back to article WhatsApp boss says no to AI filters policing encrypted chat

The head of WhatsApp will not compromise the security of its messenger service to bend to the UK government's efforts to scan private conversations. Will Cathcart, who has been at parent company Meta for more than 12 years and head of WhatsApp since 2019, told the BBC that the popular communications service wouldn't downgrade …

  1. Anonymous Coward
    Anonymous Coward

    Genossen, wir müssen alles wissen!

    "Another downside is that the definition of what is filtered may gradually change over time, and before you know it: everyone's conversations are being automatically screened for things politicians have decided are verboten."

  2. steviebuk Silver badge

    It not true AI

    "The UK government is proposing that app builders add an automated AI-powered scanner in the pipeline"

    The government as always doesn't know what its talking about. Most AI in business is marketing bullshit, designed to make the company money at the expense of the user, much like Microsoft's "AI" code writer. The the "AI" to scan everyone's chatter and decide what to flag up isn't something the "AI" is aware of, it won't say "That seems like illegal content but hidden to avoid my scans" no, it will be based on what it has been trained on. What's to stop someone training it poorly & how many times will it flag false positives. Too many for a human to then check so people will just be automatically accused by "The AI which is never wrong".

    All that will happen is another message app will appear with end2end encryption back in with no scanning.

  3. Christoph

    Other Disadvantages

    The government enforced program on your phone will be optimised for thorough scanning, not for conserving your battery. You will have no control over it draining all the power just when you need your phone.

    Not only can they expand what is scanned, they can update the program to do other things. "Oh, there's a terrorist threat, so we had to make it send all your messages to us in clear, together with your exact location at all times"

    1. Anonymous Coward
      Anonymous Coward

      Let's start

      By making all MP's phone contents, texts, call logs & browsing history open to public scrutiny by having their data published on a real-time feed on a public website.

      1. Andy The Hat Silver badge

        Re: Let's start

        At least a GCHQ director thinks scanning his feeds is ok, and someone at an organisation owned by GCHQ agrees with him ... Perhaps the Government who "owns" GCHQ will think the same ... oh, they do?

        Have they just suggested all politicians have mandatory scanning of communications under the control of the current Government? Dangerous or what?

        1. Anonymous Coward
          Anonymous Coward

          Re: Let's start

          Does he though, or is he just saying that?

          Saudi Arabia used Pegasus software against Jamal Kashoggi (the journalists they cut up in a Turkish embassy). His Whatsapp messaging to Saudi dissidents, is what got him into trouble. Turkey released one sided audio of a twenty minute video call between the killers and someone in Saudi Arabia (again it would likely be Whatsapp). You tell me WhatsApp is secure? Pull the other one, it falls off because its been hacked through with a bone saw!

          This GCHQ bloke has access to the same Pegasus software (and a whole lot more), and if he needed to intercept a device, the technical means exist and he has it. If he has suspicion, evidence and legal basis*, then nothing is stopping him. He can legally install his spyware on that device.

          * Keep in mind, his remit is so wide, he can spy on lots of people (politicians included) without even a warrant or evidence.

          Likewise it's trivial to scan unencrypted messaging, and is already done. The technical means already exist. So this push only seems to be for the legal basis for mass scanning of encrypted messaging.

          Which makes me think, they're already doing that and are keen to push through the legal basis. They seem desperate, yet it doesn't give them much more than they already have.

          A whistleblower would be nice.

          1. Anonymous Coward
            Anonymous Coward

            Re: Let's start

            > You tell me WhatsApp is secure?

            Technically, and as far as I can tell from my limited knowledge, yes, WhatsApp is probably secure enough to keep the contents of your message confidential.

            The phone it runs on, on the other hand…

      2. mhoulden

        Re: Let's start

        Whatsapp is already used quite heavily by MPs. Degrading the encryption would make it much easier for their group chats to end up somewhere like Pastebin. But I'm sure they've got nothing to hide from public scrutiny.

        1. Anonymous Coward
          Anonymous Coward

          Re: Let's start

          > Degrading the encryption

          I share your general sentiment, but if you pay attention to the article what's being proposed is not to degrade the encryption.

          The idea is to bypass it.

  4. Anonymous Coward
    Anonymous Coward

    This won't end well

    Given how far the UK has collectively shoved it's head up it's arse, I would have thought Whatsapp would know what side their bread is buttered. Remember they are overseen by Nadine Dorries which is a testament to the importance the UK places on them.

