Online Safety Bill Is Official. Now We See What Enforcement Looks Like

Policy

from the uk-censorship-bill-activated dept

After being discussed for years and years, the Online Safety Act in the UK is now law, after receiving “royal assent” last week. Hilariously, the UK’s announcement declared that children and adults will now be safer online, as if that’s absolutely true. It’s not, though. The law includes many provisions that will make both children and adults less safe, including age verification (a privacy nightmare), potential limits on encryption, and tools that can lead to the suppression of important speech. What the law actually does is let the political class claim they made the internet safer, without actually doing so.

The Office of Communications (Ofcom), the agency in charge of enforcement (which is a very different role than it has had historically, where it has generally been roughly equivalent to our FCC), has announced that it is moving to implement the law. Over the last few years, I know that Ofcom has staffed up quite a lot in preparation for this, but it’s still not clear how it will actually work.

Throughout the process, every time people pointed out the many, many, many problems with how the law was written, people would say that Ofcom was a more “friendly” regulator, and one that would take a more collaborative approach to enforcing the Online Safety Act, rather than the aggressive crackdown that some feared.

Of course, even if true, that also leaves Ofcom with a tremendous amount of discretion, which itself can be abused. And frankly, even with the various changes, the final version of the bill remains a complete mess.

It’s so stupid that to get the bill over the finish line, the government basically had to say that it wouldn’t even enforce the part of the law that effectively would outlaw encryption, even though that section of the law remains in place. In other words, it’s all about discretion, and that will depend heavily on who is running Ofcom.

But the encryption stuff is hardly the only problematic aspect of the Online Safety Act. There are still issues regarding age verification, duties of care, transparency mandates, and more — each of which has a tremendous amount of nuance, and where the details of the implementation matter quite a bit.

While the EU is still starting to figure out how the DSA will work in practice, now the UK will have to figure out how the Online Safety Act will work, and so there are now two different, equally confusing and questionable approaches on that side of the Atlantic, both of which are likely to lead to the suppression of protected speech if only due to the chilling effects of the way these laws have been written.

For what it’s worth, I don’t doubt that those running Ofcom now honestly do believe that they will be the more “friendly” regulator on these issues. I just don’t think it’s likely to remain that way over the long haul. And I can’t see how this will do anything good for the internet startup scene that had been growing up in and around London, which will now face a potentially catastrophic compliance regime to deal with.

Filed Under: age verification, duty of care, encryption, ofcom, online safety act, online safety bill, privacy

After Passing Online Safety Bill, UK Government Gets Back To Harassing Meta About Its End-To-End Encryption

Overhype

from the yeah-well-we-still-want-the-thing-we-always-wanted dept

Last week, it appeared ever so briefly, the UK government might be finally giving up on its desires to legislate at least one end of messaging services’ end-to-end encryption. Having faced resistance from nearly every encrypted service (all of which threatened to exit the UK if anti-encryption mandates were put in place) as well as internal reports strongly suggesting undermining encryption would be a truly terrible idea, it seemed those pushing the Online Safety Bill were finally willing to accept the uncomfortable fact that breaking encryption only results in broken encryption. What it doesn’t do is end the online harms the UK government felt this bill addressed.

But the concession wasn’t much of a concession. Nothing changed in the wording of the bill. All that really happened is a couple of proponents suggested the UK government wouldn’t pull the trigger on encryption-breaking demands immediately. This concession was surrounded by statements suggesting government officials truly thought the only thing standing between it and “safely” broken encryption was recalcitrant techies working for services like WhatsApp and Signal.

Parkinson said that Ofcom, the tech regulator, would only require companies to scan their networks when a technology was developed that was capable of doing so.

[…]

“As has always been the case, as a last resort, on a case-by-case basis and only when stringent privacy safeguards have been met, [the legislation] will enable Ofcom to direct companies to either use, or make best efforts to develop or source, technology to identify and remove illegal child sexual abuse content — which we know can be developed,” the government said.

The Online Safety Bill has now been passed by the UK Parliament. And, as Glyn Moody recently pointed out, all the anti-encryption language remains intact.

[UK] Technology Secretary Michelle Donelan insisted that nothing had changed in the long-awaited legislation, after privacy campaigners earlier this month claimed a victory following widespread reports of a shift in the Government stance on encryption.

Now that the bill has passed with the anti-encryption mandates still intact, it looks like the UK government is going back to leaning hard on uncooperative tech companies in hopes of pressuring them into abandoning encryption plans prior to the implementation of the new law. Facebook has long been the target of criticism from governments around the world that seem to feel they’re entitled to demand Meta not protect its Facebook Messenger service with end-to-end encryption.

Years of ignored requests are culminating in a last-minute push by UK legislators, as Natasha Lomas reports for TechCrunch:

In an interview on BBC Radio 4’s Today Program this morning, [Home Secretary] Suella Braverman claimed the vast majority of online child sexual abuse activity that U.K. law enforcement is currently able to detect is taking place on Facebook Messenger and Instagram. She then hit out at Meta’s proposal to expand its use of E2EE “without safety measures” to the two services — arguing the move would “disable and prohibit law enforcement agencies from accessing this criminal activity [i.e. CSAM]”.

