UK Government Apparently Hoping It Can Regulate End-To-End Encryption Out Of Existence
from the sure-hope-'the-children'-are-grateful-for-the-shitty-future-being-handed dept
Politicians — those motivated by the notion of “doing something” — want to end encryption. They don’t want this to affect their communications and data security. But they don’t see the harm in stripping these protections from the general public. Often, the argument is nothing better than “only criminals want end-to-end encryption,” something they trot out as a truism despite plenty of evidence to the contrary.
But these politicians (and government officials) are cowards. They refuse to call a backdoor a backdoor. They come up with all sorts of euphemisms while pretending compliance with proposed laws won’t result in the creation of backdoors that can be exploited by everyone, not just the “good guys.” They also deploy other euphemisms to attack encryption that protects millions of members of the public, referring to good encryption as “warrant-proof” or “military-grade.” Those terms never survive examination, but the narrative persists because most members of the public have no interest in closely examining falsehoods uttered by governments.
The UK government has expressed an unhealthy determination to undermine encryption for years now. It has the fanciest of plans to undo protections enjoyed by UK residents for reasons ranging from “the children” to “the terrorists.” The underlying intent never changes even if the names on the office doors do. Regulators come and go but the desire remains. Even the bills get renamed, as though a different shade of lipstick would make the UK’s anti-encryption pig any more desirable.
Rebranding from “Online Harms” to “Online Safety” only changed the tablecloths in the Titanic’s dining room. The UK government wants encryption dead. But presumably “safety” sounds better than “harms,” especially when the government affirmatively wants to harm the safety of millions of UK residents.
The Internet Society has taken a look at the revamped and rebranded bill and has delivered a report [PDF] that explains exactly where on the Internet doll the UK government plans to engage in inappropriate touching. There’s no mention of backdoors or broken encryption, but complying with the law means possibly doing both.
The draft Online Safety Bill places a duty of care on service providers within the scope of the draft bill to moderate illegal and harmful content on their platforms, with fines and penalties for those that fail to uphold this duty. The only way for service providers that offer end-to-end encryption to comply with this duty of care would be to remove or weaken the encryption that they offer.
That’s the end result of these demands. But the politicians and regulators pushing this are unwilling to directly refer to the harms the bill will cause. There’s no ban on end-to-end encryption. There’s no mandate for backdoors. Instead, the bill hopes to achieve these ends by applying regulatory pressure that makes both of these outcomes unavoidable.
Service providers deploying end-to-end encryption obviously cannot see the content of communications between users. The UK government says that’s no longer acceptable. Providers need to be proactive in preventing the spread of certain content. That leaves them with only one option.
Ofcom can require that service providers use “accredited technology” to identify harmful content and “swiftly take down that content”. To comply with this requirement and fulfil their “duty of care”, service providers will likely need to resort to upload filters and other mechanisms that may interfere with the use of end-to-end encryption.
Basically, the same thing that saw Apple catch a considerable amount of heat will be expected to be standard operating procedure for any tech company doing business in the UK. Client-side filtering is the most efficient way to prevent the uploading and sharing of “harmful content.” Shutting it off at the source means either invading devices or removing at least one end of the end-to-end encryption. And once those options are available, it will only be a matter of time before the UK government starts demanding access to unencrypted devices and/or messages.
And the UK government has specifically cited Apple’s now-defunct plans to strip protections it previously extended to users and device owners as evidence the proposed law is a net gain for society.
[I]n the Daily Telegraph article announcing the Safety Challenge Fund, Home Secretary Priti Patel points to Apple’s client-side scanning proposal as a positive example, raising concerns about the criteria for evaluating Challenge Fund proposals.
In its quest for easy wins, the UK government is ignoring the long-term fallout of these demands. While it may have no problem stripping UK residents of strong data and communication protections, it may find it more difficult to talk powerful businesses into accepting less-than-solid protections for their financial interactions and transmission of sensitive proprietary info. And government employees still rely heavily on third-party contractors for communication services and data transmission/storage. These same employees also rely on devices and cell phones manufactured by companies that will now be forced to make their products less secure for everyone who uses them.
Everyone loses. But the people who will lose more and lose it faster simply don’t matter. Before the cold reality of broken encryption hits home for politicians, they’ll have already collected the PR wins needed to secure more terms in office. And with more time comes more power. Eventually, the UK government may find a way to exempt itself from the impositions placed on the private sector, elevating itself above the people it serves. In the end, very little will have actually been done to address the problems (child exploitation, terrorism) cited to justify these impositions. The only guarantee is that devices, communication services, and the internet at large will be expected to make huge sacrifices in service to the UK government’s talking points.