  5. Anonymous Coward
    Anonymous Coward

    I suspect this may all be theatre.

    Since when have the No Such Agency and friends allowed something properly encrypted to get so big without having a sneaky little backdoor/vulnerability of their own built in? ($NSA_KEY, anyone?) Unless of course it's already in Android binaries and/or the silicon.

    We'd never be allowed Internet without all the Black Boxen and fibre taps to keep an eye out for unauthorised democracy.

    1. Anonymous Coward
      Anonymous Coward

      Re: I suspect this may all be theatre.

      I saw something recently (was it a Dave Plummer's Garage video?) that explained that "NSA Key" doesn't mean what people think it means

    2. Anonymous Coward
      Anonymous Coward

      Re: I suspect this may all be theatre.


      Google App Signing, lets Google add any software to any app, sign it as if from the original company and deliver it as an upgrade.

      The various claims for app signing, (e.g. delivering a 'targetted app for each device' nope the app developer still has to code different versions for different 'types' of device and there is no genuine reason to have different versions on two identical types of devices. 'Securing the key from being stolen' nope, key is now in two places, and one of them you no longer control), none of these claims made sense.

      So the backdoor mechanism is already implemented, already rolled out.

      The legal basis is what's missing here.

      That's what I think this is all about. Tory government out soon, they've been doing something illegal, and want a legal basis put in place ASAP. Ass covering.

      Which would then explain the involvement of the GCHQ spooks in the marketing.

      A spy agency turned against its own people. Demonizing its own people to justify illegal surveillance.

      1. Anonymous Coward
        Anonymous Coward

        Re: I suspect this may all be theatre.

        You mean politicized like the FBI?

  6. Pascal Monett Silver badge

    Of course Child Protection groups are all for this

    Think of the children, eh ? How can you disagree with that, you monster ?

    Yeah, well think of the journalists in a dictatorship. Think of my access to my bank account.

    Sexual abuse, in any form and at any age, is abhorrent and I absolutely disapprove.

    But if that means that some dictatorships will be able to find and kill journalists that are just doing their jobs, well I'm sorry, but the police need to up their game before I'll accept murder in exchange for child safety.

    Not to mention that I seem to recall having read that actual cases of CSAM represent 0.2% of all reported cases.

    The needs of the many is strong, point-to-point encryption. The needs of the few is better police work.

    1. Anonymous Coward
      Anonymous Coward

      Re: Of course Child Protection groups are all for this

      "actual cases of CSAM represent 0.2% of all reported cases"

      Genuinely curious: do you have a citation for that?

      1. Pascal Monett Silver badge

        Actually, I do.

        1. Anonymous Coward
          Anonymous Coward

          Ah, having dug a bit I think you meant to link to this article. This states that 0.2% of applications for surveillance warrants were related to CSAM. But this does also reinforce the point that the "think of the children" argument is a red herring.

          1. Pascal Monett Silver badge
            Thumb Up

            Indeed, you are right.

            I just linked to the article for which I posted a response, forgetting that it linked to that article.

            Thanks for the refresher.

    2. OhForF' Silver badge

      Re: Of course Child Protection groups are all for this

      >Some children's rights groups have been vehement that the need to protect children from exploitation should not be compromised by the argument for absolute privacy in communications.<

      When two basic rights conflict which each other there will always be the need to check the circumstances to figure out which should take precedence. Neither security ('terrorism') nor protecting children from exploitation nor privacy is a "super basic right" that will automatically take precedence over other basic rights.

      So far i haven't seen a convincing argument why it is necessary to completely abolish privacy in communication to protect children from abuse.

      Automatically scanning all messages without any evidence or sufficient reason to think it contains illegal material is in no way more acceptable than collecting (meta) data about our communication without sufficient reason. Human rights courts have already ruled on the later.

      Why do governments think they need to spy on the general public which they claim to represent?

      1. David Hicklin Bronze badge

        Re: Of course Child Protection groups are all for this

        "Automatically scanning all messages without any evidence or sufficient reason to think it contains illegal material"

        That would be the equivalent of opening and reading every letter sent through the post !

  7. Ali Dodd

    This is meta so a translation

    ""What's being proposed is that we – either directly or indirectly through software – read everyone's messages. I don't think people want that.""

    or more accurately:

    "We've tried it because we can make so much money out of your info if it worked, however our AI is shit and we don't have enough headcount to cope with the volume to do it without people noticing and complaining"

    Meta never cares about privacy, never has never really will - YOU are the product they are selling.

