Aleksei - stock.adobe.com
Tech companies and NGOs urge rewrite of Online Safety Bill to protect encrypted comms
The Online Safety Bill faces amendments in the House of Lords amid concerns that it could weaken the security of end-to-end encrypted communications for UK citizens
Technology companies offering encrypted messaging services have urged the government to make urgent changes to legislation going through Parliament that threatens to undermine the privacy of encrypted communications.
In an open letter, WhatsApp, Signal, Threema and other encrypted messaging services called for the UK government to rethink measures in the Online Safety Bill that could weaken the security of encrypted communications around the world.
The National Union of Journalists, which represents journalists in the UK, has also warned that the bill could undermine the safety of communications between journalists and their confidential sources.
The Online Safety Bill, which begins its committee stage in the House of Lords tomorrow (19 April 2023), faces a number of amendments from peers who have raised concerns about aspects of the legislation.
WhatsApp, owned by Meta, said in a statement that the bill could force technology companies to break end-to-end encryption on private messaging services, affecting the privacy of billions of people.
The bill, as currently drafted, could “open the door to routine, general and indiscriminate surveillance of personal messages” and put the communications of journalists, human rights activists, politicians and ordinary citizens at risk, the open letter states.
The Home Office argues that new powers are needed in the Online Safety Bill to ensure that technology companies and law enforcement agencies can identify child sexual abuse content on encrypted platforms.
The bill will give the regulator, Ofcom, powers to require communications companies to install technology capable of identifying child abuse images on encrypted communications services.
The regulator will be able to impose fines of up to £18m or 10% of turnover, whichever is greater, for companies that do not comply.
“We support strong encryption, but this cannot come at the cost of public safety. Tech companies have a moral duty to ensure they are not blinding themselves and law enforcement to the unprecedented levels of child sexual abuse on their platforms,” a Home Office spokesman said in a statement.
Tech firms’ open letter to UK government
The Home Office is advocating technology known as client side scanning, which would be installed on people’s phones or computers to intercept and identify messages that might contain abuse material or terrorism content before they are encrypted.
But technology companies and leading computer scientists have argued that it is not possible to surveil people’s messages without undermining end-to-end encryption and putting the privacy of their communications at risk.
The open letter has been signed by the leaders of seven technology companies:
- Matthew Hodgson, CEO, Element
- Alex Linton, director, OPTF/Session
- Meredith Whittaker, president, Signal
- Martin Blatter, CEO, Threema
- Ofir Eyal, CEO, Viber
- Will Cathcart, head of WhatsApp, Meta
- Alan Duric, CTO, Wire
The letter argues that end-to-end encryption offers one of the strongest possible defences against malicious actors and hostile states, along with persistent threats from online fraud, scams and data theft.
“As end-to-end-encrypted communication services, we urge the UK government to address the risks that the Online Safety Bill poses to everyone’s privacy and safety. It is not too late to ensure that the bill aligns with the government’s stated intention to protect end-to-end encryption and respect the human right to privacy,” the letter states.
The UK government has acknowledged the privacy risks in the text of the bill, but has said its “intention” is not for the bill to be interpreted in a way that could allow the government backdoor access to encrypted messages.
The tech companies state in the open letter that they are unable to weaken the security of their communications services to suit individual governments. “There cannot be a version of end-to-end encryption that is specific to the UK,” the letter states.
The technology companies are urging the government to rethink the bill to encourage companies to offer “more privacy and security” to UK residents, “not less”.
“Weakening encryption, undermining privacy and introducing mass surveillance of people’s private communications is not the way forward,” the technology companies stated.
BCS, The Chartered Institute for IT, said weakening encryption of secure messaging apps in online safety legislation would damage public trust in technology.
BCS CEO Rashik Parmar said: “There is grave concern that the Online Safety Bill’s requirements around identifying illegal content could break the principle of end-to-end encryption with the promise of a magical backdoor.
“Once a backdoor has been compromised, data and content protected by the encryption becomes accessible. This is exactly what many bad actors would welcome.”
Journalists at risk
The National Union of Journalists also warned that the government risks undermining the security of confidential communications between journalists and their sources.
Michelle Stanistreet, National Union of Journalists general secretary, said information to inform public interest journalism remains under threat: “Government must act now, introducing amendments that ensure protections are afforded to journalists and their encrypted messages.”
Monica Horten, policy manager at the Open Rights Group, said: “In its current form, it [the Online Safety Bill] threatens every person’s right to freedom of expression and privacy. In particular, the bill could allow the scanning of everyone’s private messages.”
A Home Office spokesman said in a statement that the Online Safety Bill did not represent a ban on end-to-end encryption and would not require messaging services to weaken their encryption.
“Where it is the only effective, proportionate and necessary action available, Ofcom will be able to direct platforms to use accredited technology, or make best endeavours to develop new technology, to accurately identify child sexual abuse content, so it can be taken down and the despicable predators brought to justice,” said the spokesman.
Read more about the debate on end-to-end encryption
- Protecting children by scanning encrypted messages is ‘magical thinking’, says Cambridge professor.
- Proposals for scanning encrypted messages should be cut from Online Safety Bill, say researchers.
- GCHQ experts back scanning of encrypted phone messages to fight child abuse.
- Tech companies face pressure over end-to-end encryption in Online Safety Bill.
- EU plans to police child abuse raise fresh fears over encryption and privacy rights.
- John Carr, a child safety campaigner backing a government-funded campaign on the dangers of end-to-end encryption to children, says tech companies have no choice but to act.
- Information commissioner criticises government-backed campaign to delay end-to-end encryption.
- Government puts Facebook under pressure to stop end-to-end encryption over child abuse risk.
- Former UK cyber security chief says UK government must explain how it can access encrypted communications without damaging cyber security and weakening privacy.
- Barnardo’s and other charities begin a government-backed PR campaign to warn of dangers end-to-end encryption poses to child safety. The campaign has been criticised as ‘one-sided’.
- Apple’s plan to automatically scan photos to detect child abuse would unduly risk the privacy and security of law-abiding citizens and could open up the way to surveillance, say cryptographic experts.
- Firms working on UK government’s Safety Tech Challenge suggest scanning content before encryption will help prevent the spread of child sexual abuse material – but privacy concerns remain.
- Private messaging is the front line of abuse, yet E2EE in its current form risks engineering away the ability of firms to detect and disrupt it where it is most prevalent, claims NSPCC.
- Proposals by European Commission to search for illegal material could mean the end of private messaging and emails, says MEP.
Read more on Privacy and data protection
Why we need a secure side door for encrypted apps, not a back door
Chat control: EU lawyers warn plans to scan encrypted messages for child abuse may be unlawful
Government is playing ‘psychic war’ in battle over end-to-end encryption
Online Safety Bill could pose risk to encryption technology used by Ukraine