After Passing Online Safety Bill, UK Government Gets Back To Harassing Meta About Its End-To-End Encryption

from the yeah-well-we-still-want-the-thing-we-always-wanted dept

Last week, it appeared, ever so briefly, that the UK government might finally be giving up on its desire to legislate at least one end of messaging services’ end-to-end encryption. Having faced resistance from nearly every encrypted service (all of which threatened to exit the UK if anti-encryption mandates were put in place) as well as internal reports strongly suggesting undermining encryption would be a truly terrible idea, it seemed those pushing the Online Safety Bill were finally willing to accept the uncomfortable fact that breaking encryption only results in broken encryption. What it doesn’t do is end the online harms the UK government felt this bill addressed.

But the concession wasn’t much of a concession. Nothing changed in the wording of the bill. All that really happened is a couple of proponents suggested the UK government wouldn’t pull the trigger on encryption-breaking demands immediately. This concession was surrounded by statements suggesting government officials truly thought the only thing standing between them and “safely” broken encryption was recalcitrant techies working for services like WhatsApp and Signal.

Parkinson said that Ofcom, the tech regulator, would only require companies to scan their networks when a technology was developed that was capable of doing so.

[…]

“As has always been the case, as a last resort, on a case-by-case basis and only when stringent privacy safeguards have been met, [the legislation] will enable Ofcom to direct companies to either use, or make best efforts to develop or source, technology to identify and remove illegal child sexual abuse content — which we know can be developed,” the government said.

The Online Safety Bill has now been passed by the UK Parliament. And, as Glyn Moody recently pointed out, all the anti-encryption language remains intact.

[UK] Technology Secretary Michelle Donelan insisted that nothing had changed in the long-awaited legislation, after privacy campaigners earlier this month claimed a victory following widespread reports of a shift in the Government stance on encryption.

Now that the bill has passed with the anti-encryption mandates still intact, it looks like the UK government is going back to leaning hard on uncooperative tech companies in hopes of pressuring them into abandoning encryption plans prior to the implementation of the new law. Facebook has long been the target of criticism from governments around the world that seem to feel they’re entitled to demand Meta not protect its Facebook Messenger service with end-to-end encryption.

Years of ignored requests are culminating in a last-minute push by UK legislators, as Natasha Lomas reports for TechCrunch:

In an interview on BBC Radio 4’s Today Program this morning, [Home Secretary] Suella Braverman claimed the vast majority of online child sexual abuse activity that U.K. law enforcement is currently able to detect is taking place on Facebook Messenger and Instagram. She then hit out at Meta’s proposal to expand its use of E2EE “without safety measures” to the two services — arguing the move would “disable and prohibit law enforcement agencies from accessing this criminal activity [i.e. CSAM]”.

Saying that one of the most popular messaging services is responsible for the most CSAM reports doesn’t really say anything more than the service has a lot of users. It doesn’t mean Meta somehow cares less about limiting the sharing of CSAM than other, less popular services. And I have no idea what “safety measures” Braverman thinks can be attached to E2EE services without, you know, removing at least an E or two.

Braverman doesn’t know or doesn’t care. Or both. Her further comments indicate she’d prefer Meta just maintained its less-than-secure status quo, sacrificing users’ privacy and security in favor of government gains.

First, there’s the stick:

Asked by the BBC what the government would do if Meta goes ahead with its E2EE rollout without the additional measures she wants, Braverman confirmed Ofcom has powers to fine Meta up to 10% of its global annual turnover if it fails to comply with the Online Safety Bill.

Then there’s the carrot — Braverman says she wants to “work constructively” with Meta to create some sort of magical form of encryption Meta can break at will without compromising user security.

Then there’s the insanity:

“My job is fundamentally to protect children not paedophiles, and I want to work with Meta so that they roll out the technology that enables that objective to be realised. That protects children but also protects their commercial interests,” she said. “We know that technology exists…” 

Really? Where is it? Can you point to any examples of this encryption that remains secure despite deliberately introduced flaws? Have you tried it out? Have you performed a security audit on it? SHOW ME ON THE PUBLICLY RELEASED GOVERNMENT REPORT WHERE THIS TECHNOLOGY ALREADY EXISTS.

While it’s true tech exists to detect hashes that match known CSAM, no tech exists to perform hash-matching on E2EE communication services. The only way to do this is to perform scanning on one side of the communication. And to do that, you have to remove the encryption from one end. Some have suggested this is a solution to the problem. But the only tech company that considered moving forward with voluntary client-side scanning abandoned that plan shortly after hearing from everyone (anti-encryption legislators excepted, of course) what a bad idea that would be.

