The government’s Online Safety Bill, new legislation designed to keep UK internet users safe from harmful content, could break end-to-end encryption and threaten the safety and privacy of citizens, a group of messaging services including WhatsApp and Signal have warned. The companies have written an open letter to ministers asking them to reconsider the wording of the bill, which would allow third parties to monitor messages on currently encrypted platforms.
Published this morning, the letter is signed by seven executives from encrypted messaging platforms that operate in the UK. It comes as the bill is debated in the House of Lords, having already passed through the House of Commons.
Why does the Online Safety Bill threaten end-to-end encryption?
The Online Safety Bill is designed to keep internet users safe and stop children from accessing harmful content by imposing controls on social media platforms and other tech companies around how they assess and delete illegal material.
It has been in development for several years, but work on the legislation was paused last year in the face of opposition from Tory MPs who felt it would impinge on free speech by forcing platforms to suppress “legal but harmful” content. An amended version was subsequently agreed which passed its first reading in the House of Commons earlier this year.
One of the provisions of the bill is that companies providing end-to-end encrypted messaging will be mandated to put systems in place which automatically scan for child sexual abuse material (CSAM) so it can be reported to authorities.
The only way to do this effectively is through client-side scanning, where companies will scan the contents of a message before it is encrypted to ensure that it contains nothing illegal. Apple tried to introduce this to its iMessage service last year to scan for CSAM, and was forced to withdraw the system almost immediately due to a privacy backlash.
As reported by Tech Monitor, Apple has subsequently introduced new levels of encryption on its services, which could put it at odds with the UK government when the Online Safety Bill comes into force.
What are the consequences of banning end-to-end encryption?
In the letter, the tech executives say an effective ban on end-to-end encryption would pose both a privacy and a security risk.
It says: “Around the world, businesses, individuals and governments face persistent threats from online fraud, scams and data theft. Malicious actors and hostile states routinely challenge the security of our critical infrastructure. End-to-end encryption is one of the strongest possible defences against these threats, and as vital institutions become ever more dependent on internet technologies to conduct core operations, the stakes have never been higher.
“As currently drafted, the bill could break end-to-end encryption, opening the door to routine, general and indiscriminate surveillance of personal messages of friends, family members, employees, executives, journalists, human rights activists and even politicians themselves, which would fundamentally undermine everyone’s ability to communicate securely.”
Calling on the government to “urgently rethink” the new laws, the signatories add: “The Bill poses an unprecedented threat to the privacy, safety and security of every UK citizen and the people with whom they communicate around the world, while emboldening hostile governments who may seek to draft copycat laws.
“Global providers of end-to-end encrypted products and services cannot weaken the security of their products and services to suit individual governments. There cannot be a ‘British internet,’ or a version of end-to-end encryption that is specific to the UK.”
While the signatories of the letter all have a business interest in preserving end-to-end encryption, other parts of the tech community have raised concerns about the bill. More than half of IT professionals surveyed by BCS, the Chartered Institute for IT, last year said the legislation would not make the internet safer, with just 14% considering it “fit for purpose”.
Tech Monitor has contacted the Department for Science, Innovation and Technology for comment on the letter.