Internet News

Encrypted chat apps like Signal and WhatsApp are one of the best ways to keep your digital conversations as private as possible. But if you're not careful with how those conversations are backed up, you can accidentally undermine your privacy.

When a conversation is properly encrypted end-to-end, it means that the contents of those messages are only viewable by the sender and the recipient. The organization that runs the messaging platform--such as Meta or Signal--does not have access to the contents of the messages. But it does have access to some metadata , like the who, where, and when of a message. Companies have different retention policies around whether they hold onto that information after the message is sent.

What happens after the messages are sent and received is entirely up to the sender and receiver. If youre having a conversation with someone, you may choose to screenshot that conversation and save that screenshot to your computers desktop or phones camera roll. You might choose to back up your chat history, either to your personal computer or maybe even to cloud storage (services like Google Drive or iCloud, or to servers run by the application developer).

Those backups do not necessarily have the same type of encryption protections as the chats themselves, and may make those conversations--which were sent with strong, privacy-protecting end-to-end encryption--available to read by whoever runs the cloud storage platform youre backing up to, which also means they could hand them at the request of law enforcement.

With that in mind, lets take a look at how several of the most popular chat apps handle backups, and what options you may have to strengthen the security of those backups.

How Signal Handles Backups

The official Signal app doesnt offer any way to back up your messages to a cloud server (some alternate versions of the app may provide this, but we recommend you avoid those, as there dont exist any alternatives with the same level of security as the official app). Even if you use a device backup, like Apples iCloud backup, the contents of Signal messages are not included in those .

Instead, Signal supports a manual backup and restore option. Basically, messages are not backed up to any cloud storage, and Signal cannot access them, so the only way to transfer messages from one device to another is manually through a process that Signal details here . If you lose your phone or it breaks, you will likely not be able to transfer your messages.

How WhatsApp Handles Backups

WhatsApp can optionally back up the contents of chats to either a Google Account on Android, or iCloud on iPhone, and you have a choice to back up with or without end-to-end encryption. Here are directions for enabling end-to-end encryption in those backups. When you do so, youll need to create a password or save a 64-digit key.

How Apples iMessages Handles Backups

Communication between people with Apple devices using Apples iMessage (blue bubbles in the Messages app), are end-to-end encrypted, but the backups of those conversations are not end-to-end encrypted by default. This is a loophole we've routinely demanded Apple close.

The good news is that with the release of the Advanced Data Protection feature , you can optionally turn on end-to-end encryption for almost everything stored in iCloud, including those backups (unless youre in the U.K., where Apple is currently arguing with the government over demands to access data in the cloud, and has pulled the feature for U.K. users).

How Google Messages Handles Backups

Similar to Apple iMessages, Google Messages conversations are end-to-end encrypted only with other Google Messages users (youll know its enabled when theres a small lock icon next to the send button in a chat).

You can optionally back up Google Messages to a Google Account, and as long as you have a passcode or lock screen password, the backup of the text of those conversations is end-to-end encrypted. A feature to turn on end-to-end encrypted backups directly in the Google Messages app, similar to how WhatsApp handles it, was spotted in beta last year but hasnt been officially announced or released.

Everyone in the Group Chat Needs to Get Encrypted

Note that even if you take the extra step to turn on end-to-end encryption, everyone else you converse with would have to do the same to protect their own backups. If you have particularly sensitive conversations on apps like WhatsApp or Apple Messages, where those encrypted backups are an option but not the default, you may want to ask those participants to either not back up their chats at all, or turn on end-to-end encrypted backups. Ask Yourself: Do I Need Backups Of These Conversations?

Of course, theres a reason people want to back up their conversations. Maybe you want to keep a record of the first time you messaged your partner, or want to be able to look back on chats with friends and family. There should not be a privacy trade-off for those who want to save those conversations, but unfortunately you do need to weigh whether or not its worth saving your chats with the potential of them being exposed in your security plan .

