05 April 2017

Thoughts on Whatsapp and terrorism - by Helen Goldthorpe

Following the recently-deemed terrorist attacks in Westminster, London, calls were made for the ban of end-to-end encryption, such as that used by Whatsapp, the messaging platform indirectly blamed for being a tool of use by the alleged terrorists.

This leaves many with the question: do those in positions of political power still think it unnecessary to understand technology?

The Lawyer Monthly has interviewed several security specialists, researchers and legal professionals on the ins and outs of Whatsapp’s privacy protection debate. Among them is Helen Goldthorpe, an associate at Shulmans LLP who specialises in commercial and IT law.

Helen has given the following views on the matter:

Since the Westminster attack, the inability to access WhatsApp messages has angered the intelligence services and Home Office, which have called for backdoor access to content. However, with no messages stored on its servers and with end-to-end encryption, the company stands firm on its position that it’s not technically possible to facilitate this without undermining its security protocols. As security is at the heart of its offering, WhatsApp is in fact under obligations to keep information secure in accordance with the Data Protection Act. When GDPR comes into force in 2018, WhatsApp will be perfectly placed for compliance with the “Privacy by Design” obligations it imposes, in addition to the new draft ePrivacy Regulation which will extend current laws on the security of electronic communications to “over the top” providers such as WhatsApp.

A second reason why WhatsApp is likely to be comfortable with the fact that it cannot currently access the content of messages is that this helps it to argue that the app is merely a “conduit” for messaging, preventing it having any liability under defamation, copyright infringement, anti-terrorism and other laws. Whilst its terms and conditions forbid the use of the service for instigating or encouraging illegal conduct, it is not in its interest to either actively monitor messages, or to amend them to remove such content. Even if it could, doing so may impose liability on WhatsApp if it is deemed to have knowingly distributed or published the content. By ensuring that it does not have access to the messages, WhatsApp minimises the risk of liability.

Although a release of data to the intelligence services under a warrant would not necessarily breach data protection laws, the legal position and market demand for security have led to the creation of a system where this isn’t technically feasible. Given that WhatsApp is unlikely to voluntarily make its system less secure, legislation (which arguably already exists in the Investigatory Powers Act 2016) would need to require the company to create a backdoor. In order to be useful, a legal obligation to store the messages after delivery may also be required. As well as leading to technical and commercial difficulties and a risk of simply moving the problem elsewhere, any such obligation is likely to be the subject of legal challenge. The Investigatory Powers Act 2016 itself replaces a law which was successfully challenged on privacy grounds.

The full article can be read online on The Lawyer Monthly’s website.

If you want to discuss this topic further, please contact Helen Goldthorpe on 0113 288 2829 or at hgoldthorpe@shulmans.co.uk.