Saying that one of the most popular messaging services is responsible for the most CSAM reports doesn’t really say anything more than the service has a lot of users. It doesn’t mean Meta somehow cares less about limiting the sharing of CSAM than other, less popular services. And I have no idea what “safety measures” Braverman thinks can be attached to E2EE services without, you know, removing at least an E or two.

Braverman doesn’t know or doesn’t care. Or both. Her further comments indicate she’d prefer Meta just maintained its less-than-secure status quo, sacrificing users’ privacy and security in favor of government gains.

First, there’s the stick:

Asked by the BBC what the government would do if Meta goes ahead with its E2EE rollout without the additional measures she wants, Braverman confirmed Ofcom has powers to fine Meta up to 10% of its global annual turnover if it fails to comply with the Online Safety Bill.

Then there’s the carrot — Bravermen says she wants to “work constructively” with Meta to create some sort of magical form of encryption Meta can break at will without compromising user security.

Then there’s the insanity:

“My job is fundamentally to protect children not paedophiles, and I want to work with Meta so that they roll out the technology that enables that objective to be realised. That protects children but also protects their commercial interests,” she said. “We know that technology exists…” 

Really? Where is it? Can you point to any examples of this encryption that remains secure despite deliberately introduced flaws? Have you tried it out? Have you performed a security audit on it? SHOW ME ON THE PUBLICLY RELEASED GOVERNMENT REPORT WHERE THIS TECHNOLOGY ALREADY EXISTS.

While it’s true tech exists to detect hashes that match known CSAM, no tech exists to perform hash-matching on E2EE communication services. The only way to do this is to perform scanning on one side of the communication. And to do that, you have to remove the encryption from one end. Some have suggested this is a solution to the problem. But the only tech company that considered moving forward with voluntary client-side scanning abandoned that plan shortly after hearing from everyone (anti-encryption legislators excepted, of course) what a bad idea that would be.

So, in a sense, the tech does exist. But it’s not something anyone truly concerned about safety, security, or privacy would consider to be a real solution to the CSAM problem. But that’s what the UK government wants: insecure services that allow it to take a look at anyone’s communications. And that should never be considered an acceptable outcome.

Filed Under: encryption, end to end encryption, ofcom, online safety bill, suella braverman, uk
Companies: facebook, meta

UK Government ‘Concession’ On Breaking End-to-End Encryption In The Online Safety Act (Just Passed) Turns Out Not To Be One

Privacy

from the Schrödinger's-encryption-backdoor dept

Last week Techdirt wrote about an important development in the long-running saga of the UK’s Online Safety Act, which has just become law. The UK government said at that time it would not use controversial powers in the new law to break end-to-end encryption until it was “technically feasible” to do so while preserving users’ privacy. That seemed to be a recognition that it was impossible to carry out scanning that safeguarded privacy with any existing technology, despite previous claims to the contrary. Since it is extremely unlikely such technology will ever exist, the hope was that the UK government was effectively dropping the idea with this concession. But in the days that followed, this optimistic interpretation has seemed less certain. When the “technically feasible” caveat was first mentioned, the Guardian pointed out:

the government has not changed the wording of the bill, which still gives [the UK regulatory body] Ofcom the power to issue an accredited technology notice. A government spokesperson said: “Our position on this matter has not changed”.

Further evidence that the underlying intent hasn’t changed is found in an article in the Independent:

[UK] Technology Secretary Michelle Donelan insisted that nothing had changed in the long-awaited legislation, after privacy campaigners earlier this month claimed a victory following widespread reports of a shift in the Government stance on encryption.

Donelan gave more details of how the new Online Safety Act would work in practice:

In terms of end-to-end encryption, when a platform about to encrypt or already has encrypted – if there were concerns then raised with the regulator that there was paedophilia or child abuse on there, then the regulator would have a conversation with that platform, see what mitigations they could put in place to adhere to the legislation.

If none of that worked, we need a safety net built into this piece of legislation – and the safety net works by the regulator saying you now need to invest in technology that will allow you to maintain the privacy element of encryption, protect encryption, but also enable us to have access and find these criminals, these heinous individuals, these paedophiles, these stains on society.

It may never have to be used. But we think it is important that we put that safety net in legislation.

So it seems the UK government’s idea is that Internet companies will be ordered to come up with ways to break end-to-end encryption while maintaining privacy. But don’t worry, because that magic encryption backdoor will only be there as a “safety net”, not as something that will ever be used routinely. Of course.

Once again, the UK government is attempting an impossible balancing act. On the one hand, it needs to keep the extreme wing of its party happy by bringing in surveillance of encrypted communications. On the other, it doesn’t want the UK to lose key messaging services like Signal, WhatsApp and iMessage, which have all said they won’t implement back doors. Its solution seems to be the usual demand that tech companies “nerd harder”, plus a promise that the new surveillance powers would only be used if the “mitigations” don’t work.

The hardliners who don’t understand the technology might be happy with that approach, but the tech companies won’t be. As soon as the latter are ordered to begin that harder nerding, they will probably pull out of the UK. In other words, despite the “technically feasible” fig leaf, nothing has changed. The UK government’s desperate attempt to come up with Schrödinger’s encryption backdoor – there for the police, but not there for the tech companies – has failed. It had to choose between mass surveillance and messaging services; by passing the Online Safety Act with the text unchanged, it seems to have chosen surveillance.

