Taipei, Taiwan – From the United States to the United Kingdom, politicians are pointing to the scourge of child sex abuse to justify a renewed effort to undermine end-to-end encryption.
In Asia, human rights groups and privacy advocates are worried the same Western-led campaign against encrypted communications risks undermining the privacy of millions of people living under the shadow of authoritarian governments.
Keep readinglist of 4 items
Although law enforcement agencies worldwide have for decades had powers to carry out targeted wiretapping of criminal suspects, cybersecurity experts broadly agree that it is impossible to bypass encryption on a case-by-case basis without fundamentally compromising the overall security of a platform.
That means that efforts to fight child exploitation in the US or UK could have serious knock-on effects for users of encrypted messaging services like WhatsApp and Signal – which have more than 2.4 billion users combined worldwide – in jurisdictions where dissent is strictly policed and speech is weakly protected.
“You can imagine that once the UK does away with encryption, it will be easier for criminals and other governments alike to try to hack into platforms and private communications,” said Charles Mok, a former legislator in Hong Kong, where authorities have carried out a sweeping crackdown on dissent that has practically wiped out the pro-democracy opposition and silenced critical media.
“It’s like the police telling people not to lock their doors so the police can conveniently come in and search, and who benefits from that the most? The criminals,” Mok, now a visiting scholar at Stanford University’s Cyber Policy Center, told Al Jazeera.
“You either build a foolproof platform or there is one hole, a few holes, and soon enough everyone can crack it in.”
The UK’s Online Safety Bill would compel tech firms to “proactively” prevent the spread of harmful content such as child pornography by scanning private communications on its services – a technical impossibility with end-to-end encryption, which keeps even tech providers in the dark about what is shared on their platforms.
Similar efforts are under way in the US, where a bipartisan group of lawmakers is pushing the EARN IT Act, which would make tech companies liable for child exploitation material shared on their platforms.
While the legislation does not specifically address encryption, critics say it would effectively force tech companies to choose between offering encrypted services and facing costly legal claims.
Some critics fear that Western laws targeting encryption could become models for undemocratic governments in the region such as Thailand, where the military administration of Prayuth Chan-ocha has used NSO Group’s Pegasus spyware to surveil protesters and activists.
“The alarming example or development in the United Kingdom could give the Thai government an example and a justification to introduce similar laws that would violate the rights to privacy,” Pravit Rojanaphruk, a Thai journalist who works as a senior staff writer for the Thai news outlet Khaosod English, told Al Jazeera.
“Some Thais use Signal because they are concerned that the Thai government may be eavesdropping, so there’s little to no trust when it comes to the Thai government. The latest example or development in the UK is indeed not a good sign and we could see the government in Thailand as well as others in the region emulate the example of the British government,” Rojanaphruk added.
Encryption has long been viewed as an important safeguard for dissidents in authoritarian regimes.
In 2015, encryption and the anonymity it provides to users were recognised by the United Nations Special Rapporteur on freedom of opinion and expression as key tools in “circumventing censorship” and ensuring the right to freedom of expression.
Sam Goodman, director of policy and advocacy at the UK-based Hong Kong Watch, which monitors human rights in the former British colony, said the Online Safety Bill would create a much more difficult environment for NGOs and activists despite its “admirable” goals.
“I think [the bill] is a mistake and actually will be very detrimental to the kind of work that organisations like Hong Kong Watch does because ultimately, we use Signal to keep in touch with activists, and we use Signal to talk to sources much like journalists do,” Goodman told Al Jazeera.
“If you end end-to-end encryption, it makes our work even more dangerous than it is already and it makes it very unlikely that we will be able to do our work, whether that’s sourcing information on the ground, or whether that’s talking to activists overseas who want secure communication. It will make that work near to impossible.”
Rights groups such as Electronic Frontier Foundation and Human Rights Watch have echoed such concerns.
“The vast majority of users who rely on encryption have no connection to wrongdoing,” Frederike Kaltheuner, director for technology and human rights at Human Rights Watch, told Al Jazeera.
Signal, WhatsApp owner Meta, and five other messaging services that rely on end-to-end encryption to safeguard users’ privacy have issued an open letter against the UK bill, which is currently being debated in the country’s upper house of parliament, saying that global service providers could not facilitate a “British internet” separate from the rest of the world.
While Signal previously suggested it would leave the UK if the legislation passed, Meredith Whittaker, president of the Signal Foundation, said the company would aim “to deploy proxies and other methods to continue providing service” as it has done in Iran.
“The same would happen in the UK should Signal not be able to maintain normal service,” Whittaker told Al Jazeera. “The thing we will never do is lower our privacy and encryption standards in any way.”
WhatsApp has also threatened to leave the UK if the bill becomes law, citing untenable conditions.
There are also questions about whether encryption-busting legislation is workable or can achieve its goals.
In 1993, the US government announced the launch of the “Clipper chip” program to embed chips in privacy hardware add-ons for mobile phones, allowing the authorities access to encrypted voice calls. Design flaws and public pushback led the government to abandon the initiative in 1996.
More than 30 years later, some tech experts say proposals like the UK’s Online Safety Bill are just as unworkable.
A 2022 survey of 1,300 IT experts by the British Computer Society revealed that 46 percent of respondents did not think the UK bill was workable and only 19 percent thought it would make the internet safer. Another 58 percent said the bill would harm freedom of speech.
In 2021, Apple dropped plans to scan its cloud services for child sex abuse images after blowback from privacy advocates, saying that law enforcement efforts should focus on how abuse could be “headed off before it occurs.”
Even so, encrypted messaging services have repeatedly found themselves in governments’ crosshairs in recent years.
In 2020, politicians from the “Five Eyes” intelligence network – the US, UK, Canada, Australia and New Zealand – as well as India and Japan released a joint statement calling for tech companies to give intelligence agencies a so-called back door into encrypted messaging apps amid “severe risks to public safety”.
In 2021, India enacted “traceability requirements” for encrypted apps requiring them to provide information on “message originators” at the request of the government, although WhatsApp is suing the government in a bid to block the legislation. Similar efforts to undermine end-to-end encryption are under way in Turkey and Bangladesh.
While governments in past years often raised the threat of terrorism to justify moves against encrypted communications, authorities have more recently invoked the need to protect children from sexual predators.
Michelle Donelan, the then-UK Secretary of State for Digital, Culture, Media and Sport, said last year the protection of children was “at the heart” of the Online Safety Bill.
“I know how worrying it can be as a parent or guardian trying to protect your child online, when you cannot always see who they are talking to or what sites or apps they are visiting,” Donelan said in December in an open letter to parents.
“So I want to reassure every person reading this letter that the onus for keeping young people safe online will sit squarely on the tech companies’ shoulders. You or your child will not have to change any settings or apply any filters to shield them from harmful content. Social media companies and their executives in Silicon Valley will have to build these protections into their platforms – and if they fail in their responsibilities, they will face severe legal consequences.”
Jyoti Panday, a New Delhi-based researcher at the Internet Governance Project at the Georgia Institute of Technology, said it was alarming to see democratic countries like India and the US and authoritarian countries like Turkey and China following the same playbook.
“You expect this in Turkey, but with India claiming to be the ‘mother of democracy,’ and the UK, which always talks about human rights and international law, it’s kind of unexpected to see these demands coming from democratic governments,” Panday told Al Jazeera.
“It doesn’t bode well for where we are headed … because what is the difference now between Chinese control over its domestic population and its communications environment and how India is approaching it and how the UK is approaching it?”