So, in a sense, the tech does exist. But it’s not something anyone truly concerned about safety, security, or privacy would consider to be a real solution to the CSAM problem. But that’s what the UK government wants: insecure services that allow it to take a look at anyone’s communications. And that should never be considered an acceptable outcome.

Companies: facebook, meta


Comments on “After Passing Online Safety Bill, UK Government Gets Back To Harassing Meta About Its End-To-End Encryption”

21 Comments
Anonymous Coward says:

To Braverman

My job is fundamentally to protect children not paedophiles, and I want to work with Meta so that they roll out the technology that enables that objective to be realised. That protects children but also protects their commercial interests,” she said.

And what about the interests of the people you are meant to represent, are they not allowed to have any privacy? Also note that if encryption is broken at a central server, it is part of a system to tap into user devices; one breach of that server’s security will ensure that private conversations through that server become public knowledge.

Also, if encryption is broken as you wish to attack the problem of CSAM, how long before that capability is used to attack terrorism, major crime, minor crime and political opposition?

Anonymous Coward says:

She reminds me very much of the last couple of FBI directors we had. They also thought (and presumably still do) that secure communications is only for them, and not for the rest of the peasantry.

Unfortunately (for them), that cat is pretty much out of the bag. And they will keep whining about it, endlessly. If only somebody – like Texas, maybe – would pass a law eviscerating the first amendment. Oh, wait….

That One Guy (profile) says:

If you don't like being a punching-bag stop passively taking the hits

That protects children but also protects their commercial interests,” she said. “We know that technology exists…”

This is what tech companies get for tiptoeing around the feelings of those looking to gut encryption and continuing to pretend that they are arguing in good faith.

If those same companies had from the start adopted a ‘Put up or shut up’ stance and publicly demanded that anyone claiming that encryption can be both secure and able to be broken on demand provide an example of what they are claiming rather than assert that it can be done I imagine that argument would have been dropped long ago as it would just lead to a public humiliation of the one making it.

Reasonable Coward says:

This article could stand doing a better job of drawing the distinction between implementing a secure backdoor in end-to-end encryption, versus doing pre-encryption client-side scanning (CSS). Both would eventually end up being disastrous. But the former has been properly judged to be technically impossible, while the latter is eminently do-able.

With CSS you still have practically unbreakable, secure end-to-end encryption, assuming that both ends refer to “over the network” and not “within the device.” To say that CSS breaks encryption is a bit disingenuous. My Signal app alerts me when I make a typo, and I bet it’s running my unencrypted text through a spell-checker, so it’s already running a form of CSS. It’s just that I trust that Signal won’t notify the feds when I make a spelling error, and that the spell-checker isn’t a slippery slope to egregious privacy violations.

So there are terrific arguments against CSS, but it’s important not to conflate CSS with what some tech-illiterate politicians want, which is for the nerds to geek really hard, hacking mathematics, to safely permit only good government actors to decrypt a data stream at will.

Reasonable Coward says:

Re: Re:

If both approaches are disastrous, does it really matter to detail the distinction?

I think so. Because one is impossible, and one is very do-able, and it’s confusing to read this when you’re co-mingling the two ideas.

The author uses phrases like “undermining encryption” and “breaking encryption” and “removing encryption” and also (in the case of Messenger, apparently), not using end-to-end encryption at all, and also a “magical form of encryption Meta can break at will without compromising user security.” I confess that I’m still not sure which idea he’s talking about in which paragraph, except toward the end.

He said that it requires the removal of encryption at one end, which is correct.

A misleading characterization. Encryption isn’t “removed” at one end in CSS, it’s still there, and nobody can spy on the encrypted stream. It’s just that something else is inserted prior to the encryption. It’s inserting a form of spyware. As distinct from, say, a benevolent spell-checker.

Strawb (profile) says:

Re: Re: Re:

I think so. Because one is impossible, and one is very do-able, and it’s confusing to read this when you’re co-mingling the two ideas.

The article was clear enough to me, and it isn’t about the differences between backdoors and CSS, so it makes sense to not spend additional time to spell it out.

A misleading characterization. Encryption isn’t “removed” at one end in CSS, it’s still there, and nobody can spy on the encrypted stream. It’s just that something else is inserted prior to the encryption. It’s inserting a form of spyware. As distinct from, say, a benevolent spell-checker.

