This week’s deliberate leak of 100,000 WhatsApp messages sent between the retiring MP Matt Hancock (Con-West Suffolk) and his cabinet colleagues and scientific advisers offers several lessons for the future. Hancock was the health minister during the first year of the covid-19 pandemic, but forced to resign in June 2021, when he was caught on a security camera snogging an adviser in contravention of the social distancing rules.
The most ignored lesson relates to cybersecurity, and is simple: electronic messages are always at risk of copying and disclosure.
This leak happened to coincide with the revival of debates around the future of strong encryption in the UK. First, the pending Online Safety bill has provisions that taken together would undermine all encrypted communications. Simultaneously, a consultation on serious and organized crime proposes to criminalize “custom” encryption devices. A “dictionary attack”, Tim Cushing calls this idea at Techdirt, in that the government will get to define the crime at will.
The Online Safety Bill is the more imminent problem; it has already passed the House of Commons and is at the committee stage in the House of Lords. The bill requires service providers to protect children by proactively removing harmful content, whether public or private, and threatens criminal liability for executives of companies that fail to comply.
Signal, which is basically the same as WhatsApp without the Facebook ownership, has already said it will leave the country if the Online Safety bill passes with the provisions undermining encryption intact.
It’s hard to see what else Signal could do. It’s not a company that has to weigh its principles against the loss of revenue. Instead, as a California non-profit, its biggest asset is the trust of its user base, and staying in a country that has outlawed private communications would kill that off at speed. In threatening to leave it has company: the British secure communications company Element, which said the provisions would taint any secure communications product coming out of the UK – presumably even for its UK customers, such as the Ministry of Defence.
What the Hancock leak reminds us, however, is that encryption, even when appropriately strong and applied end-to-end, is not enough by itself to protect security. You must also be able to trust everyone in the chain to store the messages safely and respect their confidentiality. The biggest threat is careless or malicious insiders, who can undermine security in all sorts of ways. Signal (as an example) provides the ability to encrypt the message database, to disappear messages on an automated schedule, password protection, and so on. If you’re an activist in a hostile area, you may be diligent about turning all these on. But you have no way of knowing if your correspondents are just as careful.
In the case at hand, Hancock gave the messages to the ghost writer for his December 2022 book Pandemic Diaries, Isabel Oakeshott, after requiring her to sign a non-disclosure agreement that he must have thought would protect him, if not his colleagues, from unwanted disclosures. Oakeshott, who claims she acted in the public interest, decided to give the messages to the Daily Telegraph, which is now mining them for stories.
Digression: whatever Oakeshott’s personal motives, there is certainly public interest in these messages. The tone of many quoted exchanges confirms the public perception of the elitism and fecklessness of many of those in government. More interesting is the close-up look at decision making in conditions of uncertainty, which to some filled with hindsight looks like ignorance and impatience. It’s astonishing how quickly people have forgotten how much we didn’t know. As mathematician Christina Pagel told the BBC’s Newsnight, you can’t wait for more evidence when the infection rate is doubling every four days.
What they didn’t know and when they didn’t know it will be an important part of piecing together what actually happened. The mathematician Kit Yates has dissected another exchange, in which Boris Johnson queries his scientific advisers about fatality rates. Yates argues that in assessing this exchange timing ise everything. Had it been in early 2020, it would be understandable to confuse infection fatality rates and case fatality rates, though less so to confuse fractions (0.04) and percentages (4%). Yates pillories Johnson because in fact that exchange took place in August 2020, by which time greater knowledge should have conferred greater clarity. That said, security people might find familiar Johnson’s behavior in this exchange, where he appears to see the Financial Times as a greater authority than the scientists. Isn’t that just like every company CEO?
Exchanges like that are no doubt why the participants wanted the messages kept private. In a crisis, you need to be able to ask stupid questions. It would be better to have a prime minister who can do math and who sweats the details, but if that’s not what we’ve got I’d rather he at least asked for clarification.
Still, as we head into yet another round of the crypto wars, the bottom line is this: neither technology nor law prevented these messages from leaking out some 30 years early. We need the technology. We need the law on our side. But even then, your confidences are only ever as private as your correspondent(s) and their trust network(s) will allow.
Illustrations: The soon-to-be-former-MP Matt Hancock, on I’m a Celebrity.