Urupong - stock.adobe.com
The government yesterday attempted to quash industry concerns that the “spy clause” in the Online Safety Bill, which aims to crack down on child abuse and other harmful online content, would fundamentally weaken end-to-end encrypted services.
Junior arts and heritage minister Stephen Parkinson told the House of Lords yesterday that regulators would not use controversial powers in the bill to scan encrypted messages until it is “technically feasible” to do so.
“Let me be clear: there is no intention by the government to weaken the encryption technology used by platforms, and we have built strong safeguards into the bill to ensure that users’ privacy is protected,” he said.
“A notice can only be issued where technically feasible and where technology has been accredited as meeting minimum standards of accuracy in detecting only child sexual abuse and exploitation content.”
The new powers in the Online Safety Bill (OSB), which went through its third reading in the Lords yesterday, will be enforced by the communications regulator, Ofcom, which will have powers to issue fines of £18m or 10% of a company’s annual global turnover, and to bring prosecutions against company executives.
Technology providers including WhatsApp, Proton and Signal have threatened to withdraw encrypted messaging services from the UK if the government implements controversial powers which they claim will undermine the safety and integrity of encrypted communications.
Opponents of the Bill, including Meredith Whittaker, president of Signal, met with former Facebook vice-president for policy, Richard Allan, now a member of the House of Lords, in a closed-door meeting on Monday described as a last-ditch attempt to urge lawmakers not to pass measures in the bill that would damage privacy-enhancing technology.
Government denies U-turn
The government, however, denied it had made a U-turn on the bill, which went through the Lords without any changes to the “spy clause” – section 122 – which gives Ofcom powers to require technology companies to use “accredited technology” to monitor the contents of encrypted messages.
“As has always been the case, as a last resort, on a case-by-case basis and only when stringent privacy safeguards have been met,” a spokesperson said.
“[The bill] will enable Ofcom to direct companies to either use, or make best efforts to develop or source, technology to identify and remove illegal child sexual abuse content – which we know can be developed.”
Government assurances fall short
Signal president Meredith Whittaker described the announcement as a “win” for technology companies.
Writing on X, formerly Twitter, she said the clause could genuinely imperil Signal’s ability to operate in the UK, and that the government’s apparent concession was “much better than nothing”. “From here people can keep pushing with a hard-won admission in hand,” she added.
Others were more pessimistic. Andy Yen, founder and CEO of encrypted email service Proton, said the government fell “well short of providing the legal assurances that businesses need to continue operating and investing in the UK”.
“As it stands, the bill still permits the imposition of a legally binding obligation to ban end-to-end encryption in the UK, undermining citizens’ fundamental rights to privacy, and leaves the government defining what is ‘technically feasible’,” he said.
Head of WhatsApp Will Cathcart wrote in a post on X that powers in the bill to mandate tech companies to scan encrypted messages continued to pose a threat to privacy.
“The fact remains that scanning everyone’s messages would destroy privacy as we know it,” he said. “That was as true last year as it is today. @WhatsApp will never break our encryption and remains vigilant against threats to do so.”
Matthew Hodgson, CEO of Element and Technical Co-founder at Matrix.org, which supplies encrypted messaging services, said that the government had not backed down on scanning encrypted communications and had left open the possibility of introducing it a later date.
"The government has now verbally acknowledged that the scanning technology dreamt up as part of the OSB doesn’t exist. It now needs to recognise that scanning is fundamentally incompatible with end-to-end encrypted messaging apps,” he told Computer Weekly.
The company has warned it would withdraw encrypted services from the UK if it is required to introduce scanning technology.
And Paul Holland, CEO of encrypted mail service Beyond Encryption, said the government had admitted there is no current technology that would not fundamentally break encrypted messaging services. “It was abundantly clear to all those with knowledge of encryption that the government’s proposals were unworkable and the Online Safety Bill put them on a collision course with encrypted messaging services,” he said.
Controversial and draconian powers
James Baker, campaign manager for the Open Rights Group, which campaigns for privacy and free speech in the UK, said that despite the government’s assurances, it had kept “controversial and draconian” powers in the bill.
“The fact they are making last-minute statements to placate industry further demonstrates that the bill is an ill-thought-through legislative mess that Ofcom will now be expected to sort out,” he told Computer Weekly.