But also its worth considering that we dont typically need every conversation we have stored forever. Many chat apps, including WhatsApp and Signal , offer some form of disappearing messages, which is a way to delete messages after a certain amount of time. This gets a little tricky with backups in WhatsApp. If you create a backup before a message disappears, itll be included in the backup, but deleted when you restore later. Those messages will remain there until you back up again, which may be the next day, or may not be many days, if you dont connect to Wi-Fi.

You can change these disappearing messaging settings on a per-conversation basis. That means you can choose to set the meme-friendly group chat with your friends to delete after a week, but retain the messages with your kids forever. Google Messages and Apple Messages dont offer any such feature--but they should, because its a simple way to protect our conversations that gives more control over to the people using the app.

End-to-end encrypted chat apps are a wonderful tool for communicating safely and privately, but backups are always going to be a contentious part of how they work. Signals approach of not offering cloud storage for backups at all is useful for those who need that level of privacy, but is not going to work for everyones needs. Better defaults and end-to-end encrypted backups as the only option when cloud storage is offered would be a step forward, and a much easier solution than going through and asking every one of your contacts how or if they back up their chats.

A little over a year ago Rishi Sunak's government commissioned a review to consider the censorship of online pornography in the UK. The review goes way beyond simply requiring age verification to keep out the under 18s as implemented via the Online 'Safety' Act. It considers all aspects of the censorship of online porn available in the UK.

The review is authored by Gabby Bertin, a conservative peer, promoted by David Cameron. Her relevant background is from campaigning in the sphere of domestic abuse.

Inevitably the majority of 'evidence' invited for the review was from anti-porn campaigners and those that would advantage from the set up of an internet censorship process for adult websites. Much of the language of the report directly uses feminist tropes such as twisting the word 'violent' to mean non violent content that offends feminist axioms.

The author of course introduces her report: "I'm not a prude ...BUT... She writes:

I want to be clear that I do not approach this subject from a prudish or disapproving position. I am a liberal Conservative and a proponent of free speech. I believe that people should be able to do whatever they want if it doesn't harm anyone -- and that includes safely consuming adult content that has been made by consenting adults. ...BUT... we need to strike the right balance between protecting those principles and protecting society, particularly the most vulnerable, from potential risks. And the time has now come to take a stand on this and call out what is really happening and the damage it is doing.

Of course she then goes on to outline a few Trojan horses that would inevitably lead to the banning of blocking of most adult websites available in the UK.

Here is a summary of the chapters of the report most relevant to censorship.

Recommendation 1: 'legal but harmful' content to be banned from publication

Bertin has gotten a bit tied up in contradictory language for this section. Some material is cut by the BBFC because it is illegal in the UK, eg as defined as Extreme Pornography (eg bestiality and real injury). Other material is cut by the BBFC under it's own BBFC guidelines. Initially Bertin defines such content as 'legal but harmful' and then goes to call for the publication of such material to be made illegal to publish.

The BBFC details 'legal but harmful' content as follows:

• material (including dialogue) likely to encourage an interest in sexually abusive activity, which may include adults role-playing as non-adults

• the portrayal of sexual activity which involves real or apparent lack of consent and any form of physical restraint which prevents participants from indicating a withdrawal of consent

• the infliction of pain or acts which are likely to cause serious physical harm, whether real or (in a sexual context) simulated. Some allowance may be made for non-abusive, consensual activity

• penetration by any object likely to cause physical harm

• sexual threats, humiliation, or abuse which do not form part of a clearly consenting role-playing game

And Bertin adds her own additions to the list:

• content that shows racism or could encourage racist attitudes

• content where a performer or creator has withdrawn their consent to being in a film

• stolen content that has been shared without the performer’s knowledge or consent

Bertin goes on to suggest two options for implementing the above censorship:

1. Let Ofcom define a 'Safe Pornography Code of Practice' that defines content to banned and also the process to be implemented to censor such content.
2. Implement the ban via the government creating a criminal publication offence to ban such material with detailed censorship rules written by the Crown Prosecution Service.

Bertin also suggests two extra censorship ideas under this section:

• keyword matching on website searches would mean that terms including girl, young, rape, drunk etc. would result in a warning message.
• paid-for porn services would require daily, weekly, or monthly spend limits on content, much like gambling services.

