date 2021-12-25
https://www.techradar.com/vpn/vpn-privacy-security/creating-apps-like-signal-or-whatsapp-could-be-hostile-activity-claims-uk-watchdog
Developers of apps that use end-to-end encryption to protect private communications could be considered hostile actors in the UK.
That is the stark warning from Jonathan Hall KC, the government's Independent Reviewer of State Threats Legislation and Independent Reviewer of Terrorism Legislation, in a new report on national security laws.
In his independent review of the Counter-Terrorism and Border Security Act and the newly implemented National Security Act, Hall KC highlights the incredibly broad scope of powers granted to authorities.
He warns that developers of apps like Signal and WhatsApp could technically fall within the legal definition of "hostile activity" simply because their technology "make[s] it more difficult for UK security and intelligence agencies to monitor communications."
He writes: "It is a reasonable assumption that this would be in the interests of a foreign state even if though the foreign state has never contemplated this potential advantage."
The report also notes that journalists "carrying confidential information" or material "personally embarrassing to the Prime Minister on the eve of important treaty negotiations" could face similar scrutiny.
While it remains to be seen how this report will influence future amendments, it comes at a time of increasing pressure from lawmakers against encryption.
While the report's strong wording may come as a shock, it doesn't exist in a vacuum. Encrypted apps are increasingly in the crosshairs of UK lawmakers, with several pieces of legislation targeting the technology.
Most notably, Apple was served with a technical capability notice under the Investigatory Powers Act (IPA) demanding it weaken the encryption protecting iCloud data. That legal standoff led the tech giant to disable its Advanced Data Protection instead of creating a backdoor.
The Online Safety Act is already well known for its controversial age verification requirements. However, its most contentious provisions have yet to be fully implemented, and experts fear these could undermine encryption even further.
On Monday, Parliament debated the Act following a petition calling for its repeal. Instead of rolling back the law, however, MPs pushed for stricter enforcement. During the discussion, lawmakers specifically called for a review of other encrypted tools, like VPNs.
The potential risks of the Act's tougher stance on encryption were only briefly mentioned during the discussion, suggesting a stark disconnect between MPs and security experts.
Olivier Crépin-Leblond, of the Internet Society, told TechRadar he was disappointed by the outcome of the debate. "When it came to Client Side Scanning (CSS), most felt this could be one of the 'easy technological fixes' that could help law enforcement greatly, especially when they showed their frustration at Facebook rolling end-to-end encryption," he said.
"It's clearly not understood that any such software could fall prey to hackers."
It is clear that for many lawmakers, encryption is viewed primarily as an obstacle to law enforcement. This stands in sharp contrast to the view of digital rights experts, who stress that the technology is vital for protecting privacy and security in an online landscape where cyberattacks are rising.
"The government signposts end-to-end encryption as a threat, but what they fail to consider is that breaking it would be a threat to our national security too," Jemimah Steinfeld, CEO of Index on Censorship, told TechRadar.
She also added that this ignores encryption's vital role for dissidents, journalists, and domestic abuse victims, "not to mention the general population who should be afforded basic privacy."
With the battle lines drawn, we can expect a challenging year ahead for services like Signal and WhatsApp. Both companies have previously pledged to leave the UK market rather than compromise their users' privacy and security.