WhatsApp: All the ways Amber Rudd can already get into a terror suspect’s phone

Does she really need new powers?


While Amber Rudd is suddenly concerned that a WhatsApp message might theoretically be unavailable for her to read, let’s first remember all the ways in which she can already get information about the likes of Khalid Masood, who carried out the Westminster attacks last week.

She has all the metadata

The UK tries to collect everyone’s metadata, so that they know who people are communicating with and when. Sometimes, as with WhatsApp, the metadata will exist at the company, and she can compel them to hand it over.

Usually the metadata is more important than the message. If Masood was talking to Daesh on WhatsApp, he wasn’t discussing pizza toppings.

The UK stores everyone’s phone records, IP addresses and email records for a year. The government has the power to add web visits as well, and may already be doing so.

She can hack his phone

GCHQ have powers to hack devices, and are well known to be highly skilled in breaking into mobile devices. They can also use their cable taps to interrupt web traffic and inject attacks.

For instance, friend requests on Facebook and LinkedIn were replaced with links that helped GCHQ gain permanent access to targets’ computers.

Once a phone or computer is hacked, WhatsApp messages can be read, just as you can read them by looking at the screen’s display data.

She has all the government’s records to check

Employment, tax and other databases are handed over to GCHQ in case they are helpful. GCHQ then data mine these to find information about possible targets.

She can intercept his communications

Not everything that people send or say is encrypted. When you use an ordinary phone, that is easy to listen to. Most data is still unencrypted. Even when content is encrypted, the metadata is usually more important.

She can tell companies to remove or limit encryption

Wait … she wants the power to ask WhatsApp to remove encryption? She does in fact claim the legal power to do this already, under a Kafka-esque sounding Technical Capability Notice.

These can tell companies to re-engineer their products so that messages can, er, be read by Amber Rudd’s underlings.

This is as scary as it sounds, and it is unclear that these have sufficient safeguards to ensure that security is not made weaker, or companies aren’t compelled to do things that would endanger their reputations, or involve lying to the public.

Changes to secure technologies along these lines are almost inevitably going to make products easier for criminals to hack.

The price of national security is therefore business and personal security.

The process to decide to weaken security products is entirely secret. And once served a TCN, companies must discuss changes to their products with the security services before implementing them.

In fact, we believe that if Amber Rudd was genuinely serious about WhatsApp, she wouldn’t be telling us about it, she would be acting in secret in order that she wouldn’t be tipping off the people she claims she needs to surveil that little extra bit.

But let’s not distract ourselves too much by Rudd’s confusion about the powers she already has.

Let’s remember that she has already weakened our security by obtaining these powers last Autumn. She’s already made it non-credible to be a UK security company offering secure communications to businesses and people across the globe.

Jim Killock is Executive Director of Open Rights Group. Follow him on Twitter @jimkillock

See: Theresa May’s Snoopers’ Charter is a ‘death sentence’ for investigative journalism

Like this article? Sign up to Left Foot Forward's weekday email for the latest progressive news and comment - and support campaigning journalism by making a donation today.