The UK has not ordered Facebook to provide law enforcement agencies with a way to access end-to-end encrypted messages on WhatsApp, Sky News has learnt, despite a legal power which could allow it to do so in secret.
However, the power may be used to prevent Facebook from applying the same encryption protocol to its other services, something the company plans to do despite concerns the move will blind it to child predators’ grooming victims over its platform.
The notice would allow Facebook to use a potentially weaker form of encryption to protect users’ messages, while also forcing the company to retain the ability to monitor those messages and be able to deliver decrypted conversations in response to a warrant – something it cannot do with WhatsApp.
According to sources with direct knowledge of discussions between the government and the company, the legal instrument – officially known as a Technical Capability Notice (TCN) – was not used to force Facebook to include what critics describe as a “backdoor” to access specific WhatsApp messages, because no technological mechanism exists to bypass the encryption protocol that WhatsApp uses.
As one former senior civil servant explained to Sky News, there are two key reasons why the government did not issue a TCN to Facebook regarding WhatsApp – despite repeated complaints about the service from successive home secretaries.
The first was that “there isn’t a reasonable method yet” for the company to provide lawful authorities access to the content of targeted messages, simply as a matter of how the technology functions.
A key legal test in the legislation requires that it be “reasonably practicable” for the communications provider to comply with a TCN in order for one to be issued.
However, the encryption protocol that Facebook uses – the Signal protocol, which is becoming an industry standard – has been robustly designed and repeatedly audited by cryptographers to ensure it prevents third parties from accessing the message content.
The second reason, the former civil servant added, was political: “We aren’t sure TCNs will work on American companies, and politicians tend not to want to try and find out.”
While the technological challenge posed by messages encrypted using the Signal protocol is currently insurmountable, the fear about US-based companies dismissing complaints from foreign jurisdictions appears to be shrinking.
According to sources with knowledge of diplomatic meetings between political envoys from the Five Eyes intelligence alliance, concerns about Facebook’s plans are gaining the crucial support of the American government.
Through its own monitoring, Facebook submits thousands of reports to US authorities every year about predators using its platforms to attempt to groom children online, and millions of reports about images and videos featuring child abuse.
These child protection authorities estimate that 70% of Facebook’s reports will be lost if the company allows predators and their potential victims to communicate using an end-to-end encrypted service that the company itself can no longer monitor.
Facebook has not disputed this figure, although it argues that it can use the same tools that it uses with WhatsApp – looking for indications of child abuse in the metadata of messages – to detect and tackle predators.
In response to England’s children’s commissioner, who on Tuesday expressed her concern the company’s encryption plans would put children at risk, a spokesperson for the company said: “Child exploitation and grooming have no place on our platforms.
“Facebook has led the industry in developing new ways to prevent, detect, and respond to abuse and we will continue to work with law enforcement to combat criminal activity.
“End-to-end encryption is already the leading technology used by many services to keep people safe and, when we roll it out on our other messaging services, we will build on our strong anti-abuse capabilities at WhatsApp.
“For example, through a combination of advanced technology and user reports, WhatsApp bans around 250,000 accounts each month suspected of sharing child exploitative imagery.”
Security sources who spoke to Sky News said there is an important difference between Facebook banning users based on abuse content contained in profile pictures and group names – or on other metadata signals the company could develop – and law enforcement agencies being able to safeguard children and bring prosecutions against offenders with evidence in court.
They added there was also a very significant difference between WhatsApp and Facebook’s other services. People talking on WhatsApp have almost always been introduced through some other way. The chance of a child predator randomly typing in a phone number and finding a vulnerable child who will respond to them is extremely low.
However, Facebook as a platform is designed to help users find other people who have similar characteristics to them. If a Facebook user acts like a vulnerable child, then the platform will introduce them to vulnerable children – something child predators are known to take advantage of.
According to Home Office policy advisers, if the UK’s new Online Harms bill doesn’t introduce an obligation for Facebook to retain its own ability to monitor for child abuse – potentially by making its chief executive, Mark Zuckerberg, personally liable in incidents where the lack of this ability interrupts an investigation – then a TCN could be used to effectively issue an injunction against the company rolling out end-to-end encryption across its social networking services.
There is a concern that such a TCN may not successfully impact the company’s decision to implement the encryption if it was made in isolation by the British government, but it could be successful if similar actions were taken by multiple countries working in concert.
To this end, the British government has engaged in a diplomatic strategy of signing multiple joint statements challenging Facebook’s plans and conducting envoys to the US.
Sky News has spoken to multiple people with knowledge of these envoys to the US, where British officials have addressed technology companies – including Facebook – and American politicians about the issues of encrypted communications and terrorist content on social media.
Those on the British government side complained to Sky News that – over the course of several years – they have seen “no meaningful progress” on the encryption issue, even as the companies adopted novel technologies to tackle the spread of terrorist propaganda and child abuse material on their platforms.
“End-to-end encryption was always the elephant in the room” at talks on countering this material, one participant told Sky News, while another described the companies as “difficult and intransigent” from the UK government’s perspective.
Civil society organisations and technology industry representatives expressed similar disappointment in the value of these meetings, saying that governments were refusing to acknowledge that the technological challenges posed by extremist content were very different to the challenges posed by end-to-end encryption – and alleging an ulterior purpose for the complaints in the government’s desire to collect public communications.
Chloe Squires, director of national security at the Home Office, provided written testimony to the US Senate last December “to make clear why this is such an important issue for the UK government”, in a statement which repeatedly referenced Facebook moving its social networking services to use end-to-end encryption.
In her letter, Ms Squires explained how TCNs worked: “Technical capability notices can’t be used to require companies to provide unfettered access to the communications of their users. However, they can provide a legal basis to ask a company to establish a lawful access mechanism to encrypted communications.”
She added: “The technical difference we are talking about is whether the provider of a service retains a technical capability to access the content of communications that are already encrypted over that service. It is not the difference between messages being end-to-end encrypted or not encrypted at all.”
Preceding Ms Squires’ testimony, an open letter addressed directly to Mr Zuckerberg, and signed by British, American, and Australian officials, stated: “Companies should not deliberately design their systems to preclude any form of access to content, even for preventing or investigating the most serious crimes.
“We therefore call on Facebook and other companies to […] not to implement the proposed changes until you can ensure that the systems you would apply to maintain the safety of your users are fully tested and operational.”
Broader international agreement on the issue was stated in a Council of the European Union conclusion on combating child sexual abuse, which urged technology companies “to ensure lawful access for law enforcement […] to digital evidence, including when encrypted”.
The most recent joint statement regarding Facebook’s plans was published this October, signed by all of the members of the Five Eyes intelligence alliance, as well as a coalition including India and Japan.
In the eyes of the British government, each of these statements has moved the debate on in terms of the language used to explain the risks posed by Facebook’s plans, and to express the coalition’s desire that those plans be halted, as well as through the number of international signatories who could potentially issue similar orders to Facebook within their own jurisdictions.
As a Home Office spokesperson told Sky News: “We remain deeply concerned that Facebook’s end-to-end encryption plans will remove their ability to proactively detect and report child sexual exploitation and abuse.”
“We are not alone in these concerns. International governments, child protection organisations and, most recently, the Children’s Commissioner have all called on Facebook not to press ahead, putting millions of children’s safety at risk,” they added.