Online Safety Bill: encrypted messages to be saved - for now

Britain's Science, Innovation and Technology Secretary Michelle Donelan. (Image credit: Photo by DANIEL LEAL/AFP via Getty Images)

The article was modified on September 8, 2023, as we received a comment from the UK government clarifying its position on the matter. 

As the long-debated Online Safety Bill entered its final stage in the House of Lords on September 6, 2023, the UK government announced an unexpected pushback on its most controversial provision—for now, at least.

Ministers decided to postpone what critics have dubbed the "spy clause" until it is "technically feasible" to enforce it, the Financial Times reported. Article 122 introduces a requirement for tech companies to carry out client-side scanning of private and encrypted messages for harmful and illegal content. Experts have long said this cannot happen without violating people's privacy.

The decision comes as popular messaging apps like WhatsApp and Signal threatened to leave the UK if such a law was finally implemented. Countless privacy advocates, cryptographers, and academics have long been warning that the Bill could undermine citizens' privacy and freedom of speech while setting a worrying global precedent.

It falls short of fixing privacy issues

"Clause 122, known as the 'spy clause', could see the private sector being mandated to carry out mass surveillance of private digital communications. It would leave everybody in the UK vulnerable to malicious hacking attacks and targeted surveillance campaigns. It also sets a dangerous precedent. It is not possible to create a technological system that can scan the contents of private electronic communication while preserving the right to privacy."

These were the words that Rasha Abdul Rahim, Director of Amnesty Tech, used to describe the unintended consequences of letting secure messaging apps break encryption. "A police officer (or spy) in your pocket" is what this provision is also called.

Although the Bill was born as a way to "make the UK the safer place to be online," it has become increasingly clear that the almost 300-page document was slowly achieving the opposite result: making people more vulnerable online.

As the Financial Times reported, the tech regulator Ofcom still has the power to require tech companies to develop client-side scanning software. However, companies would be required to scan their networks only when "a technology is developed that is capable of doing so." According to experts, it could take years before such software is developed.

This announcement doesn't mean the UK government's position on this matter has changed, though. "As has always been the case, as a last resort, on a case by case basis and only when stringent privacy safeguards have been met, it will enable Ofcom to direct companies to either use, or make best efforts to develop or source, technology to identify and remove illegal child sexual abuse content—which we know can be developed," a government spokesperson told TechRadar.

Nonetheless, controversies with the Bill don't end with Article 122. Critics warn that new age verification requirements, for which sites will have to verify the age of visitors by scanning government-issued documents or biometric data, also pose a serious threat to the privacy of UK internet users.

More data collected means more opportunities for these details to be abused and leaked. Considering the bad track record of recent national data breaches like the ransomware attack on the NHS in June, these are "not merely an abstract possibility but eventualities to prepare for," wrote a group of academics working in information security and cryptography in an open letter.

Overall, more than a victory for privacy, this feels like the latest clumsy compromise to ensure that big players like WhatsApp and Signal, along with widely used secure email services like ProtonMail and Tutanota, won't exit the UK market for good. What a place to start for such an important regulation.

Commenting on this point, Proton's Founder and CEO Andy Yen said: "A statement delaying or watering down the dangerous and infeasible parts of the Online Safety Bill is not unwelcome, but it falls well short of providing the legal assurances that businesses need to continue operating and investing in the UK. 

"As it stands, the bill still permits the imposition of a legally binding obligation to ban end-to-end encryption in the UK, undermining citizens' fundamental rights to privacy, and leaves the government defining what is 'technically feasible.' For all the good intentions of today’s statement, without additional safeguards in the Online Safety Bill, all it takes is for a future government to change its mind and we’re right back where we started."

Chiara Castro
News Editor (Tech Software)

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life – wherever cybersecurity, markets, and politics tangle up. She writes news, interviews, and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar and TechRadar Pro. Got a story, tip-off, or something tech-interesting to say? Reach out to chiara.castro@futurenet.com