“The government should make it clear to Parliament what it actually intends to happen with this policy, and Parliament should ask the Lords to look again at the inadequate safeguards that have been put in place around the use of these powers.”
Changes over Section 122 crucial
Barbora Bukovská, senior director for law and policy at Article 19, which supports freedom of expression, said it was “absolutely crucial” to add specific reassurances to the bill to commit Ofcom not to apply Section 122 in a way that could undermine end-to-end encryption.
“Without it, the prospect of the government compelling companies to surveil private messages is not off the table,” she said. “At the same time, we have the concrete commitment from the government that the powers won’t be used until it’s ‘technically feasible’ – and will be holding them to account for that,” she added.
Rasha Abdul Rahim, director of Amnesty Tech, said the “spy clause” could lead to the private sector being mandated to carry out mass surveillance of private digital communications.
“It would leave everybody in the UK – including human rights organisations and activists – vulnerable to malicious hacking attacks and targeted surveillance campaigns,” she said. “It also sets a dangerous precedent. It remains undeniably true that it’s not possible to create a technological system that can scan the contents of private electronic communication while preserving the right to privacy.”
Speaking in the House of Lords yesterday, Labour peer Kenneth Morgan said that by handing over responsibility for encryption to Ofcom combined with potential intervention from the courts, the government had created an undemocratic process.
“The fact of the matter is, everybody knows that you cannot do what Ofcom is empowered by this bill to do without breaching end-to-end encryption,” he said. “It’s as simple as that.”
Ofcom is expected to mandate technology known as client-side scanning to inspect the contents of communications sent by secure messaging services and mobile phones before they are encrypted.
This would require communications service providers to install software capable of analysing messages and to send reports back either to a government agency or a technology provider.
Another scanning technology under consideration, homomorphic encryption, makes it possible to perform calculations on encrypted data to identify its content.
Read more about the debate on end-to-end encryption
- Government boosts protection for encryption in Online Safety Bill but civil society groups remain concerned.
- CEO of encrypted messaging service Element says Online Safety Bill could pose a risk to the encrypted comms systems used by Ukraine.
- Tech companies and NGOs urge rewrite of Online Safety Bill to protect encrypted comms.
- Protecting children by scanning encrypted messages is ‘magical thinking’, says Cambridge professor.
- Proposals for scanning encrypted messages should be cut from Online Safety Bill, say researchers.
- GCHQ experts back scanning of encrypted phone messages to fight child abuse.
- Tech companies face pressure over end-to-end encryption in Online Safety Bill.
- EU plans to police child abuse raise fresh fears over encryption and privacy rights.
- IT professionals wary of government campaign to limit end-to-end encryption.
- John Carr, a child safety campaigner backing a government-funded campaign on the dangers of end-to-end encryption to children, says tech companies have no choice but to act.
- Information commissioner criticises government-backed campaign to delay end-to-end encryption.
- Government puts Facebook under pressure to stop end-to-end encryption over child abuse risk.
- Former UK cyber security chief says UK government must explain how it can access encrypted communications without damaging cyber security and weakening privacy.
- Barnardo’s and other charities begin a government-backed PR campaign to warn of dangers end-to-end encryption poses to child safety. The campaign has been criticised as ‘one-sided’.
- Apple’s plan to automatically scan photos to detect child abuse would unduly risk the privacy and security of law-abiding citizens and could open up the way to surveillance, say cryptographic experts.
- Firms working on UK government’s Safety Tech Challenge suggest scanning content before encryption will help prevent the spread of child sexual abuse material – but privacy concerns remain.
- Private messaging is the front line of abuse, yet E2EE in its current form risks engineering away the ability of firms to detect and disrupt it where it is most prevalent, claims NSPCC.
- Proposals by European Commission to search for illegal material could mean the end of private messaging and emails, says MEP.
Read more on IT risk management
Parliament passes sweeping Online Safety Bill but tech companies still concerned over encryption
Braverman puts pressure on Meta to pause end-to-end encryption plans
IT experts issue new warnings over Online Safety Bill plans to weaken end-to-end encryption
Government boosts protection for encryption in Online Safety Bill but civil society groups concerned