Follow me @glynmoody on Mastodon.

Filed Under: backdoors, concession, end-to-end encryption, imessage, nerd harder, ofcom, online safety bill, Schrödinger, signal, uk, whatsapp

UK Government Pauses Demands For Broken Encryption In Its Online Safety Bill

Privacy

from the citizens-briefly-allowed-continued-access-to-widely-used-services dept

The UK government is still pushing a bill that would give it more direct control of the internet, but it has, at least for the time being, decided against mandating broken encryption.

For months now, supporters of the Online Safety Bill have insisted the only way to stop the spread of child sexual abuse material (CSAM) is to engage in always-on scanning of user content. Services that utilized end-to-end encryption (like Signal, WhatsApp, and Apple’s iMessage) would be forced to break encryption to scan content.

That mandate has provoked an intense amount of backlash from the affected service providers. The three listed above have all informed the UK government that they would pull their services from the UK, rather than comply with this mandate.

As these entities pointed out (on multiple occasions), introducing deliberate security flaws makes everyone less secure, not just those engaged in criminal activity. The government’s own Information Commissioner arrived at the same conclusion: that breaking end-to-end encryption would actually make children less safe and more likely to be targeted/located by sexual abusers.

The good news is that, for the moment, the UK government has decided to drop this mandate, as 9to5Mac reports, quoting from a (paywalled) Financial Times article.

The Financial Times reports that the government has now agreed to drop from the Online Safety Bill the requirement to scan messaging apps for illegal content.

The UK government will concede it will not use controversial powers in the online safety bill to scan messaging apps for harmful content until it is “technically feasible” to do so, postponing measures that critics say threaten users’ privacy.

A planned statement to the House of Lords on Wednesday afternoon will mark an eleventh-hour bid by ministers to end a stand-off with tech companies, including WhatsApp, that have threatened to pull their services from the UK over what they claimed was an intolerable threat to millions of users’ security.

It’s a win, especially for UK citizens, who were facing loss of access to some of the most popular communication services on the planet. But it’s not a complete victory for anyone. Minister Lord Stephen Parkinson still seems to believe it’s possible to compromise encryption without, you know, compromising it. The big nerds at Big Tech just need to work harder at ushering this magical form of technology into existence.

Parkinson said that Ofcom, the tech regulator, would only require companies to scan their networks when a technology was developed that was capable of doing so.

[…]

“As has always been the case, as a last resort, on a case-by-case basis and only when stringent privacy safeguards have been met, [the legislation] will enable Ofcom to direct companies to either use, or make best efforts to develop or source, technology to identify and remove illegal child sexual abuse content — which we know can be developed,” the government said.

Pressing pause on the mandate, but still living in denial. There’s no such thing as securely compromised encryption. Either it’s secure or it isn’t. Just because the security flaws have been introduced by a government mandate doesn’t make these flaws any less exploitable by more malicious entities. And it doesn’t make it any less likely governments with histories of human rights abuses will leverage these mandates and the resulting broken encryption to engage in even more human rights abuses.

It either works or it’s broken. The UK government needs to fully accept this fact if it’s ever going to move on towards actually doing something useful to protect children from sexual abusers. As long as it continues to pretend the impossible is constantly just over the tech horizon, it will only reduce its citizens communication options and put every user of these services — no matter where they’re located — at risk.

Filed Under: csam, encryption, messaging, online safety bill, uk

Service Providers, Security Researchers Again Warn UK Against Mandating Compromised Encryption

Privacy

from the once-you-break-it,-it's-broken dept

Pretty much everyone who isn’t a UK legislator backing the Online Safety Bill has come out against it. The proposal would give the UK government much more direct control of internet communications. Supposedly aimed at limiting the spread of child sexual abuse material (CSAM), the proposal would do the opposite of its moniker by making everyone less safe when interacting with others via internet services.

While proponents continue to offer up nonsensical defenses of a bill that would compromise encryption, if not actually outlaw it, people who actually know what they’re talking about have been pointing out the flawed logic of UK regulators, if not promising to exit the UK market entirely if the bill is passed.

As the bill heads for another round of votes, entities that actually want to ensure online safety continue to speak up against. The group of critics includes Apple, which knows from first hand experience the negative side effects created by demanding broken encryption and/or client-side scanning.

[I]n a statement Apple said: “End-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists, and diplomats.

“It also helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches. The Online Safety Bill poses a serious threat to this protection, and could put UK citizens at greater risk.

“Apple urges the government to amend the bill to protect strong end-to-end encryption for the benefit of all.”

Also speaking up (again), but probably not being heard (again), are encrypted communication services WhatsApp and Signal — both of which have promised to stop offering their services in the UK if the Online Safety bill becomes law. Here are the statements given to the Evening Standard by WhatsApp, Element, and Signal:

“If the Online Safety Bill does not amend the vague language that currently opens the door for mass surveillance and the nullification of end-to-end encryption, then it will not only create a significant vulnerability that will be exploited by hackers, hostile nation states, and those wishing to do harm, but effectively salt the earth for any tech development in London and the UK at large,” Meredith Whittaker, president of not-for-profit secure messaging app Signal told The Standard.

