Documents show governments seeking to hack services like WhatsApp and Signal
For the last two years European governments have been conducting a behind-closed-doors discussion about hacking WhatsApp. A trove of heavily redacted documents gives a rare insight into a debate with profound implications for the privacy of tens of millions of people.
The previously unreported documents highlight the risks inherent in authorities accessing services that a majority of Europeans use for their most intimate communications.
Politicians around the world have promised technical solutions which can allow police access to messages to fight terrorism and limit the distribution of images related to child abuse, without compromising the security of encrypted services like WhatsApp and Signal. But the unredacted sections of these formerly confidential documents suggest that no such solution exists.
While privacy advocates and industry figures have argued that politicians are setting an impossible task, the documents offer a rare glimpse of government ministries admitting to the same difficulty — and concluding that more phone hacking via undisclosed software exploits is the likely result.
We analysed nearly 700 pages of emails, memoranda and meeting minutes released under Freedom of Information laws by the Dutch Ministry of Justice. The trove of documents also references discussions with a number of European governments, as well as cooperation with the European Commission.
We constructed a timeline, identified key conversations and interlocutors within the documents, and interviewed experts on lawful intercept and on legal intercept and hacking regimes. We then shared our findings with partner organisations for further reporting: NRC in the Netherlands, IRPI in Italy and Reporters United in Greece.
In the Netherlands, justice ministry officials argued for a law giving companies like WhatsApp the same legal obligations as phone services. “That big stick is necessary to make progress,” they insisted. But as our Dutch partners NRC reported, they became embroiled in a bitter dispute with colleagues in the Ministry of Economic Affairs, who feared companies would just leave the country rather than be forced to comply.
Cracks also emerged within the government as civil servants fretted that today’s European police innovations would be tomorrow’s dictator’s playthings. Any weakening of the encryption technology used by WhatsApp and its counterparts, they feared, would not remain in the hands of a few well-chosen EU countries, and companies which built interception systems for EU governments would also want to market them elsewhere.
“Human rights defenders, journalists and dissidents may become extra vulnerable,” an official in the justice ministry warned a colleague in foreign affairs.
Officials also worried about increasing risks of espionage by hostile states and activity by malicious third parties. In a background document on intercepting digital communication, dated June 2021, the Netherlands’ Cyber Security Council raises fundamental questions: “Which countries are allowed to use this tapping infrastructure for which offences? Can hacks be used in cases such as murder and manslaughter and child pornography, but not in more politically sensitive allegations of terrorism or subversive activities? Who manages that?”