The messaging firm says it will stand up for encryption – even if that means pulling out of the country – as the UK’s Online Safety Bill slowly makes its way into law.
Signal's announcement that it would pull out of the UK if it goes ahead with plans to weaken encryption highlights the problems with the country's Online Safety Bill.
The non-profit messaging firm's app was estimated to have more than 40 million monthly users in 2021 and more than 100 million downloads on Google Play, with features including end-to-end encryption and disappearing messages.
It's widely used by journalists, activists and others – to whom, says president Meredith Whittaker, the company has a responsibility.
"We would absolutely 100% walk rather than ever undermine the trust that people place in us to provide a truly private means of communication," Whittaker told the BBC. "We have never weakened our privacy promises, and we never would."
The Online Safety Bill has been under discussion for years, generating controversy all that time. It's been pitched very strongly by the UK government as a way of dealing with child sexual abuse material or terrorism content on the internet, and requires social media and messaging platforms to identify and take down such offending material, as supervised by regulator Ofcom.
In order for this to be possible, the bill bans messaging that is “encrypted such that it is not possible for Ofcom to understand it, or produces a document which is encrypted such that it is not possible for Ofcom to understand the information it contains.”
Right from the start, it was made clear to legislators that it's not possible to maintain encryption for the good guys while leaving a back door open for Ofcom and law enforcement. However, the provision, as it stands, means that companies must either do this or scan content before it's encrypted – so-called client-side scanning.
This technique was proposed by Apple in 2021 as part of plans to help detect child sexual abuse material. It involves searching individual device iCloud photo libraries for illicit content using a technology called NeuralHash, comparing them with known prohibited material, and reporting suspect images to the police.
But Apple later pulled the plug after criticism that the technique often didn't work, and that there was a serious risk of abuse by repressive governments.
And these concerns still remain.
"The spy clause in the Online Safety Bill will give Ofcom the power to ask private companies to scan everyone’s private messages on behalf of the government. Quite simply, it is state-mandated private surveillance of the kind that we see in authoritarian regimes," said Monica Horten, policy manager for freedom of expression at the Open Rights Group.
"Signal’s announcement highlights just how seriously these proposals will threaten encryption and undermine our right to communicate securely and privately. If Signal withdraws its services from the UK, it will particularly harm journalists, campaigners and activists who rely on end-to-end encryption to communicate safely."
Of course, Signal is by no means the only service in the UK to use end-to-end encryption, with others including Apple iMessages, WhatsApp, Telegram, and Meta's Messenger. Virtual private networks (VPNs) and secure email services could be affected too.
And while the big hitters haven't threatened to withdraw services in the UK, Signal is certainly not the only firm to do so, with Matthew Hodgson, chief executive of secure messaging firm Element, telling the BBC that it might have to cease some of its own.
Meanwhile, encrypted email service Tutanota says it will refuse to comply with the regulations, but has also ruled out withdrawing services of its own accord.
"We will not 'walk' from the UK," it said. "If prime minister Rishi Sunak and his government want to stop people in the UK using strong encryption, like [that] provided by our secure email service Tutanota, he must block access to Tutanota – just like Russia and Iran are already doing."
Bill nears approval
The bill is currently at the committee stage in the House of Lords, the upper chamber in the UK’s bicameral parliament: it needs to be approved there and then gain royal assent by April. If it doesn't, rules dictate that it would have to be scrapped and started again from scratch.
But it seems unlikely that peers, sitting members of the Lords, will rebel – at least, not in the cause of privacy and security – meaning that the bill is likely to come into force in May.
And this is when the true effects will probably emerge. The bill won't just affect the big tech platforms – it's been estimated that as many as 25,000 businesses will fall within its scope. Many will, often unknowingly, break the rules; others will cut services.
Fed constant messaging about the bill's doubtless admirable intentions to counter child sexual abuse and terrorism content, few in the UK are currently aware of its other ramifications – but it's at this point that the implications will really hit home.
More from Cybernews:
Subscribe to our newsletter