Home Office vs. WhatsApp Encryption

Tuesday 2 May 2017

Last month, the British government's home secretary Amber Rudd launched a crusade against the encrypted messaging service WhatsApp. Because WhatsApp was reportedly used by Khalid Masood – the man responsible for the Westminster terror attack – Rudd suggested that she would like encryption to be banned, saying that “a secret place for terrorists to communicate” could not be permitted.

For several years the government has been pushing a similar line, arguing that there can be no “safe space” allowed for terrorists to communicate. The position is controversial because the real outcome of such a policy would mean no “safe space” for anyone to communicate; terrorists are not the only people who use WhatsApp. The service has more than a billion users, the majority of whom are ordinary citizens who just want to be able to chat privately and securely with friends and family.

Rudd's statement cast a shadow of blame over WhatsApp for Masood's atrocity. But because he was not under surveillance at the time of his attack, and is believed to have acted alone, even if WhatsApp were not encrypted it is unlikely that the security services would have been in a position to prevent his rampage. And it was not the case that his communications were entirely beyond the reach of the police, as Rudd implied they were. Investigators were reportedly able to recover WhatsApp messages from his phone in the aftermath of the incident.

These facts did not stop Rudd's posturing, however. She used the incident as an opportunity to call a meeting in the Home Office with what she described as a “fairly long list” of technology companies. Among those invited were internet giants Google, Microsoft, Twitter, and Facebook, whose policy officials published a joint letter after the gathering pledging a commitment to do more to remove terrorist propaganda from their services. But who else attended the meeting is a mystery. Curiously, the Home Office's security and counter-terrorism department is refusing to release the details, and told me last week in response to a Freedom of Information Act request that the names have to stay secret on national security grounds:

Disclosure of the information in scope of your request would reveal those organsistions [sic] that are working with the Home Office to combat terrorism especially in the online space. By releasing the names, we are informing the public which sites host the most content and therefore potentially providing information that could make it easier for those searching for this material to locate it on the internet. This would serve to undermine the Prevent Strategy, and hence weaken and prejudice the national security of the UK. There is a serious terrorist threat to the United Kingdom and disclosure of the information requested could put national security at risk by jeopardising or negating the Government’s efforts to prevent acts of terrorism and terrorist related crime.

It added that information is also subject to commercial confidentiality agreements:

Releasing the information about individuals provided in confidence would breach confidential commercial relationships with the Home Office and could result in breach of confidence action against the Home Office. It would also damage our standing in dealing with individuals who would not have confidence to engage with us in future, and may decide to take action against us.

Both of these claims are perplexing. First of all, it is hard to understand how merely naming a technology company could somehow increase the terror threat or encourage people to seek out terrorism-related content that is hosted by it. Any disturbed individual who is looking for a bomb-making manual or Islamic State propaganda magazine can find it with a few cursory Google searches if they so wish. That is the nature of the internet. The Home Office will not make the problem any better or worse by disclosing the names of technology companies it is meeting with.

The second point, on confidentiality, is equally tenuous. Companies that the government has “commercial relationships” with are paid for by the taxpayer. Therefore, there is no good reason why the details of the contract should not be disclosed. Quite the contrary, there is good reason that the contract should be disclosed, as taxpayers have a right to know how their money is being spent. In this instance I was not even seeking specific contractual details – I was merely asking for a list of companies that attended a meeting. But this was deemed unacceptable to the Home Office, which like many other British government departments is obsessed with secrecy and routinely refuses to release even the most banal information just because it can.

Notably, one thing the Home Office did acknowledge in its response to me was that “the meeting did not cover encryption” and instead “focused on the issue of online terrorist content.” So after the stink Amber Rudd made about banning “secret places” and cracking down on WhatsApp, for the time being she seems to have backed down on the issue.

I am appealing the decision to withhold the company names – and will update here when I have more news on the case.