[…]

“No-one, including WhatsApp, should have the power to read your personal messages,” Will Cathcart, head of WhatsApp at Meta told The Standard.

[…]

Element chief executive and chief of technology Matthew Hodgson told The Standard, “The Online Safety Bill is effectively giving the Government the remit to put a CCTV camera in everybody’s bedrooms, and the way people use their WhatsApp today is pretty personal — people use messaging apps more than they communicate with people in person.”

The Evening Standard also takes time to note some hypocrisy contained in the bill. Whatever burdens are placed on encrypted services won’t affect the legislators pushing this bill. They’ll still be free from snooping, even if none of their constituents are.

The Online Safety Bill concerns only online messages sent by UK citizens and residents, but not anything sent on messaging apps by law enforcement, the public sector, or emergency responders.

This is handy, given that The Standard understands that up to half of Government communications are still being sent over consumer apps like WhatsApp.

The UK government continues to insist — despite all the evidence it has provided to the contrary — that it’s not interested in breaking encryption, installing backdoors, or otherwise undermining users’ privacy and security. But its protestations are inept and absolutely not backed by any of the wording in the bill, which contains mandates that would absolutely do the things the bill’s defenders insist it won’t.

There’s no better demonstration of this form of bullshit than Conservative MP Damian Collins attempting to talk his way out from under the bill’s wording while debating Signal’s Meredith Whittaker, who continually points out the assurances Collins offers aren’t actually in the bill.

The opposition to the bill has gone from cacophonous to deafening in recent days. As Natasha Lomas reports for TechCrunch, a group of 68 security researchers have offered up their group opposition to the Online Safety Bill in a letter [PDF] that briefly, but incisively, points out the flaws in the legislation.

Here’s that letter’s take on client-side scanning — just one of several problematic mandates:

A popular deus ex machina is the idea to scan content on everybody’s devices before it is encrypted in transit. This would amount to placing a mandatory, always-on automatic wiretap in every device to scan for prohibited content. This idea of a “police officer in your pocket” has the immediate technological problem that it must both be able to accurately detect and reveal the targeted content and not detect and reveal content that is not targeted, even assuming a precise agreement on what ought to be targeted.

[…]

We note that in the event of the Online Safety Bill passing and an Ofcom order being issued, several international communication providers indicated that they will refuse to comply with such an order to compromise the security and privacy of their customers and would leave the UK market. This would leave UK residents in a vulnerable situation, having to adopt compromised and weak solutions for online interactions.

That’s actually the smaller (and shorter) of the two open letters issued in the past few days by security researchers. The second letter [PDF] contains seven pages of signatories from all over the world, as well as a more in-depth critique of the extremely flawed proposal.

The letter notes the issues scanning for CSAM using hashes already poses: namely, that hashes can be altered to avoid detection and that false positives still happen frequently. Now, take these existing problems, scale them to the nth degree, and throw some AI into the mix. This is what’s awaiting UK residents if the bill passes with the client-side scanning/encryption-breaking mandates in place:

At the scale at which private communications are exchanged online, even scanning the messages exchanged in the EU on just one app provider would mean generating millions of errors every day. That means that when scanning billions of images, videos, texts and audio messages per day, the number of false positives will be in the hundreds of millions. It further seems likely that many of these false positives will themselves be deeply private, likely intimate, and entirely legal imagery sent between consenting adults.

This cannot be improved through innovation: ‘false positives’ (content that is wrongly flagged as being unlawful material) are a statistical certainty when it comes to AI. False positives are also an inevitability when it comes to the use of detection technologies — even for known CSAM material.

Not only will the government be able to sift through all of this, if anything gets flagged, it will also get to sift through all of these personal messages even when the AI is wrong about what it thought it had observed. Narrowly targeted scanning only in situations where some evidence already exists that CSAM is being distributed could limit the collateral damage, but nothing in the bill or in supporters’ statements indicate the government is interested in any process that doesn’t give it the opportunity to collect it all.

Then there’s the mission creep, which is always present when a government expands its surveillance powers.

Even if such a CSS system could be conceived, there is an extremely high risk that it will be abused. We expect that there will be substantial pressure on policymakers to extend the scope, first to detect terrorist recruitment, then other criminal activity, then dissident speech. For instance, it would be sufficient for less democratic governments to extend the database of hash values that typically correspond to known CSAM content (as explained above) with hash values of content critical of the regime. As the hash values give no information on the content itself, it would be impossible for outsiders to detect this abuse. The CSS infrastructure could then be used to report all users with this content immediately to these governments.

Even if the UK government would never do this (and no one believes it wouldn’t), a Western nation with “liberal” values (as in enshrined human rights, etc.) passing this sort of law would embolden far less liberal nations to expand their domestic surveillance programs under the pretense of making the internet safer and/or detecting CSAM.

Whether or not all of this opposition will make a difference remains to be seen. So far, the steady stream of criticism and promises to exit the market haven’t managed to alter the bill’s mandates in any significant manner. Maybe the EU’s recent abandonment of encryption-breaking mandates in its internet-targeting legislation following months of criticism will force UK lawmakers to rethink their demands. Then again, this is the same government that decided it didn’t want to be part of any club that would accept it and Brexited its way into the wrong side of history.