Recommendation 2 & 25: Content to be made illegal to possess, distribute, and publish (by adding to the definition of already banned extreme porn)

1. So-called choking content, where there is external pressure on the neck, is rife on platforms that host pornography and is a very popular category of content. People acting it out in their sex lives may face devastating consequences. Evidence shows that even a small amount of pressure to the neck can harm the brain, and there is no safe way to strangle a person.

2. Pornographic content that depicts incest should be made illegal. While it is currently a criminal offence to have penetrative sexual activity with a family member (both blood-related and adopted), it is not illegal to act out depictions of incest in pornography. It should be noted that that this would not include pornography that depicts sex between step-relations -- this is not illegal activity in the real world, however this content is rife on mainstream platforms.

Recommendation 3: The non-consensual taking and making of intimate images - whether real or deepfake - should be made an offence.

Whilst it is uncontroversial to ban real non-consensual images it seems a little unjust to bundle this up with deep fakes. It should be noted that there are large amounts of celebrity material that is already commonplace on adult websites and AI tools are already available offline that can be used to create ones own porn without any keyword restrictions as may be imposed by the gatekeepers of online services such as Gemini and ChatGPT

Recommendation 9 & 10. A separate body should conduct content audits

This body will ensure platforms hosting pornographic content are tackling illegal and prohibited content effectively.

To this end, government could appoint a body, such as the BBFC, who have experience in moderating content, to audit content from platforms hosting pornography to ensure they are tackling prohibited and illegal content. This body could expedite reports to Ofcom where there is evidence of lack of compliance (Ofcom could then deploy enforcement measures if there was non-compliance. Government would need to look to additional funding for training and/or additional resource for this body.

Companies that pass the audit could receive an accreditation of good practice. This would signal to the public, government, and ancillary services that this company is well-regulated, acting as an incentive to platforms themselves to raise their own standards.

This would also serve a public awareness angle. I have found that there is currently little public awareness about what good pornographic content looks like, or what a good platform is. This accreditation would be a way for the public to clearly know if the service they are viewing pornography on meets the accreditation or not, allowing for more informed choices.

Of course the accreditation could also serve to warn discerning porn users that the website only serves highly censored porn and may be best avoided.

Recommendation 11. Restricted porn content that is made harder to find, so that it is only available to users if they intentionally seek it out.

• Incest pornography between step-relations

• Teen 18+ category pornography

This type of content should not be served up on a homepage to a first-time user. Industry should collaborate on a watch-list of types of content in this space, restricting and down-ranking this content so that it is not available on homepages to first-time users. Government could decide to regulate this content or conduct further research on harms if there is later proof of harm or inaction in this space.

Recommendation 12. Increased, effective, and quick business disruption measures across the ecosystem of pornography.

Including ancillary services that support the platforms -- should be in place to ensure swift removal of illegal and legal but harmful pornographic content. A clear and enforceable sanctions framework, under the Online Safety Act, should also be established.

Recommendation 14. The Advertising Standards Authority (ASA) should review its approach to advertising on online pornography sites.

As detailed in Chapter 1, there is limited regulatory oversight of advertisements appearing on pornography sites. I recommend that the ASA critically reviews its approach to regulating the content of advertising on online pornography sites in the UK. This could lead to further oversight to ensure platforms are fully abiding by the code and not featuring advertisements that promote any content that would be captured under the prohibited list in Recommendation 1.

Should a platform not abide by the code, or push harmful content to viewers, strict enforcement measures should be more consistently applied.

Recommendation 21. Performer consent and age verification

Companies that host pornographic content should have consistent safety protocols, processes and safeguards in place to ensure that all performers/creators are consenting adults, are of age (18+), and have not been exploited or coerced into creating content.

Recommendation 22. Performers to be able to get their videos taken down regardless of contractual obligations

There should be clear and standardised processes across the sector to enable performers and creators to withdraw consent and to have content they appear in removed from sites. Even if a performer or creator has provided consent for the initial recording and sharing of pornographic content, they should have every right to withdraw consent at a later point (whatever the reason may be) and have that content removed.

