UK Government ‘Concession’ On Breaking End-to-End Encryption In The Online Safety Act (Just Passed) Turns Out Not To Be One
from the Schrödinger's-encryption-backdoor dept
Last week Techdirt wrote about an important development in the long-running saga of the UK’s Online Safety Act, which has just become law. The UK government said at that time it would not use controversial powers in the new law to break end-to-end encryption until it was “technically feasible” to do so while preserving users’ privacy. That seemed to be a recognition that it was impossible to carry out scanning that safeguarded privacy with any existing technology, despite previous claims to the contrary. Since it is extremely unlikely such technology will ever exist, the hope was that the UK government was effectively dropping the idea with this concession. But in the days that followed, this optimistic interpretation has seemed less certain. When the “technically feasible” caveat was first mentioned, the Guardian pointed out:
the government has not changed the wording of the bill, which still gives [the UK regulatory body] Ofcom the power to issue an accredited technology notice. A government spokesperson said: “Our position on this matter has not changed”.
Further evidence that the underlying intent hasn’t changed is found in an article in the Independent:
[UK] Technology Secretary Michelle Donelan insisted that nothing had changed in the long-awaited legislation, after privacy campaigners earlier this month claimed a victory following widespread reports of a shift in the Government stance on encryption.
Donelan gave more details of how the new Online Safety Act would work in practice:
In terms of end-to-end encryption, when a platform is about to encrypt or already has encrypted – if there were concerns then raised with the regulator that there was paedophilia or child abuse on there, then the regulator would have a conversation with that platform, see what mitigations they could put in place to adhere to the legislation.
If none of that worked, we need a safety net built into this piece of legislation – and the safety net works by the regulator saying you now need to invest in technology that will allow you to maintain the privacy element of encryption, protect encryption, but also enable us to have access and find these criminals, these heinous individuals, these paedophiles, these stains on society.
It may never have to be used. But we think it is important that we put that safety net in legislation.
So it seems the UK government’s idea is that Internet companies will be ordered to come up with ways to break end-to-end encryption while maintaining privacy. But don’t worry, because that magic encryption backdoor will only be there as a “safety net”, not as something that will ever be used routinely. Of course.
Once again, the UK government is attempting an impossible balancing act. On the one hand, it needs to keep the extreme wing of its party happy by bringing in surveillance of encrypted communications. On the other, it doesn’t want the UK to lose key messaging services like Signal, WhatsApp and iMessage, which have all said they won’t implement back doors. Its solution seems to be the usual demand that tech companies “nerd harder”, plus a promise that the new surveillance powers would only be used if the “mitigations” don’t work.
The hardliners who don’t understand the technology might be happy with that approach, but the tech companies won’t be. As soon as the latter are ordered to begin that harder nerding, they will probably pull out of the UK. In other words, despite the “technically feasible” fig leaf, nothing has changed. The UK government’s desperate attempt to come up with Schrödinger’s encryption backdoor – there for the police, but not there for the tech companies – has failed. It had to choose between mass surveillance and messaging services; by passing the Online Safety Act with the text unchanged, it seems to have chosen surveillance.
Follow me @glynmoody on Mastodon.


Comments on “UK Government ‘Concession’ On Breaking End-to-End Encryption In The Online Safety Act (Just Passed) Turns Out Not To Be One”
That statement is a contradiction in itself, as privacy means others excluded, and letting the government have access means others included. How can privacy be preserved if strangers, which include government agents, are granted access to contents of messages and images etc.
Re:
Wait, wait, wait. You think privacy should also apply to government intrusion? What kind of loony-tunes are you?
/s (Just in case that wasn’t obvious.)
Re:
🤷
Re:
A lot of their current thinking was that they could build content scanners on the user's device, which would only phone home if something bad is detected.
Re: Re:
Do you think that would be limited to your communications, or would the pressure then become to monitor what is being filmed to detect the creation of CSAM? This is no more than a government excuse to establish continuous spying on everybody by gradual expansion of what it is ‘reasonable’ to scan for.
So, hopefully Ofcom will be hesitant to use the safety net for fear of having big tech leave their market. And the rest of us wait with bated breath for the inevitable day when they will.
Popcorn anybody?
Re:
Ofcom won’t be hesitant, I predict.
Re: Re:
Ofcom will likely hesitate a lot. There's also the fact that Ofcom is likely to be super underfunded and unable to enforce 90% of the bill, so it's likely the rules will not be effective.
Re: Re: Re:
True.
Unless the gov increases funds to them, which is unlikely.