  8. Anonymous Coward
    Anonymous Coward

    Levy and Robinson -- Comedians Facing Both Ways At Once!!

    Quote: "We do not seek to suggest that anonymity on commodity services is inherently bad....."

    Really? It actually looks like the long-term STASI goals are actually:

    (1) Make private encryption (and the possession of encryption tools) completely illegal

    (2) Make service providers responsible for blocking any message that looks like encryption

    (3) Make service providers responsible for reporting anything that looks like encryption to "the authorities"

    In the mean time, a "not inherently bad" confection can be whipped up using chacha20, Diffie/Helman, gcc and know....private encryption before private messages enter any public channel.

    .....makes E2EE completely moot! well as being under OUR control.....and not available for inspection by anyone in Cheltenham!

    1. Anonymous Coward
      Anonymous Coward

      Re: Levy and Robinson -- Comedians Facing Both Ways At Once!!

      ...and there's always steganography!!!!

  9. Graham Cobb Silver badge

    Time for WhatsApp to put its money where its mouth is

    This is a good message from the boss of WhatsApp. However, he knows as well as we do that governments will eventually just impose these requirements on them, despite what he says, and that they will have no choice but to implement the demands.

    What we need is for Meta to put its money where its mouth is:

    1) Provide an open API which makes it easy for 3rd party apps to send messages using WhatsApp and to handle displaying received messages. Allow a good, integrated user experience to be provided by a 3rd party app with integration with WhatsApp contact lists, etc.

    2) Sponsor a standardised way for 3rd party apps to handle encryption - like GPG email - to allow interoperation so we can each choose our own app and publish keys like we do for email.

    This would take a tiny amount of effort from them, would enable them to dodge these sorts of requirements, and avoid people moving to smaller, niche messaging systems.

    P.S. While they are about it: providing an easy-to-use GPG email app on their platforms, integrated with WhatsApp and Facebook messaging as well as SMTP email, would be useful.

    1. Anonymous Coward
      Anonymous Coward

      Re: Time for WhatsApp to put its money where its mouth is


      Quote: "...and publish keys..."

      No need for that......someone somewhere will be using the published key(s) as an entry point for an attack.

      MUCH better....

      (1) Each party publishes a public Diffie/Helman token

      (2) Each message is encrypted by the sender using a random, throw-away private Diffie/Helman token (but see item #3)

      (3) The public token of the throw-away pair in item #2 is transmitted with the encrypted message

      (4) The recipient uses their private token (from item #1) and the public token from item #3 to decrypt the message in item #3

      In this scheme:

      (5) There are zero published and zero persistent encryption keys -- the keys are calculated as needed and then thrown away

      (6) The D/H tokens tell a snoop nothing at all about the actual encryption key, and nothing at all about the encryption protocol

      (7) Implementing this scheme within an application means that none of the users either know (or need to manage) the keys

      (8) Note that a user only needs to manage the D/H tokens in item #1....everything else is managed in the application

      (9) And note that the actual encryption keys are random and different for every message (even when a message is sent to multiple recipients)

      Note items #5 and #9. I'm sure that potential snoops like this a lot less than schemes with "published keys"!!!

      1. Allan George Dyer

        Re: Time for WhatsApp to put its money where its mouth is

        @AC - Have I missed something? With no published or persistent keys, there is no way of telling who sent you a message, or even if it was the same person as the previous message.

        1. Anonymous Coward
          Anonymous Coward

          Re: Time for WhatsApp to put its money where its mouth is


          Quote: "...With no published or persistent keys, there is no way of telling who sent you a message..."

          (1) So...the AC failed to mention that all this Diffie/Helman stuff is PERFECTLY possible using email as transport!

          (2)......and anyway, are you absolutely sure you know who sent the last ORDINARY email in your direction?

          1. Anonymous Coward
            Anonymous Coward

            Re: Time for WhatsApp to put its money where its mouth is

            > the AC failed to mention that all this Diffie/Helman stuff is PERFECTLY possible using email as transport!

            Or XMPP for that matter… which already supports end to end encryption. In two different flavours, depending on what your needs are.

            1. Anonymous Coward
              Anonymous Coward

              Re: Time for WhatsApp to put its money where its mouth is


              From "...the XMPP developer community is actively working on end-to-end encryption..."

