- Current and former Facebook executives have disputed reports from The Times and Bloomberg claiming a new UK-US treaty would force tech firms to hand over encrypted messages from services like WhatsApp.
- The two reports, citing confidential sources, triggered speculation that the US and UK governments had essentially forced WhatsApp to agree to a “backdoor.”
- But security experts said the treaty was about speeding up a little-known legal process in order to give UK courts and police faster access to information held by the big American tech firms, in relation to serious criminal investigations. They said it wasn’t about breaking end-to-end encryption.
- WhatsApp boss Will Cathcart said he was surprised by the reports and that the company was “not aware of discussions that would force us to change our product.”
- A UK home office spokeswoman said the US and UK are “committed to signing a world-leading Data Access Agreement that will speed up law enforcement’s ability to investigate and prosecute terrorists, child sexual abusers and other criminals.”
- Visit Business Insider’s homepage for more stories.
The reports, published over the weekend and citing confidential sources, reveal that a new UK-US treaty is due to be signed next month.
Per Bloomberg, the treaty would “compel social media firms to share information to support investigations into individuals suspected of serious criminal offenses including terrorism and pedophilia.”
The Times reported that police would specifically be able to gain access to “encrypted messages.”
The reports triggered widespread speculation online that the two governments had effectively pressured WhatsApp into inserting a “backdoor”, an intentional flaw that would allow outsiders to gain access to encrypted messages. Hacker News, an influential site that is widely read in Silicon Valley, posted a link to the story with the caption: “US and UK agree to force WhatsApp backdoor.”
A backdoor or break in end-to-end encryption would be explosive. WhatsApp and other social media apps employ the technology, promising that only people who send and receive messages can actually read their contents. It’s a major selling point to privacy-conscious users.
But the treaty won’t involve breaking end-to-end encryption or backdoors, according to WhatsApp chief Will Cathcart and Facebook’s former chief security officer Alex Stamos. Instead, it’s about speeding up a little-known legal process and giving UK police and courts faster access to much the same information from tech companies that US courts can access. That includes data such as phone numbers or timestamps, but doesn’t include the encrypted content of messages.
In the UK, several high-profile cases have brought politicians into conflict with social media companies. That’s because most of these firms are based in the US and obtaining private messages for UK investigations involves a lengthy legal process. The bureaucratic procedure is called a Mutual Legal Assistance Treaty (MLAT), which takes on average 10 months to pass.
Among these cases was the murder of 13-year old Lucy McHugh, which was hindered after the suspect Stephen Nicholson refused to hand over his Facebook password to police, who hoped messages between the two could prove vital evidence. After applying to the US courts prosecutors were able to obtain a log of Nicholson’s messages with McHugh, but not the contents of the messages themselves. Nicholson was convicted of murder and rape in July.
In another instance, two Snapchat executives were grilled by UK lawmakers over the case of Breck Bednar, a 14-year old who was murdered in 2014. Lewis Daynes, then 18, was convicted of Bednar’s murder. This year Bednar’s sister received gloating Snapchat messages purporting to be from his killer. Snapchat was unable to immediately hand over data tied to the account sending the taunts. “We welcome any efforts that help to speed up the Mutual Legal Assistance Treaty (MLAT) process whilst allowing for appropriate judicial oversight and avoiding conflicts of law,” a Snapchat spokeswoman told Business Insider at the time.
According to Stamos, the new UK-US treaty would give UK investigators faster access to this kind of information.
“This agreement would allow UK courts to issue requests equivalent to US courts, but it DOES NOT grant them access to anything a US court can’t get already,” he wrote on Twitter. “Orders for wiretaps of products like WhatsApp can get some data, like IP addresses, phone numbers, contact lists and avatar photos. It cannot get encrypted messages and attachments.”
Stamos also pointed to the CLOUD Act, a law which came into effect in March 2018 and allows the US government to make special data access agreements with countries who meet a set of criteria. These include a requirement that the country will target “serious crime” rather than crack down on free speech.
Will Cathcart, the head of WhatsApp, also appeared to dispute the reporting on Hacker News.
“We were surprised to read this story and are not aware of discussions that would force us to change our product,” he wrote.
Asked about backdoors, he added: “We are completely opposed to this. Backdoors are a horrible idea and any government who suggests them is proposing weakening the security and privacy of everyone.”
A UK Home Office spokeswoman told Business Insider: “The UK and US are committed to signing a world-leading Data Access Agreement that will speed up law enforcement’s ability to investigate and prosecute terrorists, child sexual abusers and other criminals.”
A Facebook spokesman said in a statement:
“We believe in the right for people to have a private conversation online. End-to-end encryption helps protect that right and is fundamental to the value we provide to over a billion people every day. We oppose government attempts to build backdoors because they would undermine the privacy and security of our users everywhere. We also respect the role law enforcement has in keeping people safe. Government policies like the CLOUD Act allow for companies to provide available information when we receive valid legal requests and do not require companies to build back doors.”
Although the new treaty does not appear to impact end-to-end encryption, British home secretary Priti Patel has previously exerted pressure on tech firms over encrypted messages.
“Tech firms should not develop their systems and services, including end-to-end encryption, in ways that empower criminals or put vulnerable people at risk,” Patel said in a statement following a meeting of the Five Eyes nations in July.