Filed Under: client side scanning, csam, damian collins, encryption, meredith whittaker, online safety bill, uk
Companies: signal

UK Government Official Offers Up Nonsensical Defense Of Criminalizing End-To-End Encryption

Say That Again

from the these-are-my-feelings,-he-said,-presenting-them-as-facts dept

Since its inception, the UK’s latest attempt to directly regulate the internet has been a disaster. Once dubbed the “Online Harms Bill,” it has since been rebranded to make it appear less harmful to the internet. The bill hasn’t gotten any better, but it does have a less alarmist name, even if everyone pushing hard for its passage tends to align themselves with alarmists.

Directly, the legislation targets harmful content, focusing the most harmful (and most capable of swaying public and legislative sentiment): child sexual abuse material (CSAM). “For the children” is the pitch but the proposal affects far more than those abusing children.

Indirectly, the bill attempts to criminalize end-to-end encryption. Client-side scanning is mandated, which means providers of services utilizing this encryption would need to remove encryption from the client side to scan content before it’s transmitted. Those who fail to perform this scanning would be held criminally and civilly liable, which pretty much criminalizes the same encryption the UK government itself has acknowledged actually makes children safer.

Since the proposed mandates not only conflict with common sense, but would result in UK residents having access to fewer internet communication services, those willing to talk over these implications continue to raise the volume of their voices.

The latest to say dumb things about a bad law is Security Minister Tom Tugendhat, who offered up a nonsensical defense of the Online Safety bill during his appearance at the Policing Institute for the Eastern Region (PIER) conference earlier this month.

It’s easy to overestimate a problem when your sole source for stats is the largest communications service in the world. But that’s what Tugendhat does, leading off a sales pitch for increased government surveillance and fewer privacy protections for UK residents.

In 2022 NCMEC received over 32 million reports of suspected child sexual exploitation and abuse.

21 million of these came from Facebook alone, which not only speaks to the severity of the issue they face.

It also leads me to suspect that other companies are significantly under-reporting.

But how does that lead him to suspect this? That goes unexplained. It’s not unusual that the world’s largest social media platform would submit the most reports to NMCEC. But that doesn’t mean others are under-reporting. It simply may be that other platforms aren’t nearly as popular with child abusers.

Even if they are, it doesn’t mean they’re not reporting enough. And, as for Facebook’s 21 million reports, there’s no evidence offered by either this minister or NMCEC that millions of reports are having any impact on stemming the flow of CSAM, much less deterring those creating this illegal content.

NMCEC receives ~30 million reports a year. UK politicians like Tugendhat seem to believe the minimal effort they make on their end (the UK government, that is) justifies broad legislation that criminalizes the sort of security protections online users expect (i.e., encryption) and makes it that much easier for the government to demand service providers become active participants in broad, unending surveillance of their users.

It’s clear, then, that this is a threat of immense scale and complexity, and I’m grateful for the valiant efforts of our law enforcement agencies.

Every month UK law enforcement agencies arrest 800 people and safeguard 1200 children.

Arrests are not convictions. And “safeguarding children” is a meaningless phrase without more context. All this means is that some cops are earning their paychecks. The rest of this phrase means nothing more than politicians and law enforcement officials have decided CSAM creators exploit 1.25 children each — a stat that sounds suspiciously close to the old cliché of the nuclear family and its 1.5 children. It certainly doesn’t sound like solid facts.

But facts aren’t important here. This is legislation driven by emotion and powered by guilt. If one believes the government shouldn’t have these powers, then they’re obviously in favor of child exploitation. People want their representatives to be rational. But they’re no better than the rest of us, as Tugendhat demonstrates in this presentation, which is based on things he’s seen and heard, but not on much more than that.

He lists three high-profile arrests of sex offenders over the past several years as evidence of the need to expand the government’s power. But three arrests against millions of reports a year is hardly evidence the government knows what to do with the powers it already has, much less that it would be that much more effective if allowed to criminalize encryption and mandate client-side scanning of content.

The argument made is this: the government should be able to prevent you from utilizing end-to-end encryption. If you question the government’s reason for doing so, please re-read the assertion above.

The UK government is in favour of protecting online communications.

And it is possible to offer your customers the privacy they expect…while also maintaining the technical capabilities needed to keep young people safe online.

Meta are just choosing not to, many others have already taken the same path.

In other words, when the government says people should not have access to encrypted communications services, it is well and right and good. When companies decide users should have access to encrypted communications, they are wrong and greedy and evil. It’s apparently just that simple.

Making things even stupider is this clumsy analogy, where the Minister decides he’s only responsible for some parenting.

My children love going to a playground near where we live.

While they’re there it’s clear who’s responsible for their safety.

Me of course, as their parent – but also the council, who have a duty to ensure the environment is safe and well-maintained, and our local police force, who have a duty to make sure nothing dangerous or illegal is taking place.

Both have clear lines of accountability to me and to our local community.

[…]

But what happens when they do go online?

Who’s responsible for their safety?

And is anyone accountable to them – or to me?

In my view it’s clear.

Companies like Meta enjoy vast power and influence over our lives.

With that power should come responsibility.

Fantastic. Tugendhat says he will abdicate his responsibility when his children go online. And he apparently believes this refusal to be responsible should be a problem for online services, rather than something he should have to deal with.