Re:
Ofcom: “Welp, fuck, I don’t think even WE can try to maintain that facade”
Unless the UK Government increases funding to Ofcom, the whole thing’s gonna collapse in a few months.
Re: Re:
Sad, but true thing right here.
Re: Re:
Well, Ofcom is asking for an extra £66 million in funding to tide it through 2024-25 during a possible recession and an election that could lead to a change in government…
But they are still likely to be super underfunded and unable to enforce 90% of the bill.
Re: Re: Re:
Let’s hope it does collapse.
Note:
“Perhaps the biggest failing has been the lack of detail in how these extraordinary powers will be implemented. It’s down to Ofcom to sort this mess and we call on them to work with cyber experts, tech companies and civil society to minimise the harms to our fundamental rights.”
Figured I'd put this here.
Re:
Except… the legislation essentially says Ofcom can say “make it so” and it’s up to the “cyber experts, tech companies and civil society” to figure out how to implement it, with Severe Penalties should they fail to do so.
Paedophiles
Wow, those paedophiles are sneaky SOBs.
They are the only ones in the world that need their messages encrypted I guess.
Well, now be aware that the UK recognizes that all encrypted messages are from/to paedophiles, and those creeps will now be going to jail.
Re:
Amazing how many banks exclusively hire paedophiles, isn’t it?
Oh, wait… you say police communication is encrypted too?
Re: Re:
Not to mention all the politicians who use encrypted messaging apps and services…
Re:
Are you stupid? 'Cause anyone that wants encryption is not a pedo loser right-wing[er].
Re:
Encryption is also used for online shopping, banking, and law firms, to name a few.
Re: Re:
Except for maybe law firms, that encryption does not concern the government because the companies will deliver the decrypted content when served with a warrant. It is the person to person messaging that the government wants to be able to spy on.
Re: Re: Re:
…and how do you determine that the communication is person to person and not corporate? You can’t spy on one without spying on the other.
Re: Re: Re:2
Which intermediary can they ask to decrypt the messages between you and the corporations with which you do business? Ditto corporate run VPNs?
This legislation is aimed at Apple, Telegram and other systems where the owners of the servers cannot deliver up the plain text. It is not aimed at SSL, and would be very problematic if it was, as who would they demand the plain text from?
Wellyesbutactuallyno
Tech experts: “So is the Spy Clause dead?”
The UK Parliament: “2+2=5.”
Tech experts: “…”
Tech Experts: “…That’s not an answer.”
The UK Parliament: “It is now.”
Re:
Ofcom: Well, fuck me, what the fuck am I supposed to do again WITH SOME DUCT TAPE AND A CAT5 CABLE?
“Preserve the privacy and protection of encryption, except don’t.”
How is anyone aware of a problem with encrypted material such that they can report it in the first place? It stands to reason that these concerns are raised due to observations outside the encrypted environment, where, oddly enough, law enforcement investigations have always had the ability to operate.
It’s all a giant hoax.
If they only mathed harder, they could make 2+2 equal 5.
They were never going to drop their anti-encryption stance, since doing so would require them to admit that they’re trying to put everyone in danger, including kids. So they just foisted all the blame on the tech companies again and made it so that if only companies would Nerd Harder, they’d be able to come up with encryption that is safe and secure and can be broken on demand.
Re:
Encryption doesn’t work like that.
Re: Re: 'Make a totally secure door. Now add a lock and give me a copy of the key.'
I know that, and you know that, but the people pushing and passing laws like this refuse to admit that since it would gut their entire argument if they had to admit that ‘encryption that is both secure and can be cracked on demand’ isn’t possible.
Re: Re:
No, it works like this: https://xkcd.com/538/
Only instead of the wrench, they’d use the easily accessible backdoor that everyone knows about once it’s been inevitably compromised.
The Online Safety Act, aka the Make Government Officials Safe from… from… er, whatever we don’t like act, yeah, that’s the ticket.
If I could point something out
Michelle Donelan did say that ministers never made any concessions on end-to-end encryption.
She said that nothing had changed in the Bill and that ministers were not watering down plans, with the Online Safety Bill containing a “safety net” that “may never have to be used”.
This is kinda old news to me.
Re:
And the article mentions that.
“But we really want it to be so”
This approach to law making reminds me of the Indiana Pi Law – https://en.wikipedia.org/wiki/Indiana_Pi_Bill
Re:
Perfect sense to people who don’t understand the concept, but such brain-melting nonsense to people who do that they don’t even know where to start saying what’s wrong with it? Pretty much.