The UK government has seemingly averted a major clash with the tech industry over a contentious provision in the Online Safety Bill that could compromise encryption. Both tech giants and encrypted messaging services have raised concerns that the bill would undermine the security and privacy of users by requiring encrypted messaging apps to incorporate content scanning capabilities upon request by the Internet regulator, Ofcom. Experts in security, privacy, and law have also criticized the bill, warning that its broad surveillance powers could actually endanger online safety. Despite these concerns, the government has largely ignored the implications for encryption.
Key Takeaway
The UK government has taken a step back from directly challenging the encryption capabilities of tech companies through the Online Safety Bill. Instead, it has introduced a compromise that suggests content scanning can only be ordered if “appropriate technology” exists and emphasizes the importance of developing CSAM-scanning tools that preserve user privacy. However, the lack of a clear statement on exempting end-to-end encryption platforms from scanning powers leaves room for ambiguity and further concern.
Government’s Compromise Falls Short in Protecting Encryption
The Online Safety Bill aims to address various online harms, including the tackling of child sexual abuse material (CSAM). In this regard, the government has actively encouraged the development of CSAM-scanning tools that could be applied to end-to-end encrypted (E2EE) messaging platforms without compromising user privacy. However, tech