UK Online Safety Bill Harms Privacy & Security, Experts SayCivil Society Groups Ask PM Sunak to Reconsider Decryption Clause in Legislation
A slew of civil society groups warn that U.K. legislation aimed at protecting children would undermine online safety for kids and adults by weakening end-to-end encryption.
See Also: Why Metadata Isn't Enough
The Tory government-backed Online Safety Bill would impose a duty onto online platforms to shield young users from pornographic or self-harm content while exposing users to potential criminal prosecution for sending harmful or threatening communications. Secretary of State for Justice Dominic Raab days ago announced the bill will expand to criminalize explicit deepfake images.
The bill empowers the U.K. Office of Communications to order online intermediaries, including chat apps such as WhatsApp and search engines such as Google, to use "accredited technology" to scan for child sexual exploitation and abuse material - a requirement potentially at odds with encryption that scrambles the content of messages before they reach the internet.
In an open letter sent to Prime Minister Rishi Sunak on Thursday, civil society members and cybersecurity experts from 70 organizations, led by the Global Encryption Coalition, said the bill "would make U.K. businesses and individuals less safe online, including the very groups that the Online Safety Bill intends to protect."
The letter is the latest salvo in a decadeslong fight being fought in Europe, the United States and Australia between technologists who tout the privacy- and security-enhancing properties of end-to-end encryption and governments who have cited terrorism and child sexual abuse as justification for backdoors into encryption algorithms. The technologists' consistent argument is that any backdoor is likely to be eventually spotted and exploited by bad actors, including state-sponsored hackers (see: Who Backdoored Juniper's Code?).
"We all deserve the protection that end-to-end encryption provides, but the most vulnerable in society - children and members of at-risk communities - need it most of all," letter signatories said.
Backers also raised the possibility of economic consequences, citing a June 2021 study by the Internet Society - also a letter signatory - pegging at $AU1 billion the decrease in economic activity caused by a similar bill that became law in Australia in 2018.
A December 2021 review by an Australian parliamentary committee of the law, the Telecommunications and Other Legislation Amendment, stated that Australian authorities had yet to issue a compulsory request to an online service provider to decrypt encrypted messages. During a July 2020 parliamentary committee hearing, Australian authorities collectively estimated the number of voluntary requests for the text of encrypted communications to number fewer than 50.
"There have been points in time when ASIO has come close to issuing a compulsory notice. However, our preference will always be to engage as much as possible with industry partners," said Mike Burgess, director-general of security at the Australian Security and Intelligence Organization.