The Online Safety Bill is the enactment of two long-held UK government desires: the removal of harmful internet content, and visibility into end-to-end (E2E) encrypted content. The latter is just a byproduct of enforcing the former. Both are justified on grounds of national security (terrorism) and child protection (child pornography).
At the time of writing, this bill (PDF) has passed through the House of Commons, and is currently at committee stage in the House of Lords. It is likely (not certain) that it will become law. While this would be a UK law, its reach expands to any internet platform providing services to people in the UK.
The primary gist of the bill is that platform providers are responsible for the content available on their platforms, irrespective of who generates the content. If content is deemed harmful (child pornography, terrorist recruitment, revenge porn, bullying, self-harm, and anything the government defines as ‘illegal’), the provider can be required to remove that content.
All of this sounds reasonable; but the problems start with visibility and enforcement. Enforcement is to be undertaken by the government’s own Office of Communications regulator, Ofcom. To be able to determine compliance with the law, Ofcom must have visibility on the content. That, in simple terms, implies mass government surveillance of any internet available to users within the UK.
But what if the information on the platform is protected with end-to-end encryption within a messaging or communications application? That doesn’t matter; it is still subject to the law, and Ofcom must be provided access to the cleartext content. In short, the Online Safety Bill will require messaging app providers to implement some form of backdoor into the encrypted data – although the government asserts this isn’t a ban on E2E encryption itself.
Ofcom’s weapons include fines up to £18 million ($22 million) or 10% of global revenue (GDPR’s maximum is 4% of global revenue), blocking the platform, and even criminal liability for senior managers.
The problem is that end-to-end encryption and backdoors are mutually exclusive. The UK government insists that this needn’t be so, but it is a technological reality. In his Primer for E2E Encryption Policy in 2022, Alec Muffett (formerly a security policy advisor to the Open Rights Group) wrote: “You can’t be ‘a little bit surveilled’. Either a non-participant has independently determined a message which Alice has spoken to the other participants, or else they have not. If such has occurred, then surveillance has occurred and the guarantee of E2E has been broken.”
The anomaly is that if the government can access the content, criminals and foreign governments will almost certainly be able to use the same backdoor.
There are three questions to consider. Is the law legal? How will the messaging app providers respond? Can users do anything to ensure private communication despite the new law?
A legal law
The first page of the bill states (referring to the European Convention on Human Rights – ECHR): “Lord Parkinson of Whitley Bay has made the following statement under section 19(1)(a) of the Human Rights Act 1998: ‘In my view the provisions of the Online Safety Bill are compatible with the Convention rights’.” The bill is sponsored by the Department for Digital, Culture, Media & Sport. Parkinson is Parliamentary Under Secretary of State for the Department for Digital, Culture, Media & Sport. Fox and hen house?
SecurityWeek asked Monica Horten, policy manager, freedom of expression at the Open Rights Group, whether this bill is compatible with the ECHR. “No,” she replied. “It lacks procedural safeguards for users whose content is restricted, and the potential for disproportionate surveillance of private chats, are two reasons why this would be the case.” We asked whether the bill could be challenged in the courts. Yes, she said. “The over-broad text, and the minimal definition leaves it open to challenge.”
This law will already affect US firms. The real danger is its arguments may spread like a contagion to be used by other governments.
Response from messaging app companies:
WhatsApp has stated very clearly that it will not provide a backdoor for Ofcom, and accepts that it may be blocked in the UK (as has already happened in Iran). It worries about the message being sent by ‘a liberal democracy’ to more authoritarian regimes.
Signal president Meredith Whittaker told the BBC the organization “would absolutely, 100% walk” rather than abide by government surveillance requirements.
Tutanota takes a slightly different stance. In a blog posted on February 28, 2023, the firm states, “‘Walking out’ is not the solution here. We at Tutanota say the opposite: We will not ‘walk’ from the UK. If Prime Minister Rishi Sunak and his government want to stop people in the UK to use strong encryption – like that provided by our secure email service Tutanota – he must block access to Tutanota – just like Russia and Iran are already doing.”
The effect is that if an ‘E2E-encrypted’ product is available in the UK after the bill becomes law, it should no longer be considered to be truly safe from prying eyes.
Circumvention
SecurityWeek talked to Jeff Williams, CTO and co-founder at Contrast Security. “This is about the third time we’ve been through this exact conflict,” he said. The first was the epic battle over the Clipper Chip in 1993, containing a backdoor to enable law enforcement to access encrypted communications. There have been other similar battles in the intervening 30 years that have all ended the same way — the failure to enable government access to keys (GAK) was one attempt.
He accepts the dichotomy between wishing to keep children safe from online harm and simultaneously wishing to keep personal communications private and secure. “The problem,” he says, “is these two goals are impossible to reconcile.” Any backdoor will weaken encryption. “And it’s all but certain that unwanted individuals will use that backdoor to undermine everyone’s security and privacy. What’s worse is these backdoors can be easily circumvented by bad guys, privacy-loving good guys, and anyone else who wants to communicate securely over this insecure channel.”
An easy option, he suggests, is superencryption. “Essentially, you use your own non-backdoored encryption first, and then send it through the system using the backdoored encryption. Government will only have access to what’s been encrypted with your own non-backdoored encryption. This is easily possible for communications formats as well as files.”
He has little time for this new battle for law enforcement access to encrypted messages. “The Clipper Chip was dead in three years. This Bill won’t last nearly that long. At this point, strong cryptography is well understood and public. The idea that governments can prevent secure communications between the denizens of the world is long dead. Apparently, there are some in the government that didn’t read the obituary.”
The most effective circumvention will come when liberal governments understand you cannot beat cybercriminality by becoming a legal cybercriminal. They conflate two wishes: greater control over the internet, and the protection of children. They use the latter to justify the former, but the two wishes are not compatible. The first is a technology issue, while the second is a social issue.
In a paper (PDF) published last year, Ross Anderson, professor of security engineering at Cambridge University, first debunks many of the statistics and arguments used to justify the need for the Online Safety Bill, and then concludes: “The idea that complex social problems are amenable to cheap technical solutions is the siren song of the software salesman and has lured many a gullible government department on to the rocks. Where ministers buy the idea of a magical software ‘solution’, as the industry likes to call its products, the outcomes are often disappointing and sometimes disastrous.”
Marcus Ranum put it more succinctly in Ranum’s Law: “You can’t solve social problems with software.”