LONDON — Deep in the recesses of Britain’s Hogwarts-like houses of parliament, a Facebook lobbyist-turned-Lord is trying to foment a rebellion.
This week Richard Allan played host to a motley crew of civil rights campaigners and technologists in a room just off the wood-paneled second chamber where he has sat as a Lord ever since being ennobled by Nick Clegg, a protégé he helped scale the heights of British politics and Silicon Valley.
The gathering — which saw the outspoken president of encrypted messaging app Signal, Meredith Whittaker, jet in from New York to attend — had one aim: To convince British lawmakers to reconsider a single section within Britain’s sprawling 302-page proposal to police internet content, known as the Online Safety Bill.
It won’t be easy.
Allan, a genial, white-bearded quinquagenarian who previously spent more than a decade as Facebook’s top EU lobbyist before recruiting Clegg, a former U.K. deputy prime minister, to the company, has already tried, and failed, to get the government to apply more safeguards to the proposed powers, which would allow U.K. comms regulator Ofcom to force digital service providers to monitor messages for content linked to child sexual abuse and terrorism.
Allan’s friends in tech are similarly perturbed.
Signal’s Whittaker has said she’d rather her service was blocked in the United Kingdom than slap monitoring tech on the apps. Will Cathcart of Meta-owned WhatsApp has hinted the service would make the same call. They say any move to scan message content poses an existential threat to the end-to-end encryption that protects messaging platforms like theirs from prying eyes.
On Wednesday, Whittaker and other privacy campaigners falsely claimed that London was pulling back from its bid to access encrypted messages — claims that were swiftly rebuffed by senior government ministers.
“The tech companies make a good case that client-side scanning would effectively break encryption,” said Allan, referring to the technique most often proposed as a way to monitor for illegal content in encrypted environments. It involves scanning messages and images on people’s device before they are sent via end-to-end encryption.
“They’re right to say that it creates a vulnerability. The promise of end-to-end encryption is that it’s only you and intended recipients that see the message. I’ve not seen a solution yet that doesn’t break that promise,” added Allan, who’s been a rare moderate voice in what has been a polarized and at times vitriolic debate.
The U.K.’s Online Safety Bill, which threatens fines of up to £18 million or 10 percent of annual global turnover for companies, and even jail time for senior execs, has already been at the center of several political fights.
Since proposals were first published four years ago, the bill has endured repeated changes in government policy — driven by four prime ministers and five digital ministers — and has at times riven deep splits within the governing Conservative Party, often on questions over the impact on free speech online.
The U.K.’s Online Safety Bill has already been at the center of several political fights | Marco Bertorello/AFP via Getty Images
But with the bill now in its final stretch, a fight over this single provision — called section 122 — looks set to dominate ahead of a November deadline. The outcome will reverberate around the world, as similar proposals to prise open encrypted chats advance in the European Union and elsewhere.
For its part, the British government says the powers are necessary to police an explosion of child sexual abuse imagery online and pre-empt a more widespread rollout of encryption technology on platforms like Facebook and Instagram. Child protection groups predict the changes by Meta could reduce the amount of reporting of online child abuse content by some 70 per cent.
But for critics like Signal’s Whittaker, that argument is a smokescreen for a decades-long attack on encryption by law enforcement and national spooks, and a pretext for mass surveillance.
It’s a battle that has united her with rivals like WhatsApp’s Cathcart, as well as a ragtag band of technologists, cryptography nerds, privacy campaigners and libertarians in an awkward alliance that has little in common apart from a deep worry that the British bill could set a dangerous global precedent.
“The U.K. is first, it’s the tip of the spear,” said Whittaker. “Other jurisdictions will just copy paste this.”
The origin story
July 7, 2022 will be remembered as the day Boris Johnson resigned as the United Kingdom’s Prime Minister. Matthew Hodgson remembers it for different reasons.
“I was doing a House of Lords panel, which nobody turned up to because of the drama with Boris,” said the CEO of U.K.-based secure messaging app Element, which is used by the likes of the U.K. Ministry of Defense and German armed forces. “I was comparing notes with civil society and the alarm bells just really started ringing.”
