Governments' Increasing Crackdown on Encrypted Chat Apps

The UK's proposed Online Safety Bill would introduce new rules that would hold big tech, social media platforms, and messaging service providers accountable for the content displayed.

These online platforms would be required to use “accredited technology” to identify and remove child sexual abuse material (CSAM) or terrorist content from any public or private message communicated via its platform.

In other words, the bill would allow online media companies and big tech firms to scan all user-generated content. That includes private messages, pictures, videos, or personal details shared with family, friends, and colleagues.

For non-compliance, the bill proposes substantial fines, a countrywide ban, or jail time for executives. It's feared (expected) that to avoid the harsh punishments, platforms will resort to screening all user content, all of the time.

Of course, this doesn't work for platforms that use end-to-end encryption. By design, they don't have access to their users ' content.

Therefore, in order to comply, they have a choice, either weaken or remove end-to-end encryption, install client-side scanning, or...

Stop operating in the UK— an option that popular encrypted chat apps, WhatsApp and Signal have said they will take instead of undermining their user's privacy.

The Bill has undergone extensive scrutiny and amendments in Parliament and is currently with the House of Lords for further review but the aim is to have the communication surveillance law implemented by summer/autumn 2023.

READ MORE: The UK's Online Safety Bill: Safety or Surveillance?

USA: EARN IT, Stop CSAM Act, and Kids Online Safety Act (KOSA)

There are three bills being considered in the States, all of them causing deep concern over encryption and privacy. They are:

• EARN IT, Eliminating Abusive and Rampant Neglect of Interactive Technologies Act
• STOP CSAM, Strengthening Transparency and Obligation to Protect Children Suffering from Abuse and Mistreatment Act
• KOSA, Kids Online Safety Act

These laws overlap in the sense that they would each require website operators to actively search for child sexual abuse material, and would essentially create civil and criminal legal liability for any internet platforms that don't.

Platforms would risk being liable even if they didn't have any knowledge of harmful content being shared via their services. What this means is that online platforms will be forced to scan private messages and user content.

To do that, there can be no encryption in place or it has to be weakened, which essentially renders it useless.

These mandates to employ content filters violate the First Amendment as scanning and filtering technology is never 100% correct. Along with blocking the intended harmful content, they will also block lawful and constitutionally protected speech.

For example, there have already been instances of fathers being locked out of their online accounts for sharing diagnostic photos of their children with a family doctor.

Another loud criticism of these proposals is that increasing the amount of content to be scanned, will make finding perpetrators of child exploitation crimes harder.

The process, already likened to finding a needle in a haystack, will be made even more difficult as the laws will only serve to increase the size of the “haystack”.

In response to STOP CSAM, The Center for Democracy and Technology has said that,

“...the STOP CSAM Act risks inundating...law enforcement with useless reports, squandering resources that should be directed towards combating child exploitation, while also putting vulnerable young people at risk of having their communications censored and surveilled, and cutting them off from crucial vectors for information and support.”

Europe: Child Sexual Abuse Regulation (CSAR)

Similarly to the UK's bill, the EU's proposed Child Sexual Abuse Regulation (CSAR) requires online platforms to reduce abusive content by monitoring user communication.

If significant risks of online sexual child abuse persist after these measures, law enforcement agencies can issue detection orders.

The CSAR goes beyond reviewing data and checking against existing child abuse databases by suggesting the use of algorithms to guess what other images might constitute abuse.

It even plans to employ artificial intelligence to review text messages and predict future child abuse based on communication patterns.

The European Digital Rights (EDRi) network has co-authored an entire paper outlining the issues with the proposed solution.

The paper entitled “A Safe Internet For All: Upholding Private And Secure Communications”, explains how the CSAR “threatens the safety, security, privacy and free expression of everyone that uses the internet globally – including the very children that it aims to protect.”

By treating everyone in the UK as a potential child abuser, the bill is essentially a large-scale violation of the fundamental rights of Internet users, including the right to privacy.

The EDRi also share the same “giant haystack” concerns, that the overly-complicated and bureaucratic proposal would impede the investigation and prosecution of perpetrators of child sex abusers.

The paper also highlights the practical issues of enforcement.

Firstly, the age of consent differs across the Member States of the EU, and secondly, the scanning technologies used are often flawed with a high rate of false alarms which would waste valuable resources and damage innocent people.

