Urupong - stock.adobe.com

UK minister fails to reassure tech companies over encryption risk

Technology companies say reassurances by government ministers that they have no intention of weakening end-to-end encrypted communication services do not go far enough

The government yesterday attempted to quash industry concerns that the “spy clause” in the Online Safety Bill, which aims to crack down on child abuse and other harmful online content, would fundamentally weaken end-to-end encrypted services.

Junior arts and heritage minister Stephen Parkinson told the House of Lords yesterday that regulators would not use controversial powers in the bill to scan encrypted messages until it is “technically feasible” to do so.

“Let me be clear: there is no intention by the government to weaken the encryption technology used by platforms, and we have built strong safeguards into the bill to ensure that users’ privacy is protected,” he said.

“A notice can only be issued where technically feasible and where technology has been accredited as meeting minimum standards of accuracy in detecting only child sexual abuse and exploitation content.”

The new powers in the Online Safety Bill (OSB), which went through its third reading in the Lords yesterday, will be enforced by the communications regulator, Ofcom, which will have powers to issue fines of £18m or 10% of a company’s annual global turnover, and to bring prosecutions against company executives.

Technology providers including WhatsApp, Proton and Signal have threatened to withdraw encrypted messaging services from the UK if the government implements controversial powers which they claim will undermine the safety and integrity of encrypted communications.

Opponents of the Bill, including Meredith Whittaker, president of Signal, met with former Facebook vice-president for policy, Richard Allan, now a member of the House of Lords, in a closed-door meeting on Monday described as a last-ditch attempt to urge lawmakers not to pass measures in the bill that would damage privacy-enhancing technology.

Government denies U-turn

The government, however, denied it had made a U-turn on the bill, which went through the Lords without any changes to the “spy clause” – section 122 – which gives Ofcom powers to require technology companies to use “accredited technology” to monitor the contents of encrypted messages.

“As has always been the case, as a last resort, on a case-by-case basis and only when stringent privacy safeguards have been met,” a spokesperson said.

“[The bill] will enable Ofcom to direct companies to either use, or make best efforts to develop or source, technology to identify and remove illegal child sexual abuse content – which we know can be developed.”

Government assurances fall short

Signal president Meredith Whittaker described the announcement as a “win” for technology companies.

Writing on X, formerly Twitter, she said the clause could genuinely imperil Signal’s ability to operate in the UK, and that the government’s apparent concession was “much better than nothing”. “From here people can keep pushing with a hard-won admission in hand,” she added.

Others were more pessimistic. Andy Yen, founder and CEO of encrypted email service Proton, said the government fell “well short of providing the legal assurances that businesses need to continue operating and investing in the UK”.

“As it stands, the bill still permits the imposition of a legally binding obligation to ban end-to-end encryption in the UK, undermining citizens’ fundamental rights to privacy, and leaves the government defining what is ‘technically feasible’,” he said.

Head of WhatsApp Will Cathcart wrote in a post on X that powers in the bill to mandate tech companies to scan encrypted messages continued to pose a threat to privacy.

“The fact remains that scanning everyone’s messages would destroy privacy as we know it,” he said. “That was as true last year as it is today. @WhatsApp will never break our encryption and remains vigilant against threats to do so.”

Matthew Hodgson, CEO of Element and Technical Co-founder at Matrix.org, which supplies encrypted messaging services, said that the government had not backed down on scanning encrypted communications and had left open the possibility of introducing it a later date.

"The government has now verbally acknowledged that the scanning technology dreamt up as part of the OSB doesn’t exist. It now needs to recognise that scanning is fundamentally incompatible with end-to-end encrypted messaging apps,” he told Computer Weekly.

The company has warned it would withdraw encrypted services from the UK if it is required to introduce scanning technology.

And Paul Holland, CEO of encrypted mail service Beyond Encryption, said the government had admitted there is no current technology that would not fundamentally break encrypted messaging services. “It was abundantly clear to all those with knowledge of encryption that the government’s proposals were unworkable and the Online Safety Bill put them on a collision course with encrypted messaging services,” he said.

 Controversial and draconian powers

James Baker, campaign manager for the Open Rights Group, which campaigns for privacy and free speech in the UK, said that despite the government’s assurances, it had kept “controversial and draconian” powers in the bill.

“The fact they are making last-minute statements to placate industry further demonstrates that the bill is an ill-thought-through legislative mess that Ofcom will now be expected to sort out,” he told Computer Weekly.

“The government should make it clear to Parliament what it actually intends to happen with this policy, and Parliament should ask the Lords to look again at the inadequate safeguards that have been put in place around the use of these powers.”

Changes over Section 122 crucial

Barbora Bukovská, senior director for law and policy at Article 19, which supports freedom of expression, said it was “absolutely crucial” to add specific reassurances to the bill to commit Ofcom not to apply Section 122 in a way that could undermine end-to-end encryption.

“Without it, the prospect of the government compelling companies to surveil private messages is not off the table,” she said. “At the same time, we have the concrete commitment from the government that the powers won’t be used until it’s ‘technically feasible’ – and will be holding them to account for that,” she added.

Rasha Abdul Rahim, director of Amnesty Tech, said the “spy clause” could lead to the private sector being mandated to carry out mass surveillance of private digital communications.

“It would leave everybody in the UK – including human rights organisations and activists – vulnerable to malicious hacking attacks and targeted surveillance campaigns,” she said. “It also sets a dangerous precedent. It remains undeniably true that it’s not possible to create a technological system that can scan the contents of private electronic communication while preserving the right to privacy.”

Speaking in the House of Lords yesterday, Labour peer Kenneth Morgan said that by handing over responsibility for encryption to Ofcom combined with potential intervention from the courts, the government had created an undemocratic process.

“The fact of the matter is, everybody knows that you cannot do what Ofcom is empowered by this bill to do without breaching end-to-end encryption,” he said. “It’s as simple as that.”

Client-side scanning

Ofcom is expected to mandate technology known as client-side scanning to inspect the contents of communications sent by secure messaging services and mobile phones before they are encrypted.

This would require communications service providers to install software capable of analysing messages and to send reports back either to a government agency or a technology provider.

Another scanning technology under consideration, homomorphic encryption, makes it possible to perform calculations on encrypted data to identify its content.

 Read more about the debate on end-to-end encryption

Read more on IT risk management

Data Center
Data Management