              XMPP: That's fine....perfectly good and perfectly useful.

              The point is that XMPP E2EE is still under attack by people like Levy and Robinson:

              (1) Demanding client-side scanning, or....

              (2) Demanding a "backdoor" in the E2EE implementation

              But what the AC (who was talking about Diffie/Helman) was saying was something very different. Namely that a private group:

              (3) Use their own software

              (4) And encrypt their messaging before any message enters any public channel

              This approach makes both client-side scanning and "backdoors" completely moot.

    's quite possible that "their own software" might be flawed.....but it's a lot better than expecting privacy from the STASI!!!

          2. Allan George Dyer

            Re: Time for WhatsApp to put its money where its mouth is


            (1) using email as transport doesn't give me any assurance about the identity of the sender. If there is something additional (e.g. a GPG signature) giving that assurance, then that probably relies on published, persistent keys, which you claim are an attack entry point.

            (2) no, I'm not. I wouldn't use ordinary email alone for something that sensitive. Your point was?

      2. Graham Cobb Silver badge

        Re: Time for WhatsApp to put its money where its mouth is

        Unlike you, I don't consider myself an expert on cryptography (although I did meet Phil Zimmermann once - in 1979 I think).

        However, my point is to get Meta, with their effectively infinite amount of money, to pay some real experts to create real, open source, cryptography integrated with WA and to solve the key distribution problem as well, so it is both as open as, and effective as, encrypted email is today (hopefully better).

      3. Duncan Macdonald

        Re: Time for WhatsApp to put its money where its mouth is

        There is still a possible weak point in the generation of the temporary key in (2).

        A hacked version of the app that chooses its "random" temporary key from a group of 2^32 possibilities instead of the desired 2^128 or 2^256 possibilities would make the decryption of messages trivial for spy agencies while still appearing secure to the unsuspecting users.

        Icon for what should happen to the snoops =======>

        1. Anonymous Coward
          Anonymous Coward

          Re: Time for WhatsApp to put its money where its mouth is


          Thanks for the suggestion!! I've checked the source code of the D/H logic.

          All the D/H tokens are at least 8192 bits long, and the calculated secret key is about the same size.

          I'm not a professional programmer or much of a mathematician.....but I'm told that this sort of token size and key size should keep any snoops busy for a while!

          What's really surprising is that this size of number (even prime number) is well within the reach of pathetic hardware (e.g. Intel Pentium N5000 with four CPUs).

          More people need to be using D/H.......and the average low end laptop can do the business!

          1. Duncan Macdonald
            Black Helicopters

            Re: Time for WhatsApp to put its money where its mouth is

            D/H used correctly is secure - however the app is responsible for choosing the random temporary key used in a message - this key SHOULD be chosen from a large pool of possible keys (at least 2^128) - however a hacked version of the app that only chose its keys from a pool of 2^32 possibilities would still appear secure to the user but would be easy for some group like GCHQ or NSA to decrypt.

  10. FlamingDeath Silver badge

    My 2cents

    Perhaps if governments of all flavours fostered more trust in the world, we wouldn’t need encryption in the first place

    I’m not a religious type, but to know good and evil, comes personal responsibility.

    Remember, the WWW started at Cern, within a highly intelligent scientific community where trust and boundaries were, probably largely respected

  11. tiggity Silver badge

    Maybe they are in favour of it CSAM scanning as its suitable for "idle" law enforcement?

    In the UK, there have been plenty of child grooming / abuse scenarios on a massive scale e.g. Rotherham, Telford as just a couple hat have recently been in the news.

    A common theme of both those 2 was concerns being raised to the authorities, but ignored.

    Would digital CSAM scanning have stopped those abuses? Who knows, but they could have been stopped far earlier with normal policing but they were not.

    Hint to UK police, a sexually abused young girl is a victim & you should make some serious efforts to investigate her complaints, not just brand her a "child prostitute" to be ignored.

    But look at the low prosecution rates & low conviction rates for men accused of rape / sexual assault / murder (**** off with sudden mania of rough sex murder defences) against adult women. Abuse of females of whatever age seems a crime that you have a good chance of getting away with.

    The UK seems to do a lot of anti sex crime talk, but reality of the situation paints a different picture.

    Disclosure - not a woman, however some close female friends of mine have been badly failed by the UK criminal justice system in rape / sexual assault cases (including one who was, as a child, sexually abused by her father) so my views not as objective as I would like them to be on this topic knowing what they went through.

