By Joe Mullin / Electronic Frontier Foundation (EFF)
The U.K. Parliament is pushing ahead with a sprawling internet regulation bill that will, among other things, undermine the privacy of people around the world. The Online Safety Bill, now at the final stage before passage in the House of Lords, gives the British government the ability to force backdoors into messaging services, which will destroy end-to-end encryption. No amendments have been accepted that would mitigate the bill’s most dangerous elements.
If it passes, the Online Safety Bill will be a huge step backwards for global privacy, and democracy itself. Requiring government-approved software in peoples’ messaging services is an awful precedent. If the Online Safety Bill becomes British law, the damage it causes won’t stop at the borders of the U.K.
The sprawling bill, which originated in a white paper on “online harms” that’s now more than four years old, would be the most wide-ranging internet regulation ever passed. At EFF, we’ve been clearly speaking about its disastrous effects for more than a year now.
It would require content filtering, as well as age checks to access erotic content. The bill also requires detailed reports about online activity to be sent to the government. Here, we’re discussing just one fatally flawed aspect of OSB—how it will break encryption.
Support our Independent Journalism — Donate Today!
An Obvious Threat To Human Rights
It’s a basic human right to have a private conversation. To have those rights realized in the digital world, the best technology we have is end-to-end encryption. And it’s utterly incompatible with the government-approved message-scanning technology required in the Online Safety Bill.
This is because of something that EFF has been saying for years—there is no backdoor to encryption that only gets used by the “good guys.” Undermining encryption, whether by banning it, pressuring companies away from it, or requiring client side scanning, will be a boon to bad actors and authoritarian states.
The U.K. government wants to grant itself the right to scan every message online for content related to child abuse or terrorism—and says it will still, somehow, magically, protect peoples’ privacy. That’s simply impossible. U.K. civil society groups have condemned the bill, as have technical experts and human rights groups around the world.
The companies that provide encrypted messaging—such as WhatsApp, Signal, and the UK-based Element—have also explained the bill’s danger. In an open letter published in April, they explained that OSB “could break end-to-end encryption, opening the door to routine, general and indiscriminate surveillance of personal messages of friends, family members, employees, executives, journalists, human rights activists and even politicians themselves.” Apple joined this group in June, stating publicly that the bill threatens encryption and “could put U.K. citizens at greater risk.”
U.K. Government Says: Nerd Harder
In response to this outpouring of resistance, the U.K. government’s response has been to wave its hands and deny reality. In a response letter to the House of Lords seen by EFF, the U.K.’s Minister for Culture, Media and Sport simply re-hashes an imaginary world in which messages can be scanned while user privacy is maintained. “We have seen companies develop such solutions for platforms with end-to-end encryption before,” the letter states, a reference to client-side scanning. “Ofcom should be able to require” the use of such technologies, and where “off-the-shelf solutions” are not available, “it is right that the Government has led the way in exploring these technologies.”
The letter refers to the Safety Tech Challenge Fund, a program in which the U.K. gave small grants to companies to develop software that would allegedly protect user privacy while scanning files. But of course, they couldn’t square the circle. The grant winners’ descriptions of their own prototypes clearly describe different forms of client-side scanning, in which user files are scoped out with AI before they’re allowed to be sent in an encrypted channel.
The Minister completes his response on encryption by writing:
We expect the industry to use its extensive expertise and resources to innovate and build robust solutions for individual platforms/services that ensure both privacy and child safety by preventing child abuse content from being freely shared on public and private channels.
This is just repeating a fallacy that we’ve heard for years: that if tech companies can’t create a backdoor that magically defends users, they must simply “nerd harder.”
British Lawmakers Still Can And Should Protect Our Privacy
U.K. lawmakers still have a chance to stop their nation from taking this shameful leap forward towards mass surveillance. End-to-end encryption was not fully considered and voted on during either committee or report stage in the House of Lords. The Lords can still add a simple amendment that would protect private messaging, and specify that end-to-end encryption won’t be weakened or removed.
Earlier this month, EFF joined U.K. civil society groups and sent a briefing explaining our position to the House of Lords. The briefing explains the encryption-related problems with the current bill, and proposes the adoption of an amendment that will protect end-to-end encryption. If such an amendment is not adopted, those who pay the price will be “human rights defenders and journalists who rely on private messaging to do their jobs in hostile environments; and … those who depend on privacy to be able to express themselves freely, like LGBTQ+ people.”
It’s a remarkable failure that the House of Lords has not even taken up a serious debate over protecting encryption and privacy, despite ample time to review every every section of the bill.
Finally, Parliament should reject this bill because universal scanning and surveillance is abhorrent to their own constituents. It is not what the British people want. A recent survey of U.K. citizens showed that 83% wanted the highest level of security and privacy available on messaging apps like Signal, WhatsApp, and Element.
Documents related to the U.K. Online Safety Bill:
- EFF info page on the U.K. Online Safety Bill
- EFF Deeplinks Blog: How the OSB attacks Free Speech and Encryption (August 2022)
- EFF Deeplinks Blog: UK’s Draft Online Safety Bill Raises Serious Concerns Around Freedom of Expression (July 2021)
- Civil society open letter on Online Safety Bill (November 2022)
- Open Letter from encrypted messaging providers about Online Safety Bill (April 2023)
- EFF and Allied NGOs Briefing to House of Lords (July 2023)
Joe Mullin is a policy analyst at EFF, where he works on patents, encryption, platform liability, and free expression online. Before joining EFF, Joe worked as a reporter covering legal affairs for the technology website Ars Technica, and American Lawyer’s magazine group. Earlier in his journalism career, Joe wrote for The Associated Press and The Seattle Times. He has a bachelors degree in history and a masters in journalism, both from the University of California at Berkeley. Outside of his work at EFF, Joe enjoys trail running and cycling.