The reason for the alarm: section 122. Though the section had long been on the face of the legislation in some form, the previous day the then Home Secretary Priti Patel had squarely put end-to-end encryption in the crosshairs of the bill.
By the fall, alarm bells had started ringing further afield. “Someone pinged me in fall 2022, and said the Online Safety Bill was an issue,” said Whittaker, who started as Signal president in September 2022 after more than a decade at Google — where she was instrumental in organizing widespread walkouts to protest issues such as the way the company dealt with sexual harassment — and a stint as an adviser to U.S. Federal Trade Commission Chair Lina Khan.
Whittaker quickly began to mobilize, conscious that what was happening in the U.K. could quickly snowball into a global threat to end-to-end encrypted communications, her app’s raison d’être. In February she flew to Berlin to hold closed door meetings with researchers and civil society figures to plot how to punch back against proposals both in London and Brussels that threaten to undermine the privacy preserving tech.
By March she had done the once unthinkable: bringing in Will Cathcart from Meta-owned WhatsApp to bat for them. Interactions between the rival tech execs had been sparse before then, but they found common cause in fighting the Online Safety Bill.
“Historically we didn’t have diplomatic comms going on,” said Hodgson, who was part of the core group including Whittaker and Cathcart fighting section 122. “It was this existential threat that forced us to get into touch.”
Cathcart traveled to London in March to single out Britain’s framework as the single biggest threat to encryption in the West | Justin Tallis/AFP via Getty Images
The group then went on the offensive.
First to get boots on the ground was WhatsApp, with Cathcart traveling to London in March to single out Britain’s framework as the single biggest threat to encryption in the West in a roundtable with reporters from several outlets, including POLITICO.
At around the same time, Whittaker went on record to the BBC to say she would rather see Signal blocked in the U.K. than accept any undermining of the encryption on the platform. Cathcart subtly echoed those calls, raising the prospect of a twin pull-out by the two popular messaging apps from the U.K.
Then in April, in an almost unparalleled show of unity from the digital competitors, the trio penned an open letter alongside execs at other encrypted messaging apps warning that the British proposals presented “an unprecedented threat” to privacy.
Next, it was Whittaker’s turn to jet into London. There, she took on Damian Collins, a former U.K. tech minister and key architect of the bill, in a debate in July on Channel 4 News. Displaying a canny grasp for the British media landscape, she also penned an op-ed attacking the bill in the Telegraph, an influential right-wing paper that is closely aligned with the governing Conservative Party.
As well as turning to traditional outlets to get the message across, Whittaker and Cathcart haven’t pulled their punches on social media either, posting a steady stream of Tweets from their personal profiles attacking the bill. Just last month, Whittaker engaged in a Twitter spat with James Bethell, a Conservative member of the House of Lords, after he described attacks on the bill as “patronising tech-blather.”
Now, with the bill expected to pass before the King’s Speech in November, tech execs like Whittaker are descending on London in a bid to force through last minute protections for encryption into the bill.
“The window of opportunity for change is closing or has closed,” said the CEO of encrypted comms service Proton, Andy Yen, who is also in London this week to lobby on U.K. tech legislation.
A lobbying bonanza
By this summer, the full contours of the techies’ influence operation had come into focus.
“We need to get people out of the technology and into areas they understand like their living room and a CCTV camera,” said Cathcart at a conference in June, laying out how the tech companies planned to pushback against proposals like the Online Safety Bill.
“I think people have much stronger intuition about the right balance between tools for law enforcement to fight crime and fundamentally reshaping society through mass surveillance if you get away from the phone and get to something they’ve understood for more than 10, 20 years.”
The strategy has belatedly started to make inroads.
Apple has recently come out swinging despite earlier reticence to join the fray | Sascha Steinbach/Getty Images for Apple
Just before the U.K. parliament went on recess in June, Robert Stevenson, a Labour Party peer who had previously urged lawmakers to pass the bill saying Britain was “at war” with the tech giants, called for a pause because he wasn’t sure “where the balance lies” on the encryption question.
