The Online Safety Bill risks making apps more vulnerable to attacks from bad actors
Announcing the ban of Chinese social media app TikTok from being used on British government devices recently, Oliver Dowden was clear: “The security of sensitive government information must come first, so today we are banning this app on government devices.”
What’s the issue with TikTok? Well there are a few. Its terms and conditions demand that the app is able to access data on a user’s device, which is then shared with the app’s parent company. Meanwhile, TikTok itself has admitted that it has used its own app to spy on reporters – tracking their physical movements in an attempt to track down whistleblowers.
The fundamental concern for the United Kingdom, United States and European governments is that data shared with TikTok’s owner Bytedance is not secure from the clutches of the Chinese government. And yet, while the UK government advises its employees to avoid using vulnerable apps, at the very same time we are debating legislation that could make widely-used messaging apps such as WhatsApp and Signal less secure.
The UK’s future as a global tech hub and as a safe place to communicate online depends on getting this [bill] right
The Online Safety Bill is laudable in intent, but raises a number of questions. There is a wide consensus on protecting children from pornography and ensuring that neither they nor vulnerable adults are exposed to illegal content. However, while most of us want our daily communications, now conducted almost entirely over the internet, to be secure, an unintended consequence of the bill may make apps more vulnerable to attack or interception by bad actors.
Section 110 of the bill legislates for platforms to use “accredited technology” to identify terrorism and child sexual abuse related content. The most likely way this will be achieved is via what is known as “client side scanning”. This means identifying potentially illegal content by matching it to an existing database – the scanning being done by software either on a user’s phone, tablet or laptop, or on a remote server.
As global campaign group the Internet Society has pointed out: “This fundamentally defeats the purpose of [end-to-end] encryption. Private and secure E2E encrypted communications between two parties, or among a group, are meant to stay private.”
They believe that, “adding client-side scanning functionality increases the ‘attack surface’ by creating additional ways to interfere with communications by manipulating the database of objectionable content [...] By leveraging a system’s blocking features, criminals could even choose to block users from sending specific content. This could be targeted to impact legitimate uses, potentially impeding the communications of law enforcement, emergency response and national security personnel.”
Where criminals can go, there is no doubt that rogue and criminal states such as Russia, Iran and North Korea – all states that already pursue aggressive cyberwarfare policies – will follow.
Leading firms including Meta and Signal have already voiced their fears of enforced client-side scanning, even going as far to say they may be forced to withdraw services from the UK rather than weaken their platforms. As well as a risk to security, this part of the bill presents a potential threat to the UK’s leadership in tech. Can we really afford to alienate global tech firms, or put our own tech start-ups at risk by compromising their security?
And even if some think this is just big business “crying wolf” surely we can’t dismiss the concerns of UK-based journalists and campaigners working with dissidents in countries with totalitarian regimes who fear for the safety of their contacts and wonder how they will be able to support them in the future.
With the bill set to return to Parliament this month, peers from across the political spectrum have tabled amendments to protect children and vulnerable adults, while safeguarding online privacy and free expression, and keeping our vibrant tech sector at the forefront of global innovation.
While the Online Safety Bill has had a somewhat tortuous progress through Parliament thus far, it is not yet a workable bill. It requires further close scrutiny and a debate about trade-offs and unintended consequences.
With so much of our lives conducted online, it may be no exaggeration to say that the UK’s future as a global tech hub and as a safe place to communicate online depends on getting this right.
Lord Kamall, Conservative peer
Get the inside track on what MPs and Peers are talking about. Sign up to The House's morning email for the latest insight and reaction from Parliamentarians, policy-makers and organisations.