Signal: If UK Government Undermines Encryption It Can Kiss Messaging Service Used By Its Employees Goodbye
If anyone can call a government's bluff, it's Signal. It's a nonprofit, which means it doesn't need to make a bunch of shareholders happy by capitulating to ridiculous government demands in order to retain market share.
Governments really can't threaten Signal. It doesn't collect or retain user information, so it can't hand this data over no matter how much or how hard government agencies demand it.
When governments start threatening to undermine or criminalize encryption, the encrypted messaging service is more than willing to walk away from those markets, rather than weaken/remove encryption just so it can keep serving users in these countries. While that doesn't do much good for Signal users in countries where encryption is being eyed for vivisection, it does protect the rest of its users everywhere else in the world. Once encryption is undermined - no matter where it takes place - it threatens the security and privacy of every user.
The government of India has been steadily increasing its direct control of the internet, including social media and messaging services. To achieve this control, the Indian government needs to backdoor or ban encryption. In response to this threat, Signal has promised to exit the market, rather than produce a weaker (or unencrypted) version of its service for the Indian market, which is one of the world's largest.
The UK government is now receiving the same declaration from Signal the Indian government did when it started directly threatening encryption. The UK government has been trying to undermine encryption for years, with each passing year bringing with it new proposals and new levels of desperation from legislators.
Whatever the UK government decides to do, Signal isn't interested in collaborating with it if it says encryption has to go.
Asked if the Online Safety Bill could jeopardise their ability to offer a service in the UK, [Signal president Meredith Whittaker] told the BBC: It could, and we would absolutely 100% walk rather than ever undermine the trust that people place in us to provide a truly private means of communication.
We have never weakened our privacy promises, and we never would."
The UK government, however, continues to live in denial. It claims its proposed changes to the Online Safety Bill would not ban end-to-end encryption." That may be so but the proposal is intended to weaken end-to-end encryption by either compelling encryption-breaking by providers or creating backdoors for law enforcement access. As usual, the government claims this is for the children.
The Online Safety Bill does not represent a ban on end-to-end encryption but makes clear that technological changes should not be implemented in a way that diminishes public safety - especially the safety of children online.
It is not a choice between privacy or child safety - we can and we must have both."
Except that it is. And the choice isn't about privacy, it's about security. You can either have a secure system or you can have this fairy tale lots of government officials believe: something that allows cops in but keeps bad guys out.
[Whittaker] added: Encryption is either protecting everyone or it is broken for everyone."
She said the Online Safety Bill embodied" a variant of this magical thinking.
And the government knows this. Last year, its own Information Commissioner's Office issued its own report on the government's encryption war, coming down firmly on side of strong, uncompromised encryption... for the children.
E2EE [end-to-end encryption] serves an important role both in safeguarding our privacy and online safety," said Stephen Bonner, the ICO's executive director for innovation and technology. It strengthens children's online safety by not allowing criminals and abusers to send them harmful content or access their pictures or location."
If you want to protect children, the last thing you should do is weaken the encryption that protects their connections and communications. That's the point the ICO made. But the other parts of the government seem to think they know best and are ignoring this advice to press forward with efforts intended to weaken or backdoor encryption.
If the UK government won't listen to the UK government, maybe it will listen to the UK government? Plenty of its employees like to use encrypted services featuring self-destructing messages (including Signal), presumably to keep their communications out of the hands of public records requesters. Will these legislators and officials be willing to work against their own interests by chasing Signal out of the country with anti-encryption mandates? Or will they decide to safeguard their own interests (and the some of the public's interests too, albeit inadvertently) by shutting down these proposals before the become law?