leowolfert - Fotolia
The government has introduced an amendment to the Online Safety Bill that it says will require the regulator to conduct extra scrutiny before requiring technology companies to scan encrypted messages for illegal content.
The amendment to the bill will add an extra review stage before the regulator requires tech companies to scan the content of end-to-end encrypted message services for child sex abuse material (CSAM) and other illegal content.
WhatsApp, Signal, Threema and other encrypted messaging services have called for the UK to amend the Online Safety Bill to protect encrypted communications. They warn that tech companies would be forced to leave the UK if required to weaken encryption.
The Online Safety Bill will now require the regulator Ofcom to commission a report by a “skilled person” before giving technology companies technical notices to scan encrypted messages.
However, civil society groups said the move does not go far enough to protect the integrity and privacy of encrypted messages, and could damage the UK’s chances of becoming a technology superpower.
Lord Parkinson of Whitley Bay, speaking for the government, told the Lords on Wednesday that the amendment would provide an additional safeguard.
“This independent expert scrutiny will supplement Ofcom’s own expertise to ensure that it has a full understanding of relevant technical issues to inform its decision-making,” he said.
Ofcom would be required to consider the impact of privacy and freedom of expression before requiring a service provider to introduce technology to read encrypted messages, and was bound by human rights law, the Lords heard.
“If appropriate technology does not exist which meets these requirements, Ofcom cannot require its use,” he said.
Two further amendments that were designed to ensure stronger protection for encrypted messaging services did not make the bill.
The Lords did not consider a proposed amendment by conservative peer Lord Moylan, that would prohibit Ofcom from imposing any requirement on technology companies that would weaken or remove end-to-end encryption.
And Labour Peer, Lord Stevensen of Balmacara, decided not to proceed with a proposed amendment to require Ofcom to seek approval from an independent judicial commissioner before issuing a technical notice requiring a technology company to scan encrypted communications.
The proposed amendment would have required a judicial commissioner to assess whether the technical notice was proportionate and that appropriate regard had been given to freedom of expression and privacy rights.
The amendment would have also required the judicial commissioner to take evidence from the service provider impacted before making a decision and apply the same legal principles as a judicial review.
Risk to UK technology
The bill envisages technology companies using client-side scanning software placed on users’ phones or computers to detect illegal content before it is encrypted.
In 2021, 40 leading cryptographers and technologists warned that Apple’s plans to introduce client-side scanning were unworkable, vulnerable to abuse, and a threat to safety and security.
Speaking in the Lords, Baroness Fox of Buckley said that, if passed, the bill would give Ofcom far-reaching powers to force WhatsApp and other services to install software to scan private messages for evidence of terrorism, CSAM or abusive content, and to automatically send a report to law enforcement if there was a suspicion of wrong-doing.
“Focusing on encryption just makes no sense,” she said.
The government had exempted text messages, Zoom and email from the provisions of the bill, and had also exempted messages sent by law enforcement, the public sector or emergency responders. Many government communications were sent on WhatsApp, Fox told the Lords.
“It seems then that the target of this part of the bill is UK private citizens and residents, and that the public are seen as the people who must be spied on,” she added.
Baroness Fox of Buckley
She said the bill could put prime minister Rishi Sunak’s vision of the UK becoming a technology superpower at risk, by forcing companies such as WhatsApp that provide encrypted messaging services to leave the UK.
She asked the government to explain scientifically and technologically why leading scientists and technologists were wrong to argue that the bill could inadvertently lead to the breaking of encryption.
Bill does not ‘break encryption’
Speaking for the government, Lord Parkinson said the bill did not require companies to beak or weaken encryption.
He said that if companies were managing the risks on their platforms appropriately, Ofcom would not need to use its powers.
But as a last resort, where there was clear evidence of CSAM on a platform, Ofcom would be able to direct them to use “accredited and accurate technology to identify and remove this illegal content”.
Civil society groups say measures don’t go far enough
Civil society groups said the requirement for Ofcom to commission a report from a “skilled person” did not go far enough.
Monica Horton, policy manager for freedom of expression at Open Rights Group, said the bill now required Ofcom to get a report from a consultant before acting, but that was not the same as making an assessment of fundamental rights.
She said that despite having cross-party support, the opposition Labour Party withdrew an amendment that would have ensured judges had oversight overpowers for “government-mandated surveillance”.
The Online Safety Bill will give Ofcom the power to ask tech companies to scan the public’s private messages on the government’s behalf, she said.
“The government claims it will protect encryption, but has still not provided details about how this is possible if these powers are enacted,” she added.
A legal opinion written for Open Rights Group by Matrix Chambers found the bill’s measures to screen user content “amounts to prior restraint” as it will require platforms to intercept and block online communications before they have even been posted, Computer Weekly reported this week.
Read more about the debate on end-to-end encryption
- CEO of encrypted messaging service Element says Online Safety Bill could pose a risk to the encrypted comms systems used by Ukraine.
- Tech companies and NGOs urge rewrite of Online Safety Bill to protect encrypted comms.
- Protecting children by scanning encrypted messages is ‘magical thinking’, says Cambridge professor.
- Proposals for scanning encrypted messages should be cut from Online Safety Bill, say researchers.
- GCHQ experts back scanning of encrypted phone messages to fight child abuse.
- Tech companies face pressure over end-to-end encryption in Online Safety Bill.
- EU plans to police child abuse raise fresh fears over encryption and privacy rights.
- John Carr, a child safety campaigner backing a government-funded campaign on the dangers of end-to-end encryption to children, says tech companies have no choice but to act.
- Information commissioner criticises government-backed campaign to delay end-to-end encryption.
- Government puts Facebook under pressure to stop end-to-end encryption over child abuse risk.
- Former UK cyber security chief says UK government must explain how it can access encrypted communications without damaging cyber security and weakening privacy.
- Barnardo’s and other charities begin a government-backed PR campaign to warn of dangers end-to-end encryption poses to child safety. The campaign has been criticised as ‘one-sided’.
- Apple’s plan to automatically scan photos to detect child abuse would unduly risk the privacy and security of law-abiding citizens and could open up the way to surveillance, say cryptographic experts.
- Firms working on UK government’s Safety Tech Challenge suggest scanning content before encryption will help prevent the spread of child sexual abuse material – but privacy concerns remain.
- Private messaging is the front line of abuse, yet E2EE in its current form risks engineering away the ability of firms to detect and disrupt it where it is most prevalent, claims NSPCC.
- Proposals by European Commission to search for illegal material could mean the end of private messaging and emails, says MEP.