How the Online Safety Bill jeopardises the foundation of security online
Undermining encryption means the Online Safety Bill in its current form is not fit for purpose.
On the heels of the UK's signature on a declaration to protect human rights, fundamental freedoms, and the free flow of information online, the UK Online Safety Bill does the opposite by undermining a critical part of the equation: encryption.
The UK’s Online Safety Bill was introduced into the House of Commons on the 17th of March. Despite its stated aim to make the UK the safest place online, it would create serious security and privacy vulnerabilities by introducing a new surveillance power that would disproportionately impact those that need it most - especially vulnerable groups, including children. Clause 103(2) is particularly worrisome because it gives OfCom the power to undermine the same human rights the UK recently committed to uphold in the Declaration for the Future of the Internet.
The bill is lengthy and clause 103(2) b has not received much attention. However, this is a dangerous measure that puts the lives and rights of so many at risk by undermining encryption - and it must be stopped.
Encryption is a critical technology that helps Internet users keep information and communications confidential between the sender and intended receiver. Forty-five technologists, security experts, and NGOs, including members of the Global Encryption Coalition, recently published an open letter highlighting how the Online Safety Bill threatens end-to-end encryption, the strongest form of this security tool. The letter notes that clause 103(2) b could result in notices that would “require that providers of such services introduce scanning capabilities into their platforms to scan all user content”. The global technology company Apple made a similar proposal for its messaging services last year and, following outcry from security experts, withdrew the plan. It was unworkable then and it remains unworkable now.
Millions of people worldwide rely on encryption for their personal security in times of crisis. For instance, the UK’s efforts to try to get people in conflict zones like Afghanistan and Ukraine to safety would be significantly hindered without the security assured by private messaging apps and communications. Moreover, the legislation poses a serious threat to the health of our national economy by creating high costs to comply with the legislation, and the associated costs of leaving all businesses at greater risk of cyber crime with backdoors to encrypted messages. This has already happened in Australia, as a result of the Telecommunications and other Legislation Amendment (Assistance & Access) Act (TOLA) law.
Such scanning cannot be accomplished on end-to-end encrypted services because no one, including the provider, has access to the content carried on that service except for the sender and the intended recipient(s). As a result, such a requirement would require service providers to compromise or abandon end-to-end encryption, and would set a dangerous precedent of introducing new surveillance technologies into the devices we use everyday. These technologies could be exploited by criminals and hostile governments, thereby undermining personal and national security. Beyond these concerns, such an approach could be replicated by other governments, including in countries with weak democratic institutions. It also marks a stark departure from the EU’s prohibition on member states to oblige general monitoring of communications. As a result, it risks misalignment with one of the UK’s largest trading partners.
Strong encryption protects private information and is integral to the ability to do business, work securely, and build and maintain relationships that are vital to everyday life. Fighting crime is critical, but there are ways to do it without putting our personal safety, human rights, and digital economy at risk of harm. In a world where we increasingly rely on digital technology, users need these everyday digital tools to be secure. Clause 103 (2) b of the Online Safety Bill would have a detrimental impact on the UK and Internet users around the world, and for that reason it should be dropped.
For more information about why the Online Safety Bill needs to change, please click here.
Get the inside track on what MPs and Peers are talking about. Sign up to The House's morning email for the latest insight and reaction from Parliamentarians, policy-makers and organisations.