Withdrawing consent, and therefore the content in which one appears, is not a decision that performers take lightly. There are costs associated with the creation of content, and its removal may mean that content no longer generates income, which could result in cutting off a segment of income to a performer, their co-star(s), producer or director. In some cases, if a user has purchased the content and may retain it offline, or subscribed to receive the performer’s work, this makes it more difficult for a performer’s content to be deleted completely. I acknowledge that there are obstacles to overcome due to contract law and cost recovery of film production. Nonetheless, I believe consent must supersede any other consideration. If a performer or ex-performer wants a video removed, I believe their request should be granted.

Recommendation 23. Stolen content

Platforms that host pornographic content should have robust protocols and processes to prevent and respond to stolen content. This should include easy reporting and removal of content stolen from performers.

Recommendation 29. Nudification or nudify apps should be banned.

The government should strongly consider banning apps that have been developed for users to nudify themselves or others. Alternatively, government could explore banning these apps at a device level so that users in the UK are unable to download them on their smartphone, laptops, and other devices.

I don't suppose that there are many porn websites that would survive an audit against the above rules. But of courser Bertin never thinks to ask about the practical consequences of such an industry wide ban as suggested above.

I guess that there is enough porn already in circulation that could as a last resort be passed around on memory stick to keep everyone satisfied for the next 100 years. If not, then I am sure there will be a few websites around the world that will keep going. And if all else fails then perhaps the county lines can branch out into selling contraband porn.

I think porn is now simply too commonplace and too widely accepted by society to effectively ban.

Apple has stopped offering its end-to-end encrypted iCloud storage, Advanced Data Protection (ADP), to new users in the UK, and will require existing users to disable the feature at some point in the future. The move comes following reports earlier this month that UK security services requested Apple grant them backdoor access to worldwide users' encrypted backups. An Apple spokesperson Julien Trosdorf said in a statement to The Verge:

Apple can no longer offer Advanced Data Protection (ADP) in the United Kingdom to new users and current UK users will eventually need to disable this security feature. We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy.

ADP works by protecting iCloud data with end-to-end encryption, meaning it can only be decrypted by the person who owns the iCloud account on their own devices. Removing ADP means that British users' files will be accessible to Apple, and shareable with law enforcement, though that would still require a warrant.

Some types of iCloud data are end-to-end encrypted by default, and will remain so even in the UK. This includes passwords, health data, payment information, and iMessage logs. iCloud file backups, photos, notes, and voice memos are among the data types that will no longer be encrypted.

Trosdorf tells The Verge that UK users will be given an amount of time to disable ADP to keep using their iCloud account, though the company has not said when the deadline will be.

Earlier this month The Washington Post reported that the UK Home Office, led by Home Secretary Yvette Cooper, had demanded backdoor access to encrypted files uploaded not only by Brits, but by users worldwide. The company was reportedly served a document called a technical capability notice under the UK's Investigatory Powers Act of 2016. It was reported then that Apple was likely to disable its UK encryption instead of granting security services a backdoor, but that this might not placate the Labour government, which would still not be able to access encrypted files uploaded elsewhere in the world.

Apple is not the only tech company to offer end-to-end encrypted backups. Google has offered encrypted backups to Android users since 2018, and Meta also offers the option to encrypt WhatsApp backups. Both are currently still available in the UK. So does this mean that Google ansd Meta have opted to break the end to end encryption?

The Government's controversial 'disinformation' team is developing a secretive AI programme to trawl through social media looking for concerning posts it deems problematic.

Records show the Department for Science, Innovation and Technology (DSIT) recently awarded a £2.3 million contract to Faculty AI to build monitoring software which can search for foreign interference, detect deepfakes and analyse social media narratives.

DSIT claimed the new AI tool, called the Counter 'Disinformation' Data Platform (CDDP), is for the moment looking solely for posts which pose a threat to national security and public safety risk.

Heavily redacted documents obtained by Big Brother Watch through Freedom of Information requests show that the Government is reserving the right to also use the platform for other issues. An executive summary for the project states: While the CDDP has a current national security focus the tool has the ability to be pivoted to focus on any priority area.