It’s not really misleading. One of the links in the article about how bad of an idea CSS is, explains that for CSS to work, at least in Apple’s case, the data would have to be decrypted on the device to be scanned, and then re-encrypted before being sent. That’s a massive security problem, and while it’s technically correct that it’s doable, it’s just as bad of an idea as what one might call “traditional” encryption backdoors.

Reasonable Coward says:

Re: Re: Re:2

I guess we will just have to agree to disagree on both points, then.

On the first, all I can say is that I was confused, yet I’m very rarely confused by articles of this nature. I’m actually still unsure what the author means in several paragraphs.

On the second, I don’t think you disputed my claim that with CSS the data is still encrypted in transit between the two endpoints. You just reiterated that CSS is bad, which is something we both agree with.

Anonymous Coward says:

Re: Re: Re:3

Governments are not concerned with SSL encryption between you and a public post on X, or Facebook etc, as those companies can scan for CSAM, or anything else that governments can enact laws to force scanning. Similarly transactions with banks and online shops are not a target of this legislation. What they are targeting is end to end encryption between you and your friends, relations and associates, where the central server cannot scan the content, or hand it over when served with a warrant. That is they do not want individuals to be able to have private online conversations, and CSAM is the stalking horse to ensure your online conversation can be looked at by serving a warrant.

Anonymous Coward says:

I believe Apple still has the integrity (for now– once upon a time I would have said the same about Google, and we see how long that lasted) to stand up to bullshit like this, but if Meta has to choose between backdooring all E2EE encryption or losing the entire UK market/10% of revenue, they will absofuckinglutely cuck for the idiots in Parliament. Hopefully they will send an in app message to all UK users, or else temporarily shut the service down, encouraging their users to protest to their MP.

But I could just as easily see them realizing, “Signal and Telegram have 0 ability to fight this like we can. We can just sit on our hands and watch all other competitors die, cuck for the UK government, and rake in all the people who leave the other platforms for ourselves!”

This comment has been flagged by the community.

Anonymous Coward says:

Re:

Hear, hear!

Anyone claiming to be straight simply hasn’t made an honest effort to understand why another man might find sticking his penis into a vagina distasteful. On the other hand the fact that men were designed with prostrate glands proves that we were all ultimately designed, by nature, to assfuck each other. A heteronormative narrative has stolen from us millennia of true love that can only be expressed between males.

Drew Wilson (user link) says:

I remember a few years ago (2019?) when the US government was “grilling” Facebook for saying that it is moving towards end-to-end encryption. Generally, the 5 eyes spy agencies really hate encryption of any kind and have been quietly pushing to ban all effective encryption. It’s a repeat of trying to classify encryption as a munition that is tightly controlled by the government (since encryption has become a much more standard thing these days, you can already tell how well THAT debate went for the government).

I think that, for these organizations, it’s bad enough that things like VPNs and TOR exist, but if Facebook implements encryption, greatly increasing public use of it, it is an absolute nightmare scenario for them. There’s a reason governments take turns bashing Meta for implementing end-to-end encryption – they hate the idea that ordinary people can secure their information online and will do everything they can to demonize its use.

At the end of the day, though, whether it was the efforts in the 70s or efforts today to restrict or compromise encryption, it’s still an effort to basically ban math. In that perspective, I sarcastically say to the government, “good luck with that.”

Anonymous Coward says:

the UK govt is nothing but a bunch of lying assholes, like all govts. this bill isn’t, never was and never will be about protecting children on line or anywhere else! it’s about snooping on everyone, everywhere, over anything and i’ll bet that within 6 months everyone will see the plain truth of things! yet again, the USA is to blame because of what it has done and still tries to do and the encouragement it gives to other countries, such as the UK, to follow its instructions! every govt everywhere wants to know what everyone is doing as long as no one knows what these cheating, lying fuckers in govt, wherever they are, are doing. the planet is changing into countries led by tyrants, dictators who don’t give a shit about anything, about anyone except amassing greater fortunes and more control of us mere mortals! what a prospect for the next decades, if we haven’t blown the place up or desecrated it so much it blows us up!!

Anonymous Coward says:

That protects children but also protects their commercial interests

Well that’s just the hugest strawman. Should set it up at a festival.

Protects children – how? We still don’t even know this. Demanding takedowns of stuff but hardly ever prosecuting the producers of CSAM hasn’t worked so far.

but also protects their commercial interests

That’s… now what E2EE is about. It might protect someone’s commercial interests. Or bank accounts. Or lives. Or, you know, those children.
