UK Government Pauses Demands For Broken Encryption In Its Online Safety Bill
from the citizens-briefly-allowed-continued-access-to-widely-used-services dept
The UK government is still pushing a bill that would give it more direct control of the internet, but it has, at least for the time being, decided against mandating broken encryption.
For months now, supporters of the Online Safety Bill have insisted the only way to stop the spread of child sexual abuse material (CSAM) is to engage in always-on scanning of user content. Services that utilized end-to-end encryption (like Signal, WhatsApp, and Apple’s iMessage) would be forced to break encryption to scan content.
That mandate has provoked an intense amount of backlash from the affected service providers. The three listed above have all informed the UK government that they would pull their services from the UK, rather than comply with this mandate.
As these entities pointed out (on multiple occasions), introducing deliberate security flaws makes everyone less secure, not just those engaged in criminal activity. The government’s own Information Commissioner arrived at the same conclusion: that breaking end-to-end encryption would actually make children less safe and more likely to be targeted/located by sexual abusers.
The good news is that, for the moment, the UK government has decided to drop this mandate, as 9to5Mac reports, quoting from a (paywalled) Financial Times article.
The Financial Times reports that the government has now agreed to drop from the Online Safety Bill the requirement to scan messaging apps for illegal content.
The UK government will concede it will not use controversial powers in the online safety bill to scan messaging apps for harmful content until it is “technically feasible” to do so, postponing measures that critics say threaten users’ privacy.
A planned statement to the House of Lords on Wednesday afternoon will mark an eleventh-hour bid by ministers to end a stand-off with tech companies, including WhatsApp, that have threatened to pull their services from the UK over what they claimed was an intolerable threat to millions of users’ security.
It’s a win, especially for UK citizens, who were facing loss of access to some of the most popular communication services on the planet. But it’s not a complete victory for anyone. Minister Lord Stephen Parkinson still seems to believe it’s possible to compromise encryption without, you know, compromising it. The big nerds at Big Tech just need to work harder at ushering this magical form of technology into existence.
Parkinson said that Ofcom, the tech regulator, would only require companies to scan their networks when a technology was developed that was capable of doing so.
[…]
“As has always been the case, as a last resort, on a case-by-case basis and only when stringent privacy safeguards have been met, [the legislation] will enable Ofcom to direct companies to either use, or make best efforts to develop or source, technology to identify and remove illegal child sexual abuse content — which we know can be developed,” the government said.
Pressing pause on the mandate, but still living in denial. There’s no such thing as securely compromised encryption. Either it’s secure or it isn’t. Just because the security flaws have been introduced by a government mandate doesn’t make these flaws any less exploitable by more malicious entities. And it doesn’t make it any less likely governments with histories of human rights abuses will leverage these mandates and the resulting broken encryption to engage in even more human rights abuses.
It either works or it’s broken. The UK government needs to fully accept this fact if it’s ever going to move on towards actually doing something useful to protect children from sexual abusers. As long as it continues to pretend the impossible is constantly just over the tech horizon, it will only reduce its citizens’ communication options and put every user of these services — no matter where they’re located — at risk.


Comments on “UK Government Pauses Demands For Broken Encryption In Its Online Safety Bill”
How would a law that said “We can designate someone to read all your mail, and monitor all your phone calls and tell us if they see something that might indicate illegal activity, without a specific warrant”, fly? Why do governments think they can do the same because communications are on the Internet?
Promising not to enforce a provision in a law they plan on passing regardless is only barely a win, and only for so long as it takes the government to turn around and say, “pray I don’t change the deal any further”.
Re:
This part of the law is being removed, as described in the article you didn’t read.
Re: Re:
Our government hasn’t actually dropped it – a junior minister told the House of Lords they won’t use that provision at the moment but they haven’t removed it from the actual bill.
Also the FT article this story is based on is a week old and the UK Government has already denied they agreed to remove or not enforce this:
https://www.independent.co.uk/business/ministers-deny-concessions-as-online-safety-bill-returns-to-commons-b2410089.html
Re: Re: Re:
It seems like the UK Gov is leaving the door open to go back on their “word” at a future date while also setting Ofcom up as a scapegoat.
The whole bill is an unworkable mess that is likely to collapse under its own weight, and Ofcom is going to struggle with implementation and enforcement and will make choices that please no one.
'Nerd Harder', take... I lost count
It’s a nice continuation of the usual shifting of the blame on the subject, claiming that they’ll only force companies to scan everything when there is tech in place to do it ‘securely’ while in the very next breath claiming that said tech is entirely possible to create if only those self-centered tech companies cared enough about the problem to create it.
Maybe not as paused as you think
I’ll let the folks at Matrix explain:
https://youtu.be/M0oc7sVksm0?t=1930
This should start around 32 minutes in.
As noted, various governments have been whining about wanting a super-sekrit backdoor that everyone knows will be cracked five minutes after introduction.
What I always wonder about this is how they account for financial transactions. Today’s world economy is built on secure financial communication. It would fall apart without it. Does this bill even address that?
Re:
‘That wouldn’t have happened if the companies had just Nerded Harder, all the blame is on them for making a flimsy door not us for demanding it be added’ would be the government’s response I imagine.