    1. Piro Silver badge

      This is what gets me.

      There are real, no doubt still happening this very second, known by the police events of actual child abuse, but far too little is being done.

      Can we sort out what we know is going on instead of trying to break encryption fundamentally?

  12. Anonymous Coward
    Anonymous Coward

    I have said this before

    ALL governments, regardless of Labour, Conservative or Liberal hate encryption.

    Don't waste your breath arguing with anyone who wants encryption for everyone but themselves. You will just get branded as a "bad person". A classic "shut down the argument" tactic.

    Just use whatever messaging service M.P.s use. In the U.K. they mostly switched last year from WhatsApp to Signal.

  13. Jamie Jones Silver badge

    "Some children's rights groups have been vehement that the need to protect children from exploitation should not be compromised by the argument for absolute privacy in communications. "

    Fine. So let's be complete, eh? :

    1) All postal mail will be scanned before being delivered.

    2) We need to also scan all emails, web connections (is that site REALLY a bank??), and block all other connection types.

    3) No meeting other people in private places without a government agent present.

    4) No meeting other people in public places if beyond earshot, and hence allowing private conversations.

    5) English. English. English. All communications - written and oral - must be in English.

    6) All bags, holdalls, rucksacks must be transparent.

    1. Anonymous Coward
      Anonymous Coward

      I think it deserves a trial before being rolled out at a national scale. Perhaps all the members of the anti abuse groups, along with every supportive MP and the police/security services? Naturally, since they're participants in the trial, it would be damaging to the analysis if they also examined the data. Instead, all records could be made available to all members of the public for scrutiny, in real time.

      15-20 years of data should be good for the initial trial period.

  14. Captain Hogwash

    Four Horsemen of the Infocalypse

    I'm not sure why drug dealers and organised crime are always separated in this list. Are drug dealers disorganised?

    1. tiggity Silver badge

      Re: Four Horsemen of the Infocalypse

      @Captain Hogwash

      They might be disorganised if they sample their products excessively

    2. lglethal Silver badge

      Re: Four Horsemen of the Infocalypse

      If the vast majority of drug dealers that i happened to be acquainted with in my younger and foolisher days, are anything like those today, then absolutely drug dealers, at least at the lower levels, are completely unrelated to organised crime. Eventually somewhere up the ladder, there will be some contact between the people dealing to the public and the actual organised crime gangs, but as a general rule those doing the dealing to the public are not members.

      Then again my info might be somewhat outdated...

    3. yetanotheraoc Silver badge

      Re: Four Horsemen of the Infocalypse

      "terrorists, drug dealers, CSAM, and organized crime, and whoever else comes along."

      They call it the Four Horsemen to disguise their intentions in re the fifth horseman.

      1. Fifth Horseman

        Re: Four Horsemen of the Infocalypse

        Why? What do they think I have done?

  15. johnB


    Why is it "EE2E"?

    Surely "End to End Encryption" should be "E2EE"?

  16. Jou (Mxyzptlk) Silver badge

    "are verboten"

    Ou, Jeff Burt lovez hisss German ssstereotypez!!

  17. Anonymous Coward
    Anonymous Coward

    That bloke, the head of online policy blah blah

    …could he be any more miserable?

    I have the inescapable feeling that this "charity"'s business is to exploit the suffering of others to further their own (or someone else's) agenda. That's assuming it's not simply a cover for some of the nutters in control of the UK's political landscape.

  18. Anonymous Coward
    Anonymous Coward

    The Register…

    …really needs to have a chat with Patrick Breyer, a German MEP who is campaigning relentlessly against the EU version of this.

    He puts forward some very cogent and well researched arguments.

  19. StrangerHereMyself Silver badge

    Hell you are

    Of course we don't want anyone reading our messages. What the Snoops are proposing is ludicrous and a pipe-dream. It will never happen. Companies like Meta will pull the plug on WhatsApp before they let this happen.

    I'm hoping they'll make an example out of some nation, such as Australia or the UK, so I can sit back with some popcorn and enjoy watching the fall-out.

  20. Herring`


    So when some shonky ML system decides that you're a kiddy-fiddler, you get to spend time in a police cell, maybe get your name leaked to the tabloids and have local vigilantes laying siege to your house.

    Loads of people knew about Jimmy Savile but the police did nothing. If they can sit on their arses until the ordinary person like you or I get fingered by the magic AI, we will not be treated the same.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like