And that pretty much sums up the UK’s government’s approach to “online harms.” It’s everyone’s fault but the legislators who feel you shouldn’t be permitted to use secure messaging services just because there are apparently thousands of sexual predators the government somehow hasn’t managed to round up despite receiving more than 30 million alerts from NMCEC a year.

And where does this all end up? With a government figure turning a single company into a villain, strongly suggesting future legislative proposals will be crafted not with deterring CSAM in mind, but with inflicting as much financial and civil damage to a single US company as possible:

Some will have heard the words I have used today to be particularly critical of one company, they are right, I am speaking about Meta specifically and Mark Zuckerberg’s choices particularly. These are his choices, these are our children. He is not alone in making these choices, other companies have done too.

Let me be clear again: this government will not look away.

We will shortly be launching a campaign. A campaign to tell parents the truth about Meta’s choices, and what they mean for the safety of their children.

This isn’t about fighting CSAM. This is about the UK government’s antipathy towards Meta for daring to roll out end-to-end encryption.

It’s not that CSAM isn’t a problem. It’s that the legislative responses are consistently terrible. And what Tugendhat is pitching is nothing more than an extremely petty form of revenge, but one that’s backed by considerable government power.

Filed Under: client side scanning, csam, encryption, end-to-end encryption, moral panic, online safety bill, tom tugendhat, uk

OnlyFans Throws The Open Internet Under The Bus

Surprises

from the only-regulatory-moats dept

It’s always disappointing when an internet company that should know better decides to throw the open internet it relies on under the bus.

You would think that a site like OnlyFans would know better. You expect this sorta thing from Meta or Google or Netflix, which have reached a size where they’re more willing to compromise with open internet principles in order to help build themselves a politically convenient compliance nightmare for smaller competitors.

But you would have thought OnlyFans was still new enough that it wouldn’t join those pulling up the ladder behind them. After all, it’s run into its own struggles with what happens when moralizing politicians try to stifle the open internet.

Apparently, though, the company doesn’t care much to support the open internet.

The Economist recently had a big story about attempts to regulate speech online. The piece is not a bad summary of how politicians everywhere are trying to become the speech police. There’s some talk of Section 230, the various dumb state laws about content moderation, the DSA in the EU, attempts in Turkey and Brazil to clamp down on online speech, and much more.

However, what caught my eye was the discussion about the UK’s Online Safety Bill, a very problematic bill that we’ve spoken about plenty of times. And, the Economist actually got a quote from OnlyFans seeming to endorse the age verification aspects of the bill:

The most controversial part of Britain’s bill, a requirement that platforms identify content that is “legal but harmful” (eg, material that encourages eating disorders) has been dropped where adults are concerned. But there remains a duty to limit its availability to children, which in turn implies the need for widespread age checks. Tech firms say they can guess users’ ages from things like their search history and mouse movements, but that a strict duty to verify users’ age would threaten anonymity.

Some suspect that their real objection is the price. “I don’t think ‘It costs money and is hard’ is an excuse,” says Keily Blair, chief operations officer of OnlyFans, a porn-centric platform which checks the age of its users and doesn’t see why others shouldn’t do the same. Yet some platforms are adamant: the Wikimedia Foundation, which runs Wikipedia, says it has no intention of verifying users’ age.

Look, if you want to do age verification, that’s on you, but making it mandatory is a nightmare for the open internet. First, as noted, it destroys anonymity. Second, it puts more user data at risk, for no good reason (to verify ages you have to collect sensitive data). Third, even if it is about the expense, tons of websites can’t afford that nonsense, which will serve no purpose and won’t actually keep anyone safe.

The fact that OnlyFans voluntarily decides to verify ages has a lot more to do with OnlyFans’ business model, content, and target audience. But it’s no excuse for saying that everyone else should have to deal with the same compliance nightmare despite very different products and audiences.

Apparently, this willingness to throw the open internet under the bus isn’t new. That quote seemed so out of place that I went looking, and apparently the company came out fully in favor of the Online Safety Bill last fall.

Blair hopes the Online Safety Bill, which imposes a “duty of care” on social media platforms, will bring her rivals up to the same standard the company believes it upholds.

“We want everyone to be as safe as we are. Anything that pushes people in that direction is a good thing for society,” she says. But now the bill has been pushed back, companies may be slower to act. “I’m disappointed because some people need a stick to make changes. Unfortunately, the law often is that stick.”

There’s an astounding lack of understanding about basic policy issues here, and ones that seem likely to come back to bite OnlyFans. What a “duty of care” actually means is the requirement to litigate any time anything bad happens to anyone on your site. Because each time something bad happens someone will sue, and sites will have to spend a ridiculous about of time, money, and resources to explain why they were appropriate in their “care.” Even if a site thinks it will win, it still creates a massive mess of nonsense and wasted time and money.

Later in that same article, Blair also made it clear that she has no clue how freedom of expression actually works, which is quite stunning given the content that OnlyFans regularly hosts on its own site:

What did she make of those accusations that the legislation would suppress freedom of speech? “Freedom of expression and online safety aren’t a binary choice,” she says. “The reality is that freedom of expression has always been curtailed by the law. There’s always been boundaries in place from a legal standpoint to protect around what we think is acceptable in a modern society to say and not. That’s why we have rules around hate speech.

