging that there is no technology that can safely and privately scan everyone’s communications,” Whittaker said in a statement to The Verge. “At this point, it is imperative that we press Ofcom to incorporate the government’s strong guidance acknowledging that no technology exists that can safely and privately scan [end-to-end encryption] communications, and push them to clearly and publicly commit to not using the unchecked and unprecedented power vested in them under Clause 122 to undermine private communications infrastructure.”
Whittaker indicated that Signal was not in imminent danger of leaving the UK. “While this is not the ideal outcome, we are cautiously optimistic to see reality breaking through,” she said. “And our position remains consistent: we will continue providing Signal as a tool for meaningful private communications in the UK, and everywhere, and we will only ‘leave’ if the choice is between adulterating the privacy guarantees the people who use Signal depend on, or exiting.”
Ofcom will “immediately begin work on tackling illegal content and protecting children’s safety” and will take a “phased approach” to bringing the Online Safety Bill into force.
Update September 19th, 3:55PM ET: Added comment from WhatsApp and Signal.