How the Online Safety Bill jeopardises the foundation of security online
Undermining encryption means the Online Safety Bill in its current form is not fit for purpose
On the heels of the UK’s signature on a declaration to protect human rights, fundamental freedoms, and the free flow of information online, the UK Online Safety Bill does the opposite by undermining a critical part of the equation: encryption.
The UK’s Online Safety Bill was introduced into the House of Commons on the 17th of March. Despite its stated aim to make the UK the safest place online, it would create serious security and privacy vulnerabilities by introducing a new surveillance power that would disproportionately impact those that need it most - especially vulnerable groups and children.
Forty-five technologists, security experts, and NGOs, including members of the Global Encryption Coalition, recently published an open letter highlighting how the Online Safety Bill threatens end-to-end encryption, the stronger form of this security tool. The letter notes that clause 103(2) b could result in notices that would “require that providers of such services introduce scanning capabilities into their platforms to scan all user content”. The global technology company Apple made a similar proposal for its messaging services last year and, following outcry from security experts, withdrew the plan. It was unworkable then and it remains unworkable now. The bill is lengthy and this particular measure has not received much attention. However, this is a dangerous measure that puts the lives and rights of so many at risk by undermining encryption and it must be stopped.
Millions of people worldwide rely on encryption for their personal security in times of crisis. For instance, the UK’s efforts to try to get people in conflict zones like Afghanistan and Ukraine to safety would be significantly hindered without the security assured by private messaging apps and communications. Moreover, the legislation poses a serious threat to the health of our national economy by creating high compliance costs, and the associated costs of leaving your business at greater risk of cybercrime with backdoors to encrypted messages. This has already happened in Australia, as a result of the Telecommunications and other Legislation Amendment (Assistance & Access) Act (TOLA) law.
This scanning cannot be accomplished on end-to-end encrypted services because nobody, including the provider, has access to the content carried on that service except for the sender and the intended recipient(s). Such a requirement would require service providers to compromise or abandon end-to-end encryption, and would set a dangerous precedent of introducing surveillance technologies into the devices we use every day. It could be replicated elsewhere, including in countries with weak democratic institutions, and marks a stark departure from the EU’s prohibition on member states to oblige general monitoring of communications. As a result, it also risks misalignment with one of the UK’s largest trading partners.
Strong encryption protects private information and is integral to the ability to do business, work securely, and build and maintain relationships that are vital to everyday life. Fighting crime is critical, but there are ways to do it without putting our personal safety, human rights, and digital economy at risk of harm. In a world where we increasingly rely on digital technology, users need these everyday digital tools to be secure. Clause 103 (2) b of the Online Safety Bill would have a detrimental impact on the UK and internet users around the world, and for that reason it should be dropped.