Under the new regulation, vulnerable groups who rely on online communities and websites for help and information could find themselves further marginalized and targeted. Already, speech surrounding LGBTQ topics and identity is blocked by filter technologies intending to block sexually explicit content.

India: New law bans 14 encrypted chat apps

While the Western world is busy with its proposals, India's government is already taking action against encryption and specifically, encrypted chat apps.

At the beginning of May 2023, the Ministry of Electronics and Information Technology (MeitY) banned 14 end-to-end encrypted chat apps for being a threat to national security.

The list of apps includes:

• Crypviser
• Enigma
• SafeSwiss
• Wickr Me
• MediaFire
• Briar
• BChat
• Nandbox
• Conion
• IMO
• Element
• Second Line
• Zangi
• Threema

The justification for the ban was that the apps had allegedly been used by terror groups to communicate.

Under Section 69A of the Information Technology Act 2000, the government can direct online intermediaries like ISPs and telecom service providers to block content deemed a threat to national security and sovereignty.

However, according to a response posted by Element, the ban was approved due to the app being decentralized and having no representation in India. Whatever the real reason, innocent Indian citizens are being stripped of their ability to communicate in private, app by app.

It's also worth mentioning that at the end of 2022, the Indian government also introduced a new law that required all VPNs in the country to keep logs of all their users.

READ MORE: Where Are VPNs Banned or Restricted & What To Use Instead

Australia, Telecommunications Assistance and Access Act

Australia has also already been active in attacking encryption. The Telecommunications Assistance and Access Act passed in 2018, allows Australian law enforcement agencies to compel businesses to provide user information, data, and private messages.

While the Act doesn't allow agencies to ask for telecommunication services to build weaknesses into encrypted services, they can request assistance using already the service's existing capabilities, or request the build of a new snooping capability.

Here are the three ways law enforcement can make a request to telecoms companies:

• Technical assistance request (TAR): A voluntary request for tech companies to use their existing capabilities to access user content and communications.
• Technical Assistance Notice (TAN): A compulsory notice to force a provider to use those already existing capabilities.
• Technical Capability Notice (TCN): A mandatory notice that forces providers to create a new capability to grant access.

What this looks like in practice can vary depending on the case and the communication device or technology in question.

For example, a suspect could be sent a software update notice from their messenger app which inadvertently uploads keylogging software onto their device, or takes screenshots. These capabilities don't “technically” break encryption but they do completely undermine it.

In 2020, Australia made a statement of its support for strong encryption, but in the same breath, called for technology companies to work with the government to let them snoop. It's also worth noting that Australia is one of the original Five Eyes countries, along with the UK, USA, New Zealand, and Canada.

Encryption matters

There is a massive misconception that encryption backdoors or other workarounds will only be used by law enforcement. This is complete naivete. The slightest opening will be exploited by bad actors. And it won't be just hackers and cybercriminals, but also disgruntled employees, domestic abusers, and hostile governments.

Weakening encryption also damages those who need protection. The UK and US proposals outlined above are intended to make the online world safer, but in fact, they could end up making things worse for many.

Abused minors and adults rely on private and secure channels to report what's happening and get access to certain websites for the help they need. With encryption compromised and legal content being incorrectly blocked, they are ultimately left alone.

The issue is that it is impossible to show how many dangers have been prevented with the help of encryption. When nothing bad happens, there is no news.

Encryption is critical for child safety. Most kids own a smartphone by the time they are seven years old. These devices and the communications made on them contain tonnes of personal information.

This information can be things like their current location, where they are going to be at a certain time, the route they take to school, their hobbies, a home address, or contact details of family members.

If devices and encrypted chat apps are forced to remove encryption or weaken it to allow communication surveillance, that information will be easier to access and could compromise a child's privacy and safety.

These proposals may be intended to protect children yet they could destroy the very tools that do just that, and in the process, put us all at risk.

Communication surveillance goes against the basic and fundamental human right to privacy by removing the ability to have private conversations. End-to-end encrypted chat apps aren't just for those with something to hide.

Not only do they allow for safe and private communication between friends and family, but they also allow journalists to communicate privately with contacts, whistleblowers to expose wrongdoing safely and anonymously, vulnerable people to seek help or report abuse, and LGBTQ+ people to live their lives while protecting their privacy.

At the end of the day, wanting to have a private conversation is not a crime!

READ MORE: Compare the Best Encrypted Chat Apps