Online dangers of UK government assault on encryption

The government’s technical ineptitude bodes badly in the data age. Here’s what the Online Safety Act could mean

The UK’s Online Safety Bill is now law, bringing with it the prospect of tech firms being forced to scan people’s messages – ostensibly for child abuse content. That means breaking so-called ‘end-to-end encryption’, which experts have repeatedly said cannot be done without seriously endangering user security.

The government pushed ahead with the bill, now the Online Safety Act 2023, despite clear warnings from academics, industry chiefs and campaigners, and fumbled when asked to explain how the plans would actually work. It is now down to Ofcom, the regulator tasked with enforcing the law, to assess whether it can work at all.

The parliamentary committee on national security strategy warned only yesterday that poor planning has left the UK vulnerable to crippling cyber-attacks.

In a complex digital age, smart regulation is critical to tackle abuse. But that can only come from lawmakers who understand technology or respect those who do.

The more of daily life that becomes digital, the more we rely on secure connections to ensure our data is not exploited. Encryption is the main method stopping miscreants from stealing passwords or personal information.

If firms are forced to weaken security, more attacks will follow, at just the time when we need to boost security across society.

For example, if WhatsApp were instructed to make messages visible to law enforcement, that back door could be found by others, exposing personal messages. It is a basic principle of information security that the more ways there are to access a system, the more likely it is that an attacker will gain access.

Some attempts to sidestep encryption have already created such threats, such as the risk of young LGBTQ people being outed to unsympathetic parents by well-intentioned reporting systems.

Corporate espionage is also a growing issue, with industry figures warning that secrets are at risk from hackers.

The same issues threaten national security, infrastructure and anything else that depends on secure communication – which is, increasingly, everything.

“Scanning every user’s privately stored iCloud data would create new threat vectors for data thieves to find and exploit.” – Erik Neuenschwander, director of user privacy and child safety, Apple

Business dumping UK

Given these security concerns, many organisations are likely to reconsider their position in the UK. Doing business without encryption protecting assets like user data exposes firms to serious risk. It is also hard to create one product to serve the UK and another for elsewhere, so operators may turn their back on the UK in favour of more secure jurisdictions.

Mission-driven organisations like the Signal messaging app, whose selling point is that it keeps user data from prying eyes, have clearly affirmed that they prioritise privacy and encryption over a continued presence in the UK.

Protonmail, another security-first provider, agrees, stating that: “We haven’t broken encryption for the governments in China or Iran, and we won’t for the UK government… we’d sooner be barred from operating in the UK than compromise the security and privacy our community relies on.”

Apple has said the same, and more firms are likely to follow as security risks mount.

Hindering innovation

World-beating innovation requires, as a minimum, access to the basic techniques relied upon to build modern systems, of which encryption is one. Undermining encryption is a bit like forcing house-builders to give police a skeleton key to all homes, while trust in the police plummets.

As the UK seeks to position itself as a technology leader in fields from AI to quantum computing, the threat of having to build gaps in encryption will complicate efforts to build advanced, and also mundane, systems that depend on it.

Nick Hegarty, tech principal at usTwo, said: “As workers in the digital product space, alongside our commitment to protecting the data of vulnerable populations, we understand that forcing such fundamental technical impositions on development limits our ability to use standard tools to create robust and innovative products. This will damage our ability to produce work that we believe in ethically, and also to compete and act at the forefront of technology, particularly for products intended for use in the UK.”

“The UK has no hope of being a leader in AI and advanced technologies if its regulations get in the way of creating basic communications systems.” – Mansoor Ahmed Rengers, CEO of OpenOrigins, tackling deepfake video

Political abuse

The principle of privacy is a cornerstone of civilised society. As we’ve seen from the abuse of Pegasus spyware, political players go to great lengths to get ahead. Pegasus was found on phones belonging to close associates of murdered journalist Jamal Khashoggi, something that is thought to have enabled his persecution.

A governing power whose state bodies, like Spain’s disgraced spy-masters, have visibility of otherwise private messaging can gain huge and unfair advantages.

Suboptimal and counterproductive

Analysis suggests that the majority of problematic content may be better addressed by methods other than cracking encryption.

Besides, the criminal use of technology often resembles an arms race; offenders seek new ways to hide their trail. As they move to different platforms, the law may be applied more widely, forcing more firms to tackle the onerous technicalities described above, while problem users move to other platforms. Increasingly, such alternatives are designed to free users from surveillance. If broken encryption results in the breaches predicted, we’ll all make the move before long.

In the unrelenting pursuit of one policy aim, the government’s expert-allergic approach may solve none of the intended problems – while unleashing a lot more.

But there is a small ray of hope. Ofcom, as the regulator, must be satisfied that the aims of the act are achievable before it begins enforcement.

The act will not actually come into force until the government publishes secondary legislation, and Ofcom must also publish new codes of practice.

The government itself has accepted that "if the appropriate technology does not exist… then Ofcom will not be able to… require its use".

In theory, then, Ofcom could accept that no technology can satisfactorily do what the government dreams of – breaking end-to-end encryption without endangering sensitive data.

This may be the last hope for those who depend on secure technology in the UK.

More from Matthew Linares