View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Policy
November 29, 2022

Online Safety Bill: Privacy and cybersecurity fears over end-to-end encryption changes remain

New laws aimed to keep internet users safe have been amended, but issues of cybersecurity and privacy may not have been resolved.

By Matthew Gooding

Changes to the UK’s Online Safety Bill, new legislation designed to safeguard internet users, have been announced by the government as it prepares to bring it before Parliament. But there has been no mention of any alterations to the part of the law which will give tech companies oversight of end-to-end encrypted messages, something campaigners fear could infringe privacy and pose cybersecurity problems.

Online Safety Bill changes
The Online Safety Bill will help protect children online, but could cause cybersecurity and privacy problems, campaigners claim. (Photo by Natalia Lebedinskaia/Shutterstock)

The bill is designed to keep internet users safe and stop children from accessing harmful content by placing controls on social media platforms and other tech companies around how they assess and delete illegal material.

Work on the legislation was paused earlier this year in the face of opposition from Tory MPs who felt it would impinge on free speech by forcing platforms to suppress “legal but harmful” content.

Now an amended version of the bill is due to return to Parliament next week, with the first amendments having been tabled ahead of the report stage on 5 December. Further changes will be made at later stages of the Bill’s passage, a Department for Digital Culture, Media and Sport (DCMS) statement said.

Does the Online Safety Bill threaten UK cybersecurity?

But while changes have been announced, the DCMS statement makes no mention of provisions around end-to-end encrypted messages which have alarmed privacy campaigners.

Under a new clause added over the summer, tech companies providing end-to-end encrypted messaging will be mandated to put systems in place which automatically scan for child sex abuse material (CSAM) so it can be reported to authorities.

However, the only way to do this effectively is through client-side scanning, where companies will scan the contents of a message before it is encrypted to ensure that it contains nothing illegal. Apple tried to introduce this last year to scan for CSAM sent via its iMessage service and was forced to withdraw the system almost immediately due to a privacy backlash.

Content from our partners
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business
When it comes to AI, remember not every problem is a nail

Creating such a backdoor into messaging systems could also cause a security threat if exploited by cybercriminals.

Last week, a group of 70 civil rights groups and cybersecurity experts from around the world sent an open letter to Prime Minister Rishi Sunak asking for the clauses around end-to-end encryption scanning to be removed.

“Leading cybersecurity experts have made clear that even message scanning, mistakenly cited as safe and effective by its proponents, actually creates serious security and privacy risks for all society while the assistance it can provide for law enforcement is at best problematic,” the letter says.

“Undermining protections for end-to-end encryption would make UK businesses and individuals less safe online, including the very groups that the Online Safety Bill intends to protect.”

Tech Monitor has contacted DCMS for clarification on whether changes have been made to the parts of the bill peraboutd-to-end encryption.

Online Safety Bill changes will ‘protect free speech’

Elsewhere, changes to the bill remove the “legal but harmful” designation for content, but DCMS says it has strengthened protections elsewhere, through new measures that will also be added to make social media platforms more transparent and accountable to users.

The changes will offer users what DCMS calls a “triple shield” of protection when online: social media firms will be legally required to remove illegal content, take down material in breach of their own terms of service, and provide adults with greater choice over the content they see and engage with.

Whether the changes will be enough to win over IT professionals to the benefits of the Online Safety Bill remains to be seen. Just 14% of 1,300 IT professionals surveyed by the BCS, the Chartered Institute for IT, earlier this year considered the Bill to be ‘fit for purpose’. More than half (51%) believed it will not make the internet safe, and 46% believe it is “not workable”.

The removal of the “safe but harmful” designation may be welcomed, as most respondents felt it would not be effective at combating CSAM and other abuse material.

Digital Secretary Michelle Donelan said: “Unregulated social media has damaged our children for too long and it must end.

“Young people will be safeguarded, criminality stamped out and adults given control over what they see and engage with online. We now have a binary choice: to get these measures into law and improve things or squabble in the status quo and leave more young lives at risk.”

Read more: UK government sets out AI regulation plans

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.