End-to-end encryption “cannot come at the expense of protecting the public”, the UK’s Department for Digital, Culture, Media and Sport (DCMS) says. The department is preparing for a potential run-in with Apple, which launched new enhanced encryption and security tools this week that could be in contravention of the upcoming Online Safety Bill. These added security measures “cannot be allowed to hamper efforts to catch perpetrators of the most serious crimes,” DCMS says.
Under the Online Safety Bill, which is currently being debated in the House of Commons, companies will be compelled to weaken security and provide “backdoor access” that bypasses encryption, giving access on request to any encrypted data in messages, cloud storage or logs. Failure to do so would result in “large, disabling fines”, the bill says.
The proposals have put DCMS at loggerheads with security professionals, campaigners and tech giants. Apple has long refused backdoor access to its systems when requested by law enforcement agencies, but didn’t respond to a question from Tech Monitor on what position it would take with the new Online Safety Bill.
Its new encryption and privacy tools suggest it is prepared for the fight. The advanced security features are focused on protecting users against threats from state and malicious hackers. This includes full end-to-end encryption for user data in the cloud, both active and back-up data, as well as iMessage contact key verification, where users can verify they’re communicating only with the person they intended.
“As threats to user data become increasingly sophisticated and complex, these new features join a suite of other protections that make Apple products the most secure on the market,” Apple wrote in a statement, adding that it is “committed to strengthening both device and cloud security, and to adding new protections over time”.
Apple said it was “unwavering” in its commitment to provide users with the best data security, including mitigating emerging threats to their personal data on the device and in the cloud.
Online Safety Bill a 'disaster' for privacy
The new tools have been welcomed by security professionals and campaigners. The Electronic Frontier Foundation praised Apple for adopting advanced end-to-end encryption, stating in a blog post that “companies should stop trying to square the circle by putting bugs in our pockets at the request of governments, and focus on protecting their users, and human rights. Today Apple took a big step forward on both fronts.”
Erica Portnoy, EFF senior staff technologist, described the Online Safety Bill as "a disaster for user privacy" which must not pass the House of Commons. "Scanning private content is incompatible with encryption, and endangers the rights of all users, including children," Portnoy says. "If it passes, the censorious, anti-encryption Online Safety Bill won’t just affect the UK—it will be a blueprint for repression around the world. The bill would require Apple to compromise its encryption, both pre-existing and newly added."
DCMS says it is meeting regularly with tech companies including Apple to discuss internet safety, explaining that companies must assess the level of risk when opening access to encrypted data no matter what their design is, with the bill designed to be "technology neutral".
DCMS 'working with industry' on Online Safety Bill
The department is sticking to its guns on the need for backdoor access, telling Tech Monitor: "Firms will be required to adhere to the strong child safety duties in the Online Safety Bill, and we remain committed to continuing to work with the tech industry to develop innovative solutions that protect public safety and privacy."
A spokesperson for the department said that Ofcom would be given a suite of new enforcement powers, allowing it to take a lead on making decisions around whether to force companies to break encryption. This could include fines of up to £18mn or 10% of qualifying global turnover, whichever is the higher amount, for failing to provide access.
It was described as a "risk-based, proportionate" framework to protect citizens online and uphold the right to freedom of expression, with the spokesperson adding that it doesn't ban E2EE, described as a "vital part of our digital world", but rather requires that it not be misused.
As well as requesting access to encrypted data by design, DCMS says a recent £555,000 safety tech fund was established to develop proof-of-concept tools to find ways to scan for child abuse images in an end-to-end encrypted environment, protecting children whilst maintaining user privacy.
The EFF warned in a statement: "These types of systems create more vulnerabilities that endanger the rights of all users, including children. Security experts and NGOs have spoken clearly about this issue, and asked for the anti-encryption sections of this bill to be withdrawn, but the bill’s sponsors have unfortunately not listened."