Online Safety Bill: encrypted messages to be saved - for now

Britain's Science, Innovation and Technology Secretary Michelle Donelan leaves after attending the weekly Cabinet meeting at 10 Downing Street, in London, on February 21, 2023.
Britain's Science, Innovation and Technology Secretary Michelle Donelan. (Image credit: Photo by DANIEL LEAL/AFP via Getty Images)

The article was modified on September 8, 2023, as we received a comment from the UK government clarifying its position on the matter. 

As the long-debated Online Safety Bill entered its final stage in the House of Lords on September 6, 2023, the UK government announced an unexpected pushback on its most controversial provision—for now, at least.

Ministers decided to postpone what was deemed by critics as the "spy clause" until it is "technically feasible" to do so, the Financial Times reported. Article 122 introduces, in fact, a requirement for tech companies to client-side-scanning private and encrypted messages for harmful and illegal content. Experts have long said this cannot happen without violating people's privacy.

The decision comes as popular messaging apps like WhatsApp and Signal threatened to leave the UK if such a law was finally implemented. Countless privacy advocates, cryptographers, and academics have been long calling on how the Bill could undermine citizens' privacy and freedom of speech, in fact, while setting a global worrying precedent. 

It falls short of fixing privacy issues

"Clause 122, known as the 'spy clause', could see the private sector being mandated to carry out mass surveillance of private digital communications. It would leave everybody in the UK vulnerable to malicious hacking attacks and targeted surveillance campaigns. It also sets a dangerous precedent. It is not possible to create a technological system that can scan the contents of private electronic communication while preserving the right to privacy."

These were the words that Rasha Abdul Rahim, Director of Amnesty Tech, used to describe the unattended consequences of letting secure messaging apps break encryption. "A police officer (or spy) in your pocket" is what this provision is also called.

Born as a way to "make the UK the safer place to be online," it has increasingly become clear that the almost 300-page long Bill was slowly achieving the opposite results: making people more vulnerable online. 

As the Financial Times reported, the tech regulator Ofcom still has the power to require tech companies to develop side scanning software. However, these would be required to scan their networks only when "a technology is developed that is capable of doing so." According to experts, it could pass years before such software is developed.

This announcement doesn't mean the UK government's position on this matter has changed, though. "As has always been the case, as a last resort, on a case by case basis and only when stringent privacy safeguards have been met, it will enable Ofcom to direct companies to either use, or make best efforts to develop or source, technology to identify and remove illegal child sexual abuse content—which we know can be developed," a government spokesperson told TechRadar 

Nonetheless, controversies with the Bill don't end with Article 122. Critics warn that new age verification requirements, for which sites will have to verify the age of visitors by scanning government-issued documents or biometric data, also pose a serious threat to the privacy of UK internet users.

More data collected means greater possibilities for these details to be abused and leaked. Considering the bad track record of recent national data breaches like the ransomware attack on the NHS in June, these are not "not merely an abstract possibility but eventualities to prepare for," wrote a group of academics working in information security and cryptography in an open letter.

Overall, it feels that more of a victory for privacy, this is the latest clumsy compromise for ensuring that big players like WhatsApp, Signal and other widely used secure email services like ProtonMail and Tutanota won't exit the UK market for good. What a place to start for such an important regulation.

Commenting on this point, Proton's Founder and CEO Andy Yen said: "A statement delaying or watering down the dangerous and infeasible parts of the Online Safety Bill is not unwelcome, but it falls well short of providing the legal assurances that businesses need to continue operating and investing in the UK. 

"As it stands, the bill still permits the imposition of a legally binding obligation to ban end-to-end encryption in the UK, undermining citizens' fundamental rights to privacy, and leaves the government defining what is 'technically feasible.' For all the good intentions of today’s statement, without additional safeguards in the Online Safety Bill, all it takes is for a future government to change its mind and we’re right back where we started."

TOPICS
Chiara Castro
Senior Staff Writer

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com