Why is the UK Online Safety Bill dangerous?

Besides being a threat to freedom of speech, the UK Online Safety Bill has other dangers.

According to critics, it will allow UK authorities to compel service providers to break users’ encryption. 68 cybersecurity academics published an open letter in July outlining their concerns about the OSB. In it, they argue that the bill jeopardizes online users’ safety and privacy. The industry has also been vocal in its opposition to the OSB. According to Apple, encryption “helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches,” and the OSB is a serious threat to this safeguard. Several secure messaging providers, including WhatsApp, Element, Session, and Signal, signed another open letter in April urging the UK government to reconsider the bill.

On a high level, the Online Safety Bill imposes duties of care on providers of “user-to-user” internet services, which allow users to upload or share content that other users can see. This includes actions like uploading photos to Instagram or sending messages via WhatsApp.

This distinguishes social media and online messaging services from internet services such as online banking, where the content uploaded by the end user is only visible to the provider. These responsibilities are intended to keep users from communicating illegal content, such as child sexual abuse material.

Because the OSB addresses messaging applications, cybersecurity experts are concerned that the bill could undermine so-called end-to-end encryption. End-to-end encryption ensures that only the sender of a message and their intended recipients can read the message’s content in messaging apps like WhatsApp and Signal. Even the service provider is unable to read the message.

This has been a source of contention for governments and intelligence agencies around the world, as it means they will no longer be able to persuade tech companies to allow them access to a user’s messages.

End-to-end encryption supporters, such as the digital rights activist group Electronic Frontier Foundation, argue that communication privacy is a fundamental right that protects vulnerable groups, such as dissidents in authoritarian regimes. They argue that encryption contributes to this privacy. However, some critics, such as intelligence and law enforcement agencies, argue that widespread use of this type of encryption makes it difficult to detect criminal activity such as terrorism or child sexual exploitation.

The Online Safety Bill is not the first piece of legislation to be criticized for its potential to undermine the security and privacy of end-to-end encryption. The Australian government passed the TOLA Act in 2018, which included provisions requiring tech companies to cooperate with authorities. Politicians argued that it was necessary for dealing with terrorism. However, there was a strong backlash from critics who claimed it could jeopardize encryption. A recent European Commission proposal suggests similar requirements for user-generated content service providers in EU countries, prompting its own open letter from security and privacy researchers concerned about the potential harm to secure digital societies.

So, how can the Online Safety Bill undermine encryption? The president of messaging app Signal, Meredith Whittaker, says the bill contains no protections against breaking encryption. The bill requires the UK communications regulator, Ofcom, to issue “codes of practice” to providers of user-to-user services. These codes provide a basis for Ofcom to obtain information from these providers and fine them for non-compliance, and they require that all providers of user-to-user services “must take or use proportional measures [to prevent] individuals from encountering illegal content by means of the service.” Even so, the bill’s language still allows Ofcom to issue “notices” that could be used to compel messaging applications to undermine encryption. These notices would require the provider of the service to “use accredited technology to identify illegal content communicated publicly or privately by means of the service, and to swiftly take down that content”.

Conservative MP Damian Collins, who – as minister for tech and the digital economy from July to October 2022 – helped develop the OSB, said in a recent debate that companies should “use their best endeavours to detect, proactively detect, content related to child sexual exploitation”. But he also added: “We are not going to ask companies to break encryption.” However, the open letter from the 68 academics points out the fundamental flaw in this argument: “There is no technological solution to the contradiction inherent in both keeping information confidential from third parties and sharing that same information with third parties.”

Since end-to-end encryption fundamentally prevents the service provider from reading user-sent content, identifying that content necessitates breaking encryption.

Despite Damian Collins’ and the Home Office’s denials, the language of the OSB appears to give credence to cybersecurity experts’ concerns. To achieve its goals, the OSB provides mechanisms for the government to compel messaging applications to undermine their own security measures. It would be simple to remove these provisions. By removing the phrase “or privately” from the bill, the OSB would remain mostly intact while addressing the concerns of providers who use end-to-end encryption. It is painfully ironic, then, that the current wording of the UK’s Online Safety Bill could make UK users of end-to-end encryption less safe online, despite the fact that both Signal and WhatsApp have indicated that they would leave the UK rather than undermine encryption.