In another coup for the techies, Apple has recently come out swinging despite earlier reticence to join the fray. It has threatened to pull FaceTime and iMessage services over the British government’s anti-encryption push. Indeed, the American tech giant spiked a previous attempt to develop tools to scan iPhone users’ messages for child sex abuse content after concluding it wasn’t possible to implement “without ultimately imperiling the security and privacy of our users.”
Techies may also take some solace from having forced the Lords Minister Stephen Parkinson to clarify the government’s position on the issue on Wednesday — even if it was a reiteration of existing policy and not a u-turn as leaked reports had billed.
But as tech companies have upped the ante on their lobbying, some of their claims have raised eyebrows.
A line they are now pushing that the Online Safety Bill poses a threat to intelligence sharing between the U.K. and its allies like Ukraine in particular has received short shrift from experts.
“Intelligence sharing is done over hugely complicated and expensive mechanisms — they shouldn’t be done over WhatsApp or Signal. There are plenty of problems with the proposals in section 122 of the Online Safety Bill but the impact on national security communications systems isn’t one of them,” said the former head of the U.K. National Cyber Security Centre, Ciaran Martin, who has been largely supportive of the fight to safeguard encrypted messaging services.
Fighting child abuse
Techies have also struggled to make a convincing case for being able to tackle child sexual abuse content on encrypted platforms.
In Whittaker’s televised debate with former tech minister Damian Collins in July, she repeatedly dodged questions about how Signal made sure users didn’t abuse the platform, highlighting the awkward truth that wrongdoing is nigh on impossible to monitor on the encrypted messaging app.
Instead, encryption defenders like Whittaker argue that mass surveillance hasn’t led to an uptick in prosecutions for child abuse offences, pointing to figures that show rates remained largely static over the last decade despite a sharp increase in reporting from tech companies.
But it is hard to get around the fact that the modern internet has changed the landscape for a problem like child sexual abuse. Pedophiles no longer need to lurk near schools; they can now approach potential victims on platforms like Facebook or Instagram from the safety of their own living rooms, and share images and videos of abuse to hundreds of people at the click of a mouse. Generative AI threatens to make the problem even worse.
It’s no surprise then that Meta’s promised rollout of end-to-end encryption on Facebook and Instagram messenger has child protection groups and law enforcement spooked. Meta says it will continue to watch out for child abuse content by, for instance, tracking suspicious signals from accounts, much as it currently polices WhatsApp.
But the National Center for Missing & Exploited Children (NCMEC), the U.S.-based NGO that tech companies report child abuse content to, estimates that the changes could wipe out as much as 70 percent of reporting of possible illegal material. WhatsApp currently submits a fraction of reports compared to Facebook and Instagram.
“We support strong encryption on platforms, but we are in no doubt that implementing end-to-end encryption will weaken their ability to keep children safe,” said Lucy Sneddon, a communications manager for the U.K. National Crime Agency.
“When acting on the intelligence leads generated from NCMEC, enforcement action was generally only possible because the information received included the actual abuse content that had been detected on online platforms. End-to-end encryption means neither the platform nor us will be able to see that content, so it puts every single referral that we receive from that platform at risk,” she added.
Britain out on its own
For encryption supporters, their efforts might be too little too late for Britain.
Few changes are expected to the Online Safety Bill before it is passed. Real solace, if it comes, will be when officials thrash out guidance for how Ofcom will use its powers. Indications so far are that it won’t use them to break encryption.
“Ofcom would need a high bar of evidence in order to be able to require that a technology that went into an encrypted environment for example, and scanned for particular types of content,” said Melanie Dawes when quizzed by POLITICO in March.
The techies acknowledge they’ve been outmuscled in the battle with child protection groups and the government, which even shelled out more than half a million pounds to top ad agency M&C Saatchi to fight its corner.
“We were late to the game, we were complacent, and we assumed saner people in government would shoot it down,” said Hodgson, the Element CEO. “We are used to relying on the German privacy lobby. Post-Brexit, that muscle had not been exercised.”
Indeed — thanks in part to the German opposition — techies are more optimistic over a similar proposal to tackle child abuse online moving through Brussels.
“The EU final text will be much better,” said Proton’s Yen. “The U.K. could end up being extreme and on its own.”
Update: This story was updated after the third reading of the Online Safety Bill in the House of Lords on September 6.