“Mercury Shrugged” — how can end-to-end #encrypted messenger platforms threatening to “take their ball home” be “…a threat to ‘the nation state?’” #OnlineSafetyBill #MercuryShrugged @SignalApp @WhatsApp

[EDIT: Updated July 2023]

The secure messenger platforms are promising to leave the UK. This will impact everyone, bad and good, politicians included.

Over the past two weeks we have seen both Signal, and now WhatsApp [and now Apple] threaten to withdraw their service from the UK because (and let’s be precise about this) the Online Safety Bill, as drafted, empowers OFCOM to demand that client-side-scanning technologies must be deployed in the client applications, which breaks the end-to-end security promise that literally defines the value proposition of the software.

And then you see tweets like this, from the former policy guy at NSPCC who clearly is still attempting to grind an axe:

are we comfortable watching a… industry push to assert… their primacy over nation states

The thing is: it’s not an “industry push” — end-to-end security in communications software has been coming since 1991 (with the publication of PGP) if not 1975/ish with the paper which kicked off the development of public key encryption.

And the notion that Signal is somehow a huge corporation defies both belief and reality.

But here’s a question for you: is Meta / WhatsApp / Facebook [/ Apple] — or any other company — obligated to offer a service within a country on anything other than their own terms? Should they be forced not merely to submit to the surveillance whims of each and every nation? Should they be forced to adopt particular protocols in order to support those nations’ whims?

From where in the nation state primacy handbook comes the power to require a corporation – or a federated community, or an individual – to offer a service within their jurisdiction, and be forced to offer it on terms which the particular state at hand considers to be desirable?

With the exception of some arguable “anti-tipping-off” statutes (re: ongoing investigations) – I cannot think of any. And I aver that this is because code is speech, and compelled speech is generally revolted-against in all democratic societies.

In any case: it’s food for thought, not least “if some people are presenting this pejoratively, as an argument in favour of the online safety bill, at precisely what point will they stop telling people, services and companies, what they must do and how they must do it?”

Update / Postscript

Whilst I am here: Andy is wrong to conflate WhatsApp’s malware detection with the proposals for client-side scanning which the Online Safety Act proposes; there are issues of scale, control, intent and implementation, all of which make the two incomparable.

Comments

2 responses to ““Mercury Shrugged” — how can end-to-end #encrypted messenger platforms threatening to “take their ball home” be “…a threat to ‘the nation state?’” #OnlineSafetyBill #MercuryShrugged @SignalApp @WhatsApp”

  1. Simon Farnsworth

    There’s also a tradeoff that I don’t see considered enough; CSAM crimes are divided into three groups (and a single person can be in more than one of these groups):

    Consumers, who buy and/or use CSAM for their own purposes, but neither distribute nor create.
    Distributors, who don’t use CSAM for their own purposes, nor create it, but do spread it.
    Creators, who don’t distribute CSAM or use it for their own purposes, but do make fresh CSAM.

    In terms of harm done, creators are obviously the most significant, followed by distributors, with consumers coming third (since a distributor causes multiple consumers to see a single image, with the associated psychological harm to the victim from each consumer). Further, if all we had were consumers, there would be no CSAM for them to consume, and we’d never find them.

    The trouble with the dragnet approach is that mass surveillance doesn’t distinguish the three groups; it just looks for the binary of CSAM/no CSAM.

    But in traditional CSAM policing, the three groups get treated differently – consumption gets you active surveillance to find the distributors who supply you, distribution gets monitored for long enough to be confident that you’re not being supplied by a creator, discovery of a creator gets the whole lot pulled in.

    Is the dragnet approach actually going to find more creators and distributors? Or is it inflating the numbers because it’s catching more consumers than ever before? If the former, then it has some merit – but if it’s just the latter, then it’s increasing numbers without actually helping children.

  2. […] also know that those apps are going to walk out of the United Kingdom if it presses ahead with illiberal and misconceived proposals to permit Ofcom (hello again!) to […]
