The UK’s long-debated online safety bill (OSB) has been approved by the House of Lords, clearing the way for it to become law.
But it has pitted the government, which proposed the bill, against tech companies that provide secure messaging services. Critics say it will allow authorities in the UK to compel service providers to break users’ encryption.
In July, 68 cybersecurity academics published an open letter outlining their concerns about the OSB. In it, they argue that the bill undermines the safety and privacy of users online.
Written by Benjamin Dowling, University of Sheffield. This article is the opinion of the author and not necessarily that of the UK Defence Journal. If you would like to submit your own article on this topic or any other, please see our submission guidelines.
The OSB has met with significant opposition from industry as well. Apple released a statement explaining that encryption “helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches. The OSB poses a serious threat to this protection.”
In April, several secure messaging providers, such as WhatsApp, Element, Session and Signal, signed another open letter urging the UK government to rethink the bill.
Yet the bill is now set to become law. At a high level, the OSB imposes duties of care on providers of so-called “user-to-user” internet services, those that allow users to upload or share content that can be seen by other users. This covers activities such as uploading photos to Instagram or sending messages via WhatsApp.
This distinguishes social media and online messaging services from internet services such as online banking, in which only the provider sees the content uploaded by the end user. These duties of care are aimed at preventing users from communicating illegal content such as child sexual abuse material.
Why is encryption important?
Since the OSB addresses messaging applications, cybersecurity experts have expressed alarm at the potential of the bill to undermine so-called end-to-end encryption. For messaging applications such as WhatsApp and Signal, end-to-end encryption ensures that only the sender of a given message and their intended recipients can read the content of the message. Even the service provider is prevented from reading the message.
This has been a point of contention for governments and intelligence agencies worldwide, since a provider that holds no decryption key cannot hand over the plaintext of a user’s messages, however it is persuaded.
Proponents of end-to-end encryption, such as the Electronic Frontier Foundation digital rights activist group, argue that privacy of communication is a fundamental right that protects vulnerable groups, such as dissidents in authoritarian regimes. Encryption, they argue, helps ensure this privacy.
However, critics such as intelligence and law enforcement agencies argue that the widespread use of this form of encryption hinders their ability to detect criminal activity such as terrorism or child sexual exploitation.
Is the OSB the only legislation to do this?
The OSB is not the first piece of legislation that has come under fire over its potential to undermine the safety and privacy of end-to-end encryption. In 2018, the Australian government passed the TOLA Act (the Telecommunications and Other Legislation Amendment (Assistance and Access) Act), which also contained measures to compel tech companies to work with the authorities. Politicians argued that it was necessary to address terrorism. But there was a strong backlash from critics who said it could undermine encryption.
A recent proposal by the European Commission suggests similar requirements for service providers of user-generated content in EU countries and has sparked its own open letter from security and privacy researchers concerned for the potential harm to secure digital societies.
Can the OSB help undermine encryption?
The bill specifically requires the UK communications regulator, Ofcom, to issue “codes of practice” to providers of user-to-user services. The codes provide a basis for Ofcom to obtain information from these providers and fine them for non-compliance.
These codes also require that all providers of user-to-user services “must take or use proportional measures to prevent individuals from encountering illegal content by means of the service”.
Conservative MP Damian Collins, who – as minister for tech and the digital economy from July to October 2022 – helped develop the OSB, said in a recent debate that companies should “use their best endeavours to detect, proactively detect, content related to child sexual exploitation”. But he also added: “We are not going to ask companies to break encryption.”
The open letter from the 68 academics points out the fundamental flaw in this argument: “There is no technological solution to the contradiction inherent in both keeping information confidential from third parties and sharing that same information with third parties.”
The president of messaging app Signal, Meredith Whittaker, says the bill contains no protections against breaking encryption.
Indeed, the OSB’s language allows Ofcom to issue “notices” that could be used to compel messaging applications to undermine encryption. These would require the provider of the service to “use accredited technology to identify illegal content communicated publicly or privately by means of the service, and to swiftly take down that content”.
Since end-to-end encryption, by design, leaves the service provider holding nothing but ciphertext, any technology that identifies content in private messages must either be handed the plaintext before it is encrypted or be given the keys. Either route breaks the end-to-end guarantee, so identifying that content necessitates breaking encryption.
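The point made in the last two paragraphs, and in the academics’ letter quoted above, can be shown concretely. The following is an added illustration written for this page, not code from the article, from Signal or from any real messaging app. It assumes two clients already share a 32-byte key that the relay never sees (real apps establish that key with a key-agreement protocol, which is omitted here), and it uses a deliberately simple HMAC-SHA256 counter-mode stream cipher with encrypt-then-MAC rather than a production AEAD. The relay, standing in for the provider, runs a blocklist scan over everything it stores and never matches, because it only ever holds ciphertext; the one way to make the scan “work” is to move it in front of the cipher on the client, at which point the provider is reading plaintext.

```python
"""Added illustration: why a provider relaying end-to-end encrypted
messages cannot "identify" their content, and what it takes to make it
able to. Toy cipher for demonstration only, not for real use."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 digest size


def _keystream(key, nonce, length):
    """Expand key + nonce into `length` keystream bytes (HMAC-SHA256 in counter mode)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext, nonce=None):
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = nonce if nonce is not None else secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag first; raise if the key is wrong or the blob was modified."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Relay:
    """The service provider: stores and forwards blobs. It holds no key."""

    def __init__(self):
        self.store = []    # opaque blobs as received
        self.reports = []  # plaintext hits handed over by modified clients

    def accept(self, blob):
        self.store.append(blob)
        return len(self.store) - 1

    def scan(self, blocklist):
        """Provider-side 'accredited technology': substring match over what it holds."""
        return [i for i, blob in enumerate(self.store)
                if any(term in blob for term in blocklist)]


def scanning_client_send(key, plaintext, blocklist, relay, nonce=None):
    """A client altered to 'detect' content in private messages: it matches the
    blocklist BEFORE encrypting and hands the hit to the provider. The cipher is
    untouched, yet the provider now reads plaintext it was designed never to see."""
    hits = [term for term in blocklist if term in plaintext]
    if hits:
        relay.reports.append((plaintext, hits))
    return relay.accept(encrypt(key, plaintext, nonce))


def demo():
    # Constructed, fixed inputs so the run is reproducible (an assumption, not real traffic).
    key = hashlib.sha256(b"constructed demo key shared by Alice and Bob only").digest()
    nonce = bytes(range(NONCE_LEN))
    blocklist = [b"attached file", b"meet at"]
    message = b"the plan is in the attached file"

    relay = Relay()
    idx = relay.accept(encrypt(key, message, nonce))
    result = {
        "provider_hits_on_ciphertext": relay.scan(blocklist),   # nothing to match on
        "recipient_plaintext": decrypt(key, relay.store[idx]),  # Bob, holding the key, reads it
    }
    try:  # the provider guessing a key gets an authentication failure, not plaintext
        decrypt(hashlib.sha256(b"provider guess").digest(), relay.store[idx])
        result["provider_decrypt"] = "succeeded"
    except ValueError:
        result["provider_decrypt"] = "failed"
    # The only way to "identify" the content is to scan it before it is encrypted.
    scanning_client_send(key, message, blocklist, relay, nonce)
    result["provider_reports"] = relay.reports
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Deleting “or privately” from the notice power, as suggested later in the article, corresponds to never calling `scanning_client_send` for one-to-one messages: the relay keeps its `scan` for publicly posted content, and private traffic stays ciphertext end to end.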
What outcome are we likely to see?
Looking at the language of the OSB, the concerns of cybersecurity experts would appear to have some foundation, despite the denials of Damian Collins and the Home Office. The OSB provides mechanisms for the government to compel messaging applications to undermine their own security measures to achieve its goals.
Removing these provisions would be straightforward. Deleting the phrasing “or privately” from the bill would allow the OSB to stand mostly untouched while addressing the concerns of providers that use end-to-end encryption.
It is painfully ironic, then, that since both Signal and WhatsApp have indicated that they would leave the UK rather than undermine encryption, the current wording of the UK’s online safety bill would potentially leave UK users of end-to-end encryption less safe online.
Benjamin Dowling, Lecturer of Cybersecurity, University of Sheffield. This article is republished from The Conversation under a Creative Commons license. Read the original article.
Once again the pearl-clutching “won’t somebody think of the children” brigade have foisted a costly nonsense on the UK. We were told RIPA (2000) was necessary to allow communications interception and snooping without a warrant, because “terrorists and paedophiles”.
Yet somehow it wasn’t enough. Several more Acts were necessary to ensure that our browsing could be recorded, that mass database profiles were built listing our friends and families, social affiliations, interests and so on. Because terrorists and paedophiles. But oddly enough there are still terrorists and paedophiles out there.
If we decided to communicate securely, we became suspect. If we use a VPN on a regular basis, this becomes a challenge to government, because terrorists and paedophiles. And if secure communications are provided as part of a technology company’s offering, they are aiding and abetting, and we need another piece of spurious legislation to make them stop.
I pay for the government to snoop, and I pay again for a VPN, because if the government can snoop, so can others less benign. Now I’ll have to pay the government to pay the tech companies to circumvent encryption, and I imagine I’ll be paying yet another tech company for routine measures to circumvent that.
There may be a lot of good and useful measures in the Online Safety Bill. I’m not expert enough to decide whether keeping under 13 year olds off social media is a good thing, and I just hope age checking won’t be used as yet another opportunity to monitor and store adults’ behaviours; however, I’m well enough informed to know the prohibition of secure communications is neither useful nor good. Nor will it stop terrorists or paedophiles.
Fraud is probably the number one crime in the UK, with millions of offences perpetrated every year, more common even than speeding. Won’t somebody think of the adults?
I approve this message.
Spot on.
It will result in those who wish to maintain their privacy, irrespective of the fact their use of the Internet is completely legal, decamping their place registration and domicile to Estonia or other such territories where their right to privacy is respected.
To be transparent, certain departments have not needed such laws to snoop on accounts of interest in any event.
Wasn’t there a question posed to the Met along the lines of “would the outcome of any case have changed if they had access?”, and the answer was along the lines of “there is no evidence of this”?
Like all the anti-protest bills being passed recently and not applied uniformly, this will end up being used for political purposes.
Plus my understanding is a house search requires a court order, this does not and so removing any protection.
In an interesting development, Grant Shapps has decided to send UK troops to Ukraine. The defence secretary revealed plans for the UK to offer on-the-ground training and naval support in the Black Sea last night
Report in this morning’s Independent
That’ll go down like a lead balloon in Washington if we didn’t okay it first. Is this another British lightning rod to lead where others will follow, or Mr Shapps not bothering to read his brief before speaking? He announced it in an interview in the Sunday Telegraph, so I’m waiting for the clarification on Monday.
NATO chief Jens Stoltenberg and the defence ministers of Britain, Germany and France visited Kyiv recently, where Zelensky lobbied for more air defence systems and Ukraine’s future military needs were discussed. Possibly the requirement for boots on the ground was also under discussion
The UK has led the way many times during this conflict and has dragged the US with us over tanks, cluster munitions etc. Boots on the ground always starts with “military trainers” and then usually rapidly escalates
Medvedev – never a man to carefully consider his words – has now confirmed that British military advisors will be regarded as NATO legitimate targets by Russia.
Medvedev and Putin are clearly terrified of the prospect that German TAURUS bunker busting cruise missiles will be deployed against their personal bunkers (TAURUS may already be in theatre), warning that German munitions factories could be targeted by Russia, vilifying those who want Berlin to supply Ukraine with Taurus cruise missiles. Putin’s bunker is believed to be in Eastern Siberia, well out of range
An attack on German munitions factories would be an Article 5 issue. Medvedev wants the German faction opposed to donating kit to the Ukraine to have some Russian ammunition
Shapps and Medvedev, men for whom careful consideration of their words are not a concern. I feel so much safer now.
More seriously, I hope I am underestimating Mr Shapps. I yearn to give him the benefit of the doubt, even though the doubt is so strong. May he prove me wrong.
Radakin gave a speech during DSEI last week where he admitted – for the first time – that UKAD was under discussion among the brass. If Shapps wants to do something for the country, getting a few £billion out of Hunt/Sunak for homeland air defence would be impressive.
An attack on anything in Ukraine won’t be an Article 5 moment. An attack on a NATO member on home soil, definitely yes; international waters, airspace etc., possibly. An attack on them in a war zone they have voluntarily entered will not hit that level, though.
And here it comes
Monday’s Daily Telegraph
The clarification has already happened.
Admiral Sunak has slapped down Commodore Shapps.
“Rishi Sunak has been forced to rule out the deployment of British troops to Ukraine after the Kremlin vowed to “ruthlessly eliminate” any soldier sent there.
Grant Shapps, the defence secretary, suggested on the opening day of the Conservative Party conference that training by British army instructors would be relocated to Ukraine.”
From the Sunday Times.
Getting RN assets into the Black Sea will be a bit of a challenge.
Yes, Shapps read that the Romans and Vikings hauled their ships overland where there was no direct link to where they wanted to sail. I’m sure he thinks the RN crews can do the same. I mean, who needs the Montreux Convention?
No no no ignore that and focus on how the ‘Cultural Marxists’ are using 15 minute cities to curtail your freedoms!
There are times I feel completely out of touch. How does a trend towards localism curtail my freedom? I’m assuming you were being sarcastic in context, but I’m curious as to how the argument is even being made?
The conspiracy theory rests entirely on two false beliefs: 1) 15 minute cities and LTNs are the same thing 2) you can’t drive a car in or out of an LTN.
I read an article some time ago about 15 minute cities but didn’t believe it, think it was for Australia, are they real in the UK?
They are real in that councillors are talking about the concept for their areas and incorporating aspects into their planning. Not real in that any of those areas reach the theoretical aspiration.
They aren’t !
Next?
This is another example of government ministers who don’t understand technology refusing to listen to people who do. It never ends well.
This is not good. I wonder how far it would extend. End-to-end encrypted messaging services would seem to be the obvious target but if this really is some sort of blanket “ban un-crackable encryption” campaign then would it also affect zero-knowledge services such as cloud-syncing password managers (BitWarden, LastPass, DashLane etc) and online backup services (iDrive, Carbonite, CrashPlan etc)?
By allowing the user to choose their own encryption key that is never known to the service provider it means that even if a request from HMG to decrypt something became legally binding on such service providers they would genuinely be unable to comply. Surely that can’t be in the scope of this because to me such services seem little different to my encrypting a local Zip file.
If a consequence of this bill is for such zero-knowledge service providers to withdraw their zero-knowledge option and require all users to use a service-provider-generated encryption key I for one would be reluctant to continue using such services thus the security of my passwords would be likely to decrease substantially (I’d probably use simpler passwords) and I would lose the ability to conveniently do very frequent off-site backups.
Well, the stated intent is ‘user-to-user’ and they like to focus on social media / messaging, so you would hope it stops there, but I still remember a Psychoactive Substances Bill so poorly-worded that it could potentially have made chocolate and coffee illegal.
Since most password managers and back-up services have sharing functionality, I’m worried that might lead to some unscrupulous and overreaching investigator having them all classified as user-to-user.
Meanwhile, you can remove encryption entirely from messaging apps and bad actors can still encrypt anything they want offline with public-key encryption. Most end-users will lack the know-how to do it, while criminals will find it little more than a slight speed-bump.
If I’m not mistaken, It would seem that I have been trying for Anti Malware and Anti Virus for keeping Smartphone Handset Technologies free from Intrusions since way back (A Decade or more) and It would seem that IF my Circumstances Permitting future date then I Might-be in the queue for iPhone Technologies rather than Smartphone Handset Technologies that would seem Presently almost Top-of-Range Samsung that I would seem to have Recollection Of Being Pursued By Providers Of for my Reselling Back to Suppliers for an Inferior Valuation Of when the ink barely dry on Contract for a Minimal Monthly Cost as part of a Bundled Contract, So It Would Seem within recent years.
Apparently, So It Would Seem To Be Claimed, “Smartphone Technologies are More Susceptible to Interference Over Internet Communications, Allegedly, Due-to the Open Source Nature of Apps with the Apparent Hazards of Malware being introduced through Applications that would seem to Slip Through Scrutiny Methods Employed from time to time”.
It would seem that I hope this helps with understanding of comparisons in the differences between Technologies.
First clamping down on protests, and now clamping down on encryption… what next?
Honestly? This is business as usual. My suspicion is that half the people who vote for these things didn’t understand the implications and either trusted the government or feared the whip, while the other half fully understood the implications and welcomed them.
Expansion of photo recognition cameras to save us from terrorists, like China!
Odd that a government that states ‘personal freedom’ is a main plank of its philosophy would so easily undermine personal online safety.
Odd too, that a government so scornful of public servants, is happy to see encryption circumvented by public servants when it sees fit.
OSB is riven with contradictions, so one can only wonder who they think will truly benefit from it. As usual, poorly thought through, and just as likely to be poorly implemented.
What could possibly go wrong.
Perhaps I’m a cynic, but I do tend to look at who profits from these things. Who lobbied for it? Who owns shares in a company that makes the tools required? What news story will get buried?
This one smacks of appeasing some internal faction or creating a new spectacle for voters to focus on, since it seems to neither solve a problem nor make money.
Like Starmer and Streeting accepting money from people with private health care interests, is the NHS safe in their hands? Future after-dinner speeches $$
Safer in their hands than the Tories, who have admitted they want rid of the NHS.
If the Government takes an excessive number of years to decide whether someone who came on the Windrush ship has legal status, despite them living here and paying tax most of their lives, I don’t think they can be trusted not to abuse powers!