Home Office letter to Meta on end-to-end encryption released following FOI request

The Home Office has disclosed, in response to my Freedom of Information request, a letter that it sent to the US technology company Meta in July 2023.

The letter opposed Meta's plans to roll out end-to-end encryption (E2EE) by default on Facebook, Messenger and Instagram Direct.

Suella Braverman, then the Home Secretary, told MPs that the plans were "a huge boon to anyone who wants to hurt a child":

The information that Meta and other tech companies give to UK law enforcement helps to protect around 1,200 children and leads to over 100 arrests of suspected child abusers every month. However, Meta plans to roll out end-to-end encryption soon, without safeguards, and it will no longer proactively detect and alert authorities to child grooming and abuse material on Facebook, Messenger and Instagram Direct. This will be a huge boon to anyone who wants to hurt a child. The Online Safety Bill will hold tech firms to account, but indifference to abuse is intolerable. I have written to Mark Zuckerberg – together with my right hon. Friend the Minister for Security, the right hon. Member for Tonbridge and Malling (Tom Tugendhat), children's charities and campaign groups – to outline our profound concerns.

Braverman's attack on Meta was a key piece of government theatre during the passage of the UK's Online Safety Act:

A government source said: "Meta's introduction of end-to-end encryption without the safeguards which are currently in place will provide an online haven for paedophiles, organised criminals and fraudsters. It's crucial for the safety of our children and citizens that they think again. The whole of government is clear about the terrible threat that this poses and the home secretary and security minister are pushing hard to drive this message home to Meta. There will be no let-up."

— Braverman fights Meta encryption plans 'that aid paedophiles' (The Times, 30 July 2023)

Also in July, 68 UK-affiliated researchers and scientists working in the fields of information security and cryptography signed an open letter to highlight "alarming misunderstandings and misconceptions around the Online Safety Bill and its interaction with the privacy and security technologies that our daily online interactions and communication rely on."

The Online Safety Act gives the regulator Ofcom powers to require internet service providers to use "accredited technology" to identify and take down Child Sexual Exploitation and Abuse (CSEA) and/or terrorism content – including content communicated privately via a service.

However, there is a virtual consensus among tech companies and technology experts that, with regard to services that communicate using end-to-end encryption, this technology does not exist – E2EE means the service provider cannot access the content of the communication.

This debate came to a head in September, during the final stages of the passage of the Bill. The Home Office released a public statement again urging Meta not to roll out end-to-end encryption on its platforms, alongside guidance on E2EE and child safety.

The Home Office statement referenced the Home Secretary's July letter to Meta:

This new development comes after the Home Secretary outlined her concerns to Meta in a letter co-signed by technology experts, law enforcement, survivors and leading child safety charities in July 2023.

In her letter, the Home Secretary emphasised the government is supportive of end-to-end encryption, but not without safety measures that would enable the detection of grooming and child sexual abuse material.

She also made specific requests for detailed evidence of how they would maintain vital child safety protections in messaging channels under end-to-end encryption.

The company was unable to provide this evidence, and as a result, the Home Secretary is concerned that robust child safety measures are not in place under the proposed plans.

I was surprised to see from this statement that the July letter had been co-signed by "technology experts". The Home Secretary's original statement to MPs mentioned only "children's charities and campaign groups". I was interested to know which technology experts had put their heads over the parapet to support the feasibility of the Home Secretary's demands.

Apparently nobody. As far as I can tell, from the unredacted letter released to me by the Home Office, none of the signatories has a technology background.

The Home Office took more than three months to respond to my FOI request. Had the Home Office responded within the statutory 20 working day period, the letter to Meta would have been disclosed while the Home Secretary responsible for it, Suella Braverman, was still in office.

In early December, Meta announced that it would go ahead with default encryption of all Facebook and Messenger chats. Plans for default encryption of Instagram direct messages are apparently also on track.

Update 1 February 2024: the ICO has published a decision notice finding that the Home Office failed to complete its deliberations on the balance of the public interest within a reasonable time and therefore breached section 17(3) of FOIA.