“People often say things and do things on the internet that they would only do behind a keyboard,” she adds. “People feel emboldened to behave in certain ways sometimes. It’s right to have the same protection online as you do walking down the street.”

It’s unclear here if OnlyFans’ execs are just ignorant, foolish, believe that they can withstand the litigation onslaught while others can’t… or some combination of all three. Or maybe they see themselves as a regulatory target and think they’ll get a better deal by playing nice with regulators. But, nonetheless, it’s still disappointing that a site that has benefited so much from the open internet and freedom of expression has decided to support throwing it all away.

Filed Under: age verification, free expression, keily blair, online safety bill, online speech, open internet, uk
Companies: onlyfans

Wikipedia Tells UK Government It Won’t Comply With Proposed Age Verification Mandates

Policy

from the satisfy-your-personal-data-bloodlust-elsewhere dept

The UK government still hopes to bend the internet to its will, but it’s constantly finding out it won’t be as easy as just declaring a bunch of stuff illegal. Tech companies from all over the world would be affected by its “Online Safety Bill” (originally more proactively titled the “Online Harms Bill“). Negatively affected.

The push continues to outlaw things like end-to-end encryption, expand the government’s power to directly regulate internet communications, and otherwise make everyone more miserable (and less safe, ironically).

The usual suspects have been cited in support of ruining the internet: hate speech, CSAM, etc. While the proposed measures might have some immediately noticeable effect, those effects will likely be limited to showboat-y, ineffectual fining of non-compliant tech companies, perhaps with a few threats of prosecution thrown into the mix.

Notably, the bill targets tech companies, rather than those engaging in the activities the UK government wants to see eradicated. Tech companies are pushing back, though. Some of the biggest providers of encrypted communication services have already told the UK government they’ll exit the British market, rather than make their offerings less secure.

It’s not just encryption being targeted by the UK government. The government is also demanding service providers collect and retain more information about their users, supposedly to ensure the proverbial children aren’t exposed to content above their pay age grade.

Here’s where Wikipedia, via the Wikimedia Foundation, steps in and gives the UK government the extended two-finger salute (one better than America!), as Chris Vallance and Tom Gerken report for the BBC:

Wikipedia will not comply with any age checks required under the Online Safety Bill, its foundation says.

Rebecca MacKinnon, of the Wikimedia Foundation, which supports the website, says it would “violate our commitment to collect minimal data about readers and contributors”.

UK government officials have decided the Wikimedia Foundation (specifically, its Wikimedia) places children in harm’s way by hosting content that is either (1) actually pornographic (people stash porn at Wikimedia) or (2) sufficiently descriptive of sexual acts to be considered pornography (even if said descriptions are meant to educate, rather than titillate).

Consequently, Wikimedia/Wikipedia would be required to verify UK users’ ages, something it has never done anywhere in the world. In response to this new demand — one that would require Wikimedia to gather more information about its users than it currently does — the Foundation has flatly stated it won’t be invading its users’ privacy just to satisfy the UK government’s bizarre desire to turn the internet into vast repository of user info it can dip into whenever it feels it needs to.

Even if Wikimedia was inclined to comply with this ridiculous mandate, there’s likely no way it could feasibly comply with it. The logistical demands verge on impossibility.

There are currently 6.6 million articles on Wikipedia, and she said it was “impossible to imagine” how it would cope with checking content to comply with the bill.

She added: “Worldwide there are two edits per second across Wikipedia’s 300-plus languages.”

The online, user-generated encyclopedia does have its supporters in the UK legislature. As the BBC reports, some are arguing for an exemption that would allow sites like Wikipedia to bypass age verification since it relies on community moderation, rather than its own employees or algorithms. But others in Parliament, as well as the entities pushing for a more restrictive internet, claim adding exemptions will just encourage services like Wikimedia to perform less moderation, rather than more.

Those people are wrong. Mandates won’t force the internet to behave the way UK politicians would prefer it behaves. Instead, it will mean their constituents will lose access to services they currently use, be denied access to others, and allow child abusers and bigots to sink even further below the radar where they’re still capable of doing harm but far less likely to be detected.

Filed Under: age verification, online safety bill, uk
Companies: wikimedia

WhatsApp Tells UK Government It’s Still Not Willing To Undermine Its Encryption

(Mis)Uses of Technology

from the don't-make-me-tap-the-sign dept

The UK government is entertaining even more plans to undermine (or actually outlaw) end-to-end encryption. And it’s not gaining any support from the multiple services (and multiple people) these efforts would harm.

Both Signal and Proton have made it clear they’ll pull their services rather than weaken their encryption to comply with UK government demands. WhatsApp is saying the same thing — telling the UK government something it has already told it at least twice.

In 2017, WhatsApp made an unofficial announcement of its policies when UK law enforcement showed up with a demand to compel decryption of a targeted account. WhatsApp refused to comply and the UK government apparently decided not to press the issue. At least not directly.

Five years later, the UK government is still hammering away at encryption, adding more mandates to its steadily simmering Online Safety Bill. And WhatsApp told the UK government what it told it back in 2017: breaking encryption just isn’t an option. (In the form of a lawsuit challenging an Indian law, WhatsApp said the same thing to the Modi administration and its series of rights-violating internet-related laws.)

