September 21, 2023
Does the UK Online Safety Bill “Break Encryption”?
LONDON – When the United Kingdom government announced Tuesday that the latest iteration of its “Online Safety Bill” had “passed its final Parliamentary debate and is now ready to become law,” nowhere in the announcement did the word “encryption” or the phrase “end-to-end” encryption appear.

It’s not surprising that the government would avoid mentioning encryption when crowing about the achievement of passing the bill, given that the question of what the bill requires of companies and platforms that offer end-to-end encrypted messaging services is one of the more controversial – and unsettled – aspects of the bill.

In a blog post published earlier this month, Lord Stephen Parkinson of Whitley Bay, the Parliamentary Under Secretary of State, Department for Culture, Media and Sport, tried to put tech company stakeholders at ease.

“A number of noble Lords mentioned press coverage about encryption, which I am aware of,” Parkinson wrote. “Let me be clear: there is no intention by the Government to weaken the encryption technology used by platforms, and we have built strong safeguards into the Bill to ensure that users’ privacy is protected.

“While the safety duties apply regardless of design, the Bill is clear that Ofcom cannot require companies to use proactive technology on private communications in order to comply with these duties,” Stephenson continued. “Ofcom can require the use of a technology by a private communication service only by issuing a notice to tackle child sexual exploitation and abuse content under Clause 122. A notice can be issued only where technically feasible and where technology has been accredited as meeting minimum standards of accuracy in detecting only child sexual abuse and exploitation content.”

Parkinson added that when deciding whether to issue such a notice, “Ofcom will work closely with the service to help identify reasonable, technically feasible solutions to address child sexual exploitation and abuse risk, including drawing on evidence from a skilled persons report.”

“If appropriate technology which meets these requirements does not exist, Ofcom cannot require its use,” Parkinson added. “That is why the powers include the ability for Ofcom to require companies to make best endeavors to develop or source a new solution. It is right that Ofcom should be able to require technology companies to use their considerable resources and expertise to develop the best possible protections for children in encrypted environments. That has been our long-standing policy position.”

While Meredith Whittaker, the President of encrypted messaging app Signal, said the company was “more optimistic than we were when we began engaging with the UK government” following Parkinson’s statement, she added it was important that stakeholders continue to press the government for a commitment that the “unchecked and unprecedented power” the bill offers authorities will not be used to undermine private communications.

It’s safe to say that Open Rights Group (ORG), a UK-based digital rights advocacy organization, was somewhat less mollified by Parkinson’s comments than was Whittaker.

“At the eleventh hour of the Online Safety Bill’s passage through Parliament, the Government has found itself claiming to have both conceded that it won’t do anything stupid regarding encrypted messages, and that it may well press ahead with dangerous technologies if it wants to,” ORG’s James Baker and Jim Killock wrote in a post published two days after Parkinson’s statement. “It is in a total mess over its proposals to break end-to-end encryption and scan our private messages, despite assurances to Parliament, and making the groundbreaking admission to industry that client-side scanning is currently trying to achieve the impossible.”

Noting that the government had conceded that if the “appropriate technology doesn’t exist that meets those requirements (scanning encrypted messages), then OFCOM will not be able to use clause 122 to require its use,” ORG then pointed out that other government officials are strenuously denying they’ve made any changes to the bill at all with respect to encryption.

“We haven’t changed the bill at all,” MP Michelle Donelan said on a Times radio appearance, as noted by ORG. “If there was a situation where the mitigations that the social media providers are taking are not enough, and if after further work with the regulator, they still can’t demonstrate that they can meet the requirements within the bill, then the conversation about technology around encryption takes place.”

One of the sticking points between the government officials who have pushed for the passage of the Online Safety Bill and their many critics in the tech industry appears to be whether the “scanning” technology the government envisions being used to look at encrypted messages simply doesn’t exist yet or simply isn’t feasible and will never exist.

While Donelan and her peers seem to think it’s merely a technical challenge that the companies aren’t willing to commit their “considerable resources and expertise” (as Parkinson put it) to complying with the law, many of the technologists themselves seem to think the government might just not understand what “encrypted” means.

In comments made to University College London News in July, Awais Rashid, Professor of Cyber Security at the University of Bristol and Director of the REPHRAIN Center, said the issue is “the technology being discussed is not fit as a solution.”

According to UCL News, Rashid has been working on the development of “automated tools to detect child abuse material online as well as engineering privacy into software systems for 15 years,” so he may know a thing or two about what the government is trying to accomplish through the Bill.

“Our evaluation shows that the solutions under consideration will compromise privacy at large and have no built-in safeguards to stop repurposing of such technologies for monitoring any personal communications,” Rashid said. “Nor are there any mechanisms for ensuring transparency and accountability of who will receive this data and for what purposes will it be utilized.”

The good news is, there’s a way for the UK government to avoid running roughshod over encrypted communications and internet user privacy.

“Parliament must take into account the independent scientific evidence in this regard,” Rashid said. “Otherwise the Online Safety Bill risks providing carte blanche for monitoring personal communications and potential for unfettered surveillance on a societal scale.”

My hunch is that the UK government will not “take into account the independent scientific evidence,” because independent scientific evidence is hard to hear over cries of WON’T SOMEBODY PLEASE THINK OF THE CHILDREN?!?!