leowolfert - Fotolia

Government boosts protection for encryption in Online Safety Bill but civil society groups concerned

House of Lords adopts amendment to require Ofcom to commission a report before requiring technology companies to scan encrypted messages, but drops proposals for judicial oversight

The government has introduced an amendment to the Online Safety Bill that it says will require the regulator to conduct extra scrutiny before requiring technology companies to scan encrypted messages for illegal content.

The amendment to the bill will add an extra review stage before the regulator requires tech companies to scan the content of end-to-end encrypted message services for child sex abuse material (CSAM) and other illegal content.

WhatsApp, Signal, Threema and other encrypted messaging services have called for the UK to amend the Online Safety Bill to protect encrypted communications. They warn that tech companies would be forced to leave the UK if required to weaken encryption.

The Online Safety Bill will now require the regulator Ofcom to commission a report by a “skilled person” before giving technology companies technical notices to scan encrypted messages.

However, civil society groups said the move does not go far enough to protect the integrity and privacy of encrypted messages, and could damage the UK’s chances of becoming a technology superpower.

Lord Parkinson of Whitley Bay, speaking for the government, told the Lords on Wednesday that the amendment would provide an additional safeguard.

“This independent expert scrutiny will supplement Ofcom’s own expertise to ensure that it has a full understanding of relevant technical issues to inform its decision-making,” he said.

Ofcom would be required to consider the impact of privacy and freedom of expression before requiring a service provider to introduce technology to read encrypted messages, and was bound by human rights law, the Lords heard.

“If appropriate technology does not exist which meets these requirements, Ofcom cannot require its use,” he said.

Dropped amendments

Two further amendments that were designed to ensure stronger protection for encrypted messaging services did not make the bill.

The Lords did not consider a proposed amendment by conservative peer Lord Moylan, that would prohibit Ofcom from imposing any requirement on technology companies that would weaken or remove end-to-end encryption.

And Labour Peer, Lord Stevensen of Balmacara, decided not to proceed with a proposed amendment to require Ofcom to seek approval from an independent judicial commissioner before issuing a technical notice requiring a technology company to scan encrypted communications.

The proposed amendment would have required a judicial commissioner to assess whether the technical notice was proportionate and that appropriate regard had been given to freedom of expression and privacy rights.

The amendment would have also required the judicial commissioner to take evidence from the service provider impacted before making a decision and apply the same legal principles as a judicial review.

Risk to UK technology

The bill envisages technology companies using client-side scanning software placed on users’ phones or computers to detect illegal content before it is encrypted.

In 2021, 40 leading cryptographers and technologists warned that Apple’s plans to introduce client-side scanning were unworkable, vulnerable to abuse, and a threat to safety and security.

Speaking in the Lords, Baroness Fox of Buckley said that, if passed, the bill would give Ofcom far-reaching powers to force WhatsApp and other services to install software to scan private messages for evidence of terrorism, CSAM or abusive content, and to automatically send a report to law enforcement if there was a suspicion of wrong-doing.

“Focusing on encryption just makes no sense,” she said.

The government had exempted text messages, Zoom and email from the provisions of the bill, and had also exempted messages sent by law enforcement, the public sector or emergency responders. Many government communications were sent on WhatsApp,  Fox told the Lords.

“It seems then that the target of this part of the bill is UK private citizens and residents, and that the public are seen as the people who must be spied on,” she added.

“It seems the target of this part of the bill is UK private citizens and residents, and that the public are seen as the people who must be spied on”
Baroness Fox of Buckley

She said the bill could put prime minister Rishi Sunak’s vision of the UK becoming a technology superpower at risk, by forcing companies such as WhatsApp that provide encrypted messaging services to leave the UK.

She asked the government to explain scientifically and technologically why leading scientists and technologists were wrong to argue that the bill could inadvertently lead to the breaking of encryption.

Bill does not ‘break encryption’

Speaking for the government, Lord Parkinson said the bill did not require companies to beak or weaken encryption.

He said that if companies were managing the risks on their platforms appropriately, Ofcom would not need to use its powers.

But as a last resort, where there was clear evidence of CSAM on a platform, Ofcom would be able to direct them to use “accredited and accurate technology to identify and remove this illegal content”.

Civil society groups say measures don’t go far enough

Civil society groups said the requirement for Ofcom to commission a report from a “skilled person” did not go far enough.

Monica Horton, policy manager for freedom of expression at Open Rights Group, said the bill now required Ofcom to get a report from a consultant before acting, but that was not the same as making an assessment of fundamental rights.

She said that despite having cross-party support, the opposition Labour Party withdrew an amendment that would have ensured judges had oversight overpowers for “government-mandated surveillance”.

The Online Safety Bill will give Ofcom the power to ask tech companies to scan the public’s private messages on the government’s behalf, she said.

“The government claims it will protect encryption, but has still not provided details about how this is possible if these powers are enacted,” she added.

A legal opinion written for Open Rights Group by Matrix Chambers found the bill’s measures to screen user content “amounts to prior restraint” as it will require platforms to intercept and block online communications before they have even been posted, Computer Weekly reported this week.

Read more about the debate on end-to-end encryption

    Read more on Hackers and cybercrime prevention

    CIO
    Security
    Networking
    Data Center
    Data Management
    Close