Another year has passed and the UK government still wants to get the Online Safety Bill passed. And, once again, Meta has surfaced to tell the government that it can pass all the laws it want, but none of them will force WhatsApp to undermine its encryption.

WhatsApp would refuse to comply with requirements in the online safety bill that attempted to outlaw end-to-end encryption, the chat app’s boss has said, casting the future of the service in the UK in doubt.

Speaking during a UK visit in which he will meet legislators to discuss the government’s flagship internet regulation, Will Cathcart, Meta’s head of WhatsApp, described the bill as the most concerning piece of legislation currently being discussed in the western world.

The UK government doesn’t have any leverage here. WhatsApp will simply stop offering its service in the UK. As Cathcart points out, 98% of its users reside in other countries. And there’s no reason it should put all of its users at risk, just because the home to 2% of its user base is being stupid about end-to-end encryption.

Now, that 2% would probably like to have access to an encrypted messaging service, whether it’s WhatsApp, Signal, or Proton’s offering. Unfortunately for them, supporters of the bill don’t want them to have these options. But that’s not going to work out well for the government. Angering constituents tends to shift the leverage back their way, which means legislators are pushing a terrible bill from a position of weakness.

The potential for hefty fines only makes it more likely service providers will exit this market rather than give the government what it wants.

Under the bill, the government or Ofcom could require WhatsApp to apply content moderation policies that would be impossible to comply with without removing end-to-end encryption. If the company refused to do, it could face fines of up to 4% of its parent company Meta’s annual turnover – unless it pulled out of the UK market entirely.

If the options are providing a weakened service that harms all users or shelling out 4% of its income on a regular basis, the option these legislators failed to consider is really the only intelligent option: exiting the market.

And when that starts happening, the government is going to get an earful from the people it never bothered to listen to in the first place: domestic users of services these legislators are actively trying to destroy.

Filed Under: encryption, online safety bill, uk
Companies: meta, whatsapp

UK’s Online Safety Bill Will Actually Just Harm Everyone, Encrypted Service Provider Warns

(Mis)Uses of Technology

from the now-that-it's-kind-of-fixed,-let's-break-it dept

Over the past couple of years, we’ve covered the UK’s “Online Safety Bill” extensively. And for good reason, seeing as it has the potential to effectively outlaw end-to-end encryption, and create an unworkable mess for any service (and it’s pretty much all of them) engaging in content moderation.

The bill was originally called the “Online Harms Bill,” but underwent rebranding, possibly due to legislators and regulators realizing this might signal their true intent: to harm online communications and services. Now it’s all about “safety,” and that means often claiming this is all being proposed to save the children of the UK from online harms — a claim that continues to be made even though a UK government commission pointed out banning or undermining encryption would actually harm kids.

The ever-expanding legislative proposal has received significant pushback. WhatsApp said it would not break its encryption to appease the UK government. Signal said the same thing, telling legislators it would simply refuse to offer its services in the UK if it was required to undermine or break its encryption.

Proton (of Proton Mail fame) has now weighed in on the harmful “safety” bill in a post on its site, pointing out what some might have missed in this discussion. It’s not just about regulating social media services. It’s about regulating pretty much everything anyone does online.

Proton offers encrypted services, including cloud storage. It also offers a VPN. These may seem to be outside the parameters of the law (not including the encryption-targeting parts of it) since the bill aims to reduce the amount of “harmful” content people encounter on widely used social media services. But the bill’s language is all encompassing, which means Proton is likely not exempt from the proposed legislation.

At this stage, the bill is so broad that it’s not entirely clear who would be subject to it. While primarily targeting social media companies, the bill defines “content” as anything that is “communicated publicly or privately”. In practice, as tech companies (like Proton) often offer single accounts encompassing a number of different services, it’s likely that services that are not meant to be subject to the law (like email) will inadvertently become subject to it by extension.

That essentially means that almost any online service that has users in the UK could be affected. It also means that messages you send your mom could be treated the same as something you post on social media for everyone to see, which comes dangerously close to violating UK citizens’ explicit right to a private life.

This means Proton’s executive may be just as liable for user-generated content as companies like Facebook and Twitter. And that could mean jail time if the UK government decides Proton isn’t doing enough to enforce its terms of service and/or proactively monitoring content for anything the government decides is objectionable. That’s a problem when you offer end-to-end encryption: you can’t monitor content because you simply cannot see it.

If the bill passes in its current form, Proton (and services like it) would have only four options, none of them good.

• Remove its end-to-end encryption
• Weaken its end-to-end encryption
• Install client-side scanning
• Cease providing service in the UK

Supporters of the bill simply don’t see the problem. If encryption prevents companies from complying with the law, either the encryption goes or they do. The collateral damage is someone else’s problem.

Proton doesn’t want to leave the UK. But if it can’t protect the privacy of its users and still comply with the law, it looks like that will be the only option it has.

If this bill becomes law, the UK will become a third-world nation in terms of internet services. Its residents will have a dearth of options, none of which will be particularly palatable. The companies that remain will have demonstrated by their compliance they have little interest in the security and privacy of their users. And who in their right mind would choose to put their trust in that?

Filed Under: encryption, online safety bill, safety, uk
Companies: proton