Ministerial statement on UK's Online Safety Bill seen as steering out of encryption clash
The U.K. government appears to have steered out of a direct collision with the tech industry over a controversial, encryption-risking provision in the Online Safety Bill.
Mainstream tech giants and smaller encrypted messaging services have been united in warning for many months that the bill poses a direct threaten to the security and privacy of millions of web users by placing a legal obligation on encrypted messaging apps to bake-in content scanning capabilities on receipt of an order by the Internet regulator, Ofcom.
Security and privacy researchers, and legal experts, have also chipped in with a regular cadence of warnings that the bill's broad surveillance powers risk -- paradoxically -- wreaking major harm on web safety. Yet the government has appeared deaf to concerns about the impact on encryption.
The bill targets a range of online harms and safety issues, including by putting obligations on platforms to tackle child sexual abuse material (CSAM). But here the government has explicitly sought to foster development of CSAM-scanning tools which could be applied to end-to-end encrypted (E2EE) messaging platforms without affecting user privacy -- ignoring warnings from experts that there's no way to circumvent E2EE without trashing people's privacy and security.
Strongly encrypted messaging apps like Signal accused ministers of magic thinking. Even Apple waded into the public fray over the summer -- warning the Bill poses a risk to web users' security. WhatsApp and others have also warned they could shut services in the U.K. if the bill isn't revised to remove the threat to encryption.
In recent months the government has sought to dampen concerns by suggesting Ofcom would not use these powers against strongly encrypted platforms which apply the gold standard (zero knowledge) E2EE, such as Signal, WhatsApp and iMessage. But the tech industry hit back -- with the Signal Foundation's president Meredith Whittaker among those asking why ministers wouldn't clearly write the claimed limit into the text of the law to ensure strong legal protection for E2EE?
The compromise the government has apparently landed on now looks, at best, like a fudge -- as there is still no clear statement putting E2EE beyond the reach of the bill's scanning powers.
In a ministerial statement today in the House of Lords, where the bill was getting its third reading, Lord Parkinson of Whitley Bay said Ofcom could not be required to order scanning unless "appropriate technology" exists.
"When deciding whether to issue a notice [to scan for CSAM] Ofcom will work with the service to identify reasonable, technically feasible solutions to address the child sexual exploitation and abuse risk including drawing on evidence from a skilled person's report. If appropriate technology does not exist which meets these requirements Ofcom cannot require its use," he said. "That is why the powers include the ability for Ofcom to require companies to make best endeavours to develop or source a new solution."
"It is right that Ofcom should be able to require technology companies to be able to use their considerable resources and their expertise to develop the best possible protections for children in encrypted environments. That has been our long standing policy position. Our stance on tackling child sexual abuse online remains firm and we've always been clear that the bill takes a measured, evidence-based approach to doing so," he added.
The government's line was highlighted earlier today, in a report by the FT ahead of the bill's third reading -- which wrote that the minister would state: "A notice can only be issued where technically feasible and where technology has been accredited as meeting minimum standards of accuracy in detecting only child sexual abuse and exploitation content."
The newspaper also reported that "officials have now privately acknowledged to tech companies that there is no current technology able to scan end-to-end encrypted messages that would not also undermine users’ privacy", citing "several people briefed on the government’s thinking".
It's the quietest of climb-downs, if indeed the FT's sources have got an accurate snapshot of ministers' views. But it's probably as far as the government is going to go, given how deeply it's dug this hole.
As we've reported before, even the the director of the research group it selected to carry out a technical evaluation of the “safety tech” projects that were given public funding back in 2021, as part of a Home Office competition to develop tech capable of detecting CSAM on E2EE services without comprising privacy, has warned of the folly of the effort.
“The issue is that the technology being discussed is not fit as a solution,” Awais Rashid, professor of cyber security at the University of Bristol and director of the Rephrain Centre, warned in a university press release in July. “Our evaluation shows that the solutions under consideration will compromise privacy at large and have no built-in safeguards to stop repurposing of such technologies for monitoring any personal communications.
Flagging up technical feasibility as a hard stop for Ofcom's powers in a ministerial reading at this late stage of the bill's passage looks to be the escape hatch the government has settled (and briefed on) to get out of a mess very much of its own making -- a mess that's generated increasingly attention-grabbing headlines about mainstream messaging apps preparing to exit the U.K. -- without it being too explicit in carving out E2EE from the bill's reach and risking a backlash from child safety campaigners who have been expending their own efforts on pushing for the bill's powers to go even further.
Given this is a fudge, and given the continued existence in the bill of powers for Ofcom to order scanning on E2EE platforms the moment some developer claims to have come up with a feasible techie workaround -- not to mention who knows what else might be lurking in the final text as a raft of amendments were also discussed today by Lord Parkinson -- privacy campaigners are right to remain concerned.
In an early response to the FT's report, posted to X (Twitter), Signal's Whittaker called the government's statement an "important moment" -- and "a victory, not defeat" -- while caveating her remarks by saying it is "not the final win".
I would call this a victory, not a defeat. And am grateful to the UK government for making their stand clear. This is a really important moment, even if it’s not the final win.https://t.co/tq1Oflu7Qq
— Meredith Whittaker (@mer__edith) September 6, 2023
The Open Rights Group, a digital rights advocacy group which has also campaigned against the bill's threat to encryption, described the government's concessions as "welcome news" while arguing it would be "better if these powers had been completely removed from the bill". "We continue to fight for the removal of the spy clause," it added in remarks posted on X.
WhatsApp's Will Cathcart also chipped in with a response, repeating his vow the platform would "never break our encryption". "The fact remains that scanning everyone's messages would destroy privacy as we know it," he said. "That was as true last year as it is today. WhatsApp will never break our encryption and remains vigilant against threats to do so."
The fact remains that scanning everyone’s messages would destroy privacy as we know it. That was as true last year as it is today. @WhatsApp will never break our encryption and remains vigilant against threats to do so. https://t.co/iHsBOhkp8r
— Will Cathcart (@wcathcart) September 6, 2023
The government, meanwhile, has rebutted any suggestion the minister's remarks signal a change of tack.
In a statement emailed to TechCrunch a spokesperson for the Department for Science, Innovation and Technology said:
Our position on this matter has not changed and it is wrong to suggest otherwise. Our stance on tackling child sexual abuse online remains firm, and we have always been clear that the Bill takes a measured, evidence-based approach to doing so.
As has always been the case, as a last resort, on a case by case basis and only when stringent privacy safeguards have been met, it will enable Ofcom to direct companies to either use, or make best efforts to develop or source, technology to identify and remove illegal child sexual abuse content -- which we know can be developed.
Monday saw technology companies including TikTok, Meta, Microsoft and more come together to discuss the threats posed by sexual offenders exploiting our children. We all agreed to continue to work together to tackle these heinous crimes wherever they take place.
Lord Parkinson also expressed gratitude for what he described as "constructive engagement" from technology companies over the summer as the government worked on various amendments to a bill that had already seen scores of changes, big and small, over years plural -- and under several secretaries of state -- since the first draft of the bill was published back in May 2021.
This report was updated to include WhatsApp's public remarks