Changes to the UK’s draft Online Safety Bill could see tech companies forced to build backdoors into end-to-end encrypted messaging services to detect and report abuse material. The proposed changes could threaten data security and provide a new attack vector for hackers, experts have warned.
The Department of Culture, Media and Sport this week added several amendments to the Online Safety Bill, which was originally presented to the House of Commons on May 11. DCMS says the amendments are designed to offer members of the public additional protection from the dangers of unmitigated malicious actions online, such as the sharing of child sexual abuse material (CSAM) or online fraud.
What’s changing in the Online Safety Bill?
The legislation will impose fresh legal requirements on tech companies that host content generated by their users, such as social media platforms, and on search engines, according to explanatory notes released by DCMS.
Tech companies providing end-to-end encrypted messaging will be mandated to put systems in place which automatically scan for CSAM so it can be reported to authorities.
Communications regulator Ofcom is being given extra powers through the bill to impose fines of up to £18m or 10% of the company’s global annual turnover, whichever is higher, should tech companies fail to comply.
The Online Safety Bill and client side scanning
The Online Safety Bill has attracted widespread criticism since its inception, says Alexi Drew, CEO and co-founder of Penumbra Analysis. “It’s grown out beyond all proportion,” she argues. “It’s now created some form of monstrosity squatting at the centre of British digital politics and governance strategy which, on so many levels, makes no sense.”
Today it was revealed that 16 civil rights campaign groups had written to the government to oppose the bill, saying it was “on the verge of being unworkable” and that it would not protect citizens online. “It risks being the worst of both worlds: failing to keep us safe, while also threatening free speech,” the letter says.
Mandating such extensive access into all private messaging could undermine the security of intellectual property and sensitive data, Drew says, and make such a system a target for cybercriminals. “We would be obscenely naive if we were to suggest that that amount of data would be secure,” she says.
This level of access would only practically be achieved through the use of something called “client-side scanning”, cybersecurity expert Professor Alan Woodward told the BBC. “The implication [within the bill] is some form of universal ‘client-side scanning’ which many will see as overly intrusive and liable to… be used to detect other items unrelated to child safety,” he said.
Client-side scanning is where companies will scan the contents of a message before it is encrypted to ensure that it contains nothing untoward. Apple tried to introduce it last year to scan for CSAM and withdrew the system almost immediately due to a privacy backlash.
A report by security company Malwarebytes on this type of scanning says “technologies such as these may represent the most powerful surveillance system ever imagined. It is imperative that we find a way to make them abuse-resistant and auditable before we decide to start using them.”
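To make the trust boundary concrete, here is a small added illustration (not code from the article, from Apple, from Malwarebytes or from any messaging product) of where a client-side scanner sits in a message pipeline. The Scanner class, the hash-based stream cipher used as a stand-in for real encryption, and the sample blocklist and messages are all assumptions constructed for this example. It shows the two points the experts quoted above make: the transport stays end-to-end encrypted while the scanner has already seen every plaintext, and the match list is an opaque set of hashes, so the client cannot tell whether a new entry targets abuse material or something unrelated.

```python
"""Toy model of client-side scanning alongside end-to-end encryption.
Added illustration only; the scanner, cipher stand-in, blocklist and
messages are constructed for the example, not taken from any product."""
import hashlib
import os
from dataclasses import dataclass, field


def content_hash(data: bytes) -> str:
    """Exact-match fingerprint of a message. Real deployments use perceptual
    hashes of images; an exact hash is enough to show the trust boundary."""
    return hashlib.sha256(data).hexdigest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (hash-based counter mode) so the example runs
    with the standard library only. Encrypt and decrypt are the same call."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


@dataclass
class Scanner:
    """The client-side component. It holds an opaque list of hashes supplied
    by an outside party and sees every outgoing message in plaintext."""
    blocklist: set
    reports: list = field(default_factory=list)
    plaintexts_seen: list = field(default_factory=list)

    def scan(self, sender: str, plaintext: bytes) -> bool:
        self.plaintexts_seen.append(plaintext)
        if content_hash(plaintext) in self.blocklist:
            self.reports.append((sender, plaintext))  # would go to a third party
            return True
        return False


def send_e2ee(plaintext: bytes, key: bytes) -> dict:
    """Plain E2EE: the relaying service only ever handles ciphertext."""
    nonce = os.urandom(12)
    return {"nonce": nonce, "ciphertext": keystream_xor(key, nonce, plaintext)}


def send_with_css(sender: str, plaintext: bytes, key: bytes, scanner: Scanner) -> dict:
    """E2EE plus client-side scanning: the same ciphertext leaves the device,
    but the scanner has already read the plaintext and may have reported it."""
    flagged = scanner.scan(sender, plaintext)
    packet = send_e2ee(plaintext, key)
    packet["flagged"] = flagged
    return packet


def receive(packet: dict, key: bytes) -> bytes:
    return keystream_xor(key, packet["nonce"], packet["ciphertext"])


def demo() -> dict:
    key = os.urandom(32)
    # Constructed blocklist: one hash standing in for known abuse material.
    scanner = Scanner(blocklist={content_hash(b"<known-abuse-material-placeholder>")})

    benign = b"see you at 7"
    pkt = send_with_css("alice", benign, key, scanner)
    results = {
        "transport_still_e2ee": pkt["ciphertext"] != benign and receive(pkt, key) == benign,
        "benign_flagged": pkt["flagged"],
        "scanner_saw_plaintext": benign in scanner.plaintexts_seen,
    }
    # Scope creep: whoever controls the list can add any hash, and the client
    # has no way to tell what that hash targets.
    scanner.blocklist.add(content_hash(b"march on parliament saturday"))
    pkt2 = send_with_css("alice", b"march on parliament saturday", key, scanner)
    results["unrelated_flagged"] = pkt2["flagged"]
    results["reports"] = len(scanner.reports)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that nothing in the encrypted transport changes: a network observer or the relaying server sees exactly the same ciphertext with or without the scanner. What changes is that a component on the endpoint, configured by a party other than the user, reads every message and can report it, which is why the report quoted above asks for such systems to be abuse-resistant and auditable before deployment.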
The Online Safety Bill and the end of end-to-end encryption
While this sort of monitoring may be useful in rooting out CSAM, as well as other criminal activity, it would necessitate a level of access to private content that could render end-to-end encryption (E2EE) ineffective. “This is very likely in practice to permit Ofcom to require platforms to use technologies that are incompatible with the use of end-to-end encryption or that compromise its integrity,” the Malwarebytes report says.
The technique also holds striking similarities to that of the NSO Group and its controversial spyware Pegasus, which has been used by authoritarian regimes to spy on political opponents, activists and journalists. The UK government is one of many western governments to have its systems breached by the spyware in the last 12 months.
What is proposed in the Online Safety Bill is “pretty much the same”, Drew says. She adds: “The irony is that the European Union is currently at the point of banning NSO Group, the US sanctioning it and at the same time was attempting to buy it, and the UK government is saying ‘let’s make it something that all private companies lawfully have to do’.”