No, the UK Hasn’t Just Signed a Treaty Meaning the End of End-to-End Encryption
A new UK Times report claims that “WhatsApp, Facebook and other social media platforms will be forced to disclose encrypted messages from suspected terrorists, paedophiles and other serious criminals under a new treaty between the UK and the US.”
Several other media outlets have followed up on the report, with headlines such as “UK and US set to sign treaty allowing UK police ‘back door’ access to WhatsApp and other ‘end to end encrypted’ messaging platforms”.
While the Treaty is of concern, and while there are indeed a number of very real and imminent threats to the use of secure and encrypted applications, such headlines are misleading and need clarification and context.
(TL/DR: No, this particular Treaty doesn’t mean the end of end-to-end encryption, but there’s other threats out there you should be concerned about).
What is the new “Treaty”?
The Times reports that the UK Home Secretary will sign an agreement next month “that compels US social media companies to hand over information to the police, security services and prosecutors”. Presumably, this refers agreements signed under the Clarifying Lawful Overseas Use of Data (CLOUD) Act, signed into law in the US in 2018.
Essentially, the CLOUD Act aims to allow non-US governmental agencies to request access to data stored in the US and to allow US agencies to request data from companies based abroad.
The CLOUD Act was appended to another bill and rushed through the US legislature with minimal scrutiny just as United States v. Microsoft Corpwas being heard before the US Supreme Court in 2018. The case would have determined whether or not US law enforcement bodies could compel communications service providers to hand over data held abroad, in this case whether Microsoft would have to hand over emails and other private information associated with a particular account based in Ireland.
Privacy International intervened in the case, arguing that if the US government were to succeed in unilaterally seizing data stored abroad, it would set the stage for repeated violations of data-protection laws around the world.
The passing of the CLOUD Act, however, meant the case was deemed moot by the court.
The CLOUD Act allows the US executive to enter into agreements with other countries to allow their national agencies to make data requests directly to communications service providers located in the US, who otherwise may be prevented from complying with those requests because of US law protecting the privacy of communications.
There are some safeguards. For example, the US Department of Justice states that any countries which enter into agreement “require significant privacy protections and a commitment to the rule of law.”
This might sound reasonable enough, especially as the current system for international data requests known as the Mutual Legal Assistance Treaty is notoriously slow, but there are significant problems with the CLOUD Act (which could have been rectified within the law had more consultation and scrutiny been allowed).
For example, in the US access to communications content requires a judicial finding of probable cause, which is not the case in the UK. British agencies are also allowed to use broad thematic warrants, which are not targeted at named individuals but rather at entire groups of people. While such thematic warrants are not permitted under the CLOUD Act, the oversight of those warrants, once served on US companies, is not sufficient to guarantee this prohibition will be followed. Therefore, UK agencies could make requests based on a legal process with significantly less safeguards than the US process.
The agreement that the UK and US are about to sign may bolster some of these protections, but we do not know because we have not seen the text of the agreement. That is another reason for concern.
Overall, the CLOUD Act is controversial: to read more, see our legal commentary available here and here, or other analyses by our friends at the ACLU, EFF, and CDT.
Does the CLOUD Act mandate encryption backdoors?
The implementation of the CLOUD Act does not, however, mean that communications service providers will have to decrypt people’s communications to comply
The Department of Justice has said that the CLOUD Act is “encryption neutral” – meaning it neither requires decryption nor stops governments from ordering decryption to the extent authorized by their laws. “This neutrality allows for the encryption issue to be discussed separately among governments, companies, and other stakeholders”, according to the Department.
While the Act is neutral on this point, it’s important to remember that particularly for services such as WhatsApp, only the content of communications is end-to-end encrypted, not the metadata (the who, what, and where associated with the account and messages). This metadata, while commonly perceived to be less sensitive than content of messages, is actually just as invasive: indeed, the European Court of Human Rights recently agreed with Privacy International in our challenge to the UK’s mass surveillance regime, finding that collection of such metadata could be as intrusive than the content of the communication itself.
While the CLOUD Act doesn’t deal directly with end-to-end encryption, there are still threats to encryption coming from the UK and elsewhere
Make no mistake, government agencies are ramping up efforts to access secure end-to-end encrypted communications. Earlier this year, government representatives from Australia, Canada, New Zealand, the UK, and the US (“The 5 Eyes”) issued a statement calling on tech companies to “include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and usable format”.
There is even an idea on the table which would see tech companies forced to secretly add a law enforcement participant to group chats. Known as the Ghost Protocol, Privacy International joinedother NGOs, security researchers, and companies earlier this year to express shared concerns about the serious threats to cybersecurity and fundamental human rights including privacy and free expression posed by the proposal.
The Ghost Protocol is one possible instantiation of the UK’s broad power under the Investigatory Powers Act 2016 to serve “technical capability notices” on service providers – even those who operate outside of the UK. These notices can be used when “necessary for securing that the operator has the capability to provide any assistance which the operator may be required to provide in relation to any relevant authorisation”, including interception warrants. They may include “obligations relating to the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data.” So while the CLOUD Act may not threaten end-to-end encryption, UK law does.
Going forward…
Secure encryption is vital to allow people to use technology without fear of governments, corporations, criminals or others accessing their private data. As tech plays a more central role in our everyday lives, from communicating to banking to using the fridge, encryption will become even more important in the future.
While the CLOUD Act isn’t the end of end-to-end encryption, that doesn’t mean there is nothing to worry about. We will continue to monitor and challenge threats to people’s rights and cybersecurity, recognising that accurately reporting developments, especially developments that are happening purposefully out of public view, is incredibly difficult – but important.