Encryption myths versus realities of Online Safety Bill

UK politicians – just like the rest of us – rely on encryption all day, every day, to protect their physical safety, keep their conversations private, and safeguard their families and their finances.

But in their determination to criticise tech companies’ plans, notably Facebook, to make encryption more widely available, politicians appear to think that undermining digital safety for everyone is acceptable collateral damage.

Much of the debate has, understandably, centred on the importance of keeping children safe online. The NSPCC’s head of child safety policy, Andy Burrows, has acknowledged that encryption offers privacy benefits, but says it puts children at risk if it is poorly implemented. But the government is not calling for end-to-end encryption to be better implemented – it is calling for it not to be implemented at all.

Polemics make for bad policies. Here are the myths about encryption that the government’s Online Safety Bill is founded upon:

Myth number one: This is just about encrypted messaging. No. Encryption secures data and communications, but also secures systems and objects that affect your physical world. It protects home security devices such as CCTV cameras and door locks and keeps snoopers away from children’s connected toys. The government can’t legislate for a world in which technology ensures we have secure connected things, but not secure messages.

Myth number two: The Online Safety Bill does not weaken encryption. The bill would make providers of encrypted services criminally liable for the acts of their users. Imagine if supermarkets were made liable for crimes committed with kitchen knives they had sold – they would stop selling knives rather than face the liability. The Bill creates a strong incentive for companies to weaken or remove encrypted services.

Myth number three: The Online Safety Bill creates a safe encryption backdoor for law enforcement. There is no feasible encryption backdoor that can’t also be used by malicious actors. Despite having access to the best cryptographic expertise available, the government cannot come up with one, because “safe encryption backdoor” is an oxymoron.

We also know that law enforcement agencies have made exaggerated claims about encryption as an obstacle, and admit that often, the biggest hindrance to effective policing is technical capability, not encryption. Politicising and scapegoating encryption diverts attention and resources at a time when a National Audit Office report has highlighted other, more addressable, shortcomings in UK law enforcement’s technical capability.

Myth number four: Technical experts aren’t doing enough to help. In a bizarre twist, technologists are now being accused by the home secretary of failing in a “duty of care” to users by providing them with secure services. But technology stakeholders are contributing constructive, evidence-based proposals, including information on content moderation in encrypted systems, and mitigating terrorists’ use of encryption.

There are rumblings of dissent. Even the former head of GCHQ says that weakening security for everyone is not the solution. The Information Commissioner’s Office (ICO) also stepped into the encryption debate with an unequivocal endorsement of end-to-end encryption. The ICO isn’t alone; in July 2020, data protection authorities from Australia, Canada, Gibraltar, Hong Kong, Switzerland and China (yes, China) published an open letter stating: “Ease of staying in touch must not come at the expense of people’s data protection and privacy rights.”

Once we, as citizens, allow those rights to be taken away, we will not get them back. In successive Queen’s Speeches, the government has, absurdly, claimed it wants to “harness the benefits of a free, open and secure internet”. Far from doing that, the Online Safety Bill undermines online security, jeopardises those benefits, and puts us all at greater risk – in the real world and online.

Robin Wilton is director of internet trust at the Internet Society.