The non-profit organization behind the Signal messaging app is prepared to leave the UK if the country requires encrypted communications providers to modify their products to ensure user messages do not contain material harmful to children.

“We would absolutely walk out of any country if the choice was between staying in the country and undermining the strict privacy promises we make to people who trust us,” Signal CEO Meredith Whittaker told Ars. “The UK is no exception.”

Whittaker’s comments came as the UK Parliament is in the process of drafting legislation known as the online security invoice. The bill, introduced by former Prime Minister Boris Johnson, is sweeping legislation that requires virtually any user-generated content provider to block child sexual abuse material, often abbreviated as CSAM or CSA. Providers must also ensure that any legal content accessible to minors, including self-harm topics, is age-appropriate.

E2EE in the crosshairs

The bill’s provisions specifically target end-to-end encryption, which is a form of encryption that allows only the senders and recipients of a message to access the human-readable form of the content. Normally abbreviated as E2EE, it uses a mechanism that prevents even the service provider from decrypting encrypted messages. Robust E2EE that is enabled by default is Signal’s biggest selling point to its 100+ million users. Other services that E2EE offers include Apple iMessages, WhatsApp, Telegram, and Meta’s Messenger, although not all of them provide it by default.

Under a provision of the Online Security Act, service providers are prohibited from providing information that is “encrypted in such a way that it is not possible for [UK telecommunications regulator] Ofcom to understand it, or produces a document that is encrypted in such a way that it is not possible for Ofcom to understand the information it contains”, and when the intention is to prevent the British surveillance agency from understanding that information.

In Impact evaluation drafted by the UK Department for Digital, Culture, Media and Sport explicitly says that E2EE is within the scope of the legislation. One section of the evaluation reads:

The government supports strong encryption to protect user privacy; however, there are concerns that the move to end-to-end encrypted systems, when public safety concerns are not taken into account, is eroding a number of existing online security methodologies. This could have significant consequences for the ability of tech companies to address tampering, CSA material sharing, and other harmful or illegal behavior on their platforms. Companies will need to regularly assess the risk of harm to their services, including risks related to end-to-end encryption. They would also need to assess the risks before any significant design changes, such as moving to end-to-end encryption. Service providers shall take reasonably practicable steps to mitigate the risks they identify.

The bill does not provide a specific way for E2EE service providers to comply. Instead, it funds five organizations to develop “innovative ways in which sexually explicit images or videos of children can be detected and addressed within end-to-end encrypted environments, while ensuring user privacy is respected.”