UK rolls back controversial encryption rules of Online Safety Bill

The UK government has conceded one of the more controversial parts of its Online Safety Bill, stating that the powers granted by the legislation will not be used to scan encrypted messaging apps for harmful content until it can be done in a targeted manner.

Companies will not be required to scan encrypted messages until it is “technically feasible and where technology has been accredited as meeting minimum standards of accuracy in detecting only child sexual abuse and exploitation content,” said Stephen Parkinson, the Parliamentary Under-Secretary of State for Arts and Heritage, in a planned statement during the bill’s third reading in the House of Lords on Wednesday afternoon.

As recently as August, Michelle Donelan, the secretary of state for Science, Innovation and Technology, told the BBC that technology was in development that would allow encrypted messages to be scanned only for information related to abuse and exploitation — a view that was at odds with both Big Tech companies and the government’s own Safety Tech Challenge Fund, which failed to find a technical solution to the problem.

But the government’s position that there will be no scanning of encrypted messaging apps until it’s technically feasible is “nonsense,” said Matthew Hodgson, co-founder of Element, a decentralized British messaging app. “Scanning is fundamentally incompatible with end-to-end encrypted messaging apps. Scanning bypasses the encryption in order to scan, exposing your messages to attackers.”

Hodgson said that the UK government has simply opened the door to scanning in the future. “It’s not a change, it’s kicking the can down the road.”

The Online Safety Bill is legislation that aims to keep websites and different types of internet-based services free of illegal and harmful material while defending freedom of expression. It applies to search engines; internet services that host user-generated content, such as social media platforms; online forums; some online games; and sites that publish or display pornographic content.

While proposals to keep internet users safe from fraudulent and other potentially harmful content and prevent children, in particular, from accessing damaging material, have been widely welcomed, people across the political spectrum have been less than thrilled about a clause inserted by the government in the summer of 2022. This amendment would have forced tech companies providing end-to-end encrypted messaging to scan for child sex abuse material (CSAM) so it can be reported to authorities. 

Civil liberty groups, cybersecurity experts, elected officials, and a number of organizations have repeatedly argued that the legislation’s current provisions would erode the benefits of encryption in private communications, reduce internet safety for UK citizens and businesses, and compromise freedom of speech.

“The Online Safety Bill poses a serious threat to this protection and could put UK citizens at greater risk. Apple urges the government to amend the bill to protect strong end-to-end encryption for the benefit of all,” Apple said in a statement earlier this year.

In April, the head of WhatsApp went one step further, saying he would rather the messaging app was blocked in the UK than weaken the privacy of its encrypted messages, if required by the UK’s Online Safety Bill.

This is not the first time the UK government has had to concede certain parts of the bill. In its original draft, the UK government required internet companies to monitor “legal but harmful” user content.

However, after concerns were raised over the government being ultimately responsible for defining what fell into that category, the provision was replaced with new rules for companies to be more transparent over internal policies on content moderation, for example requiring online services to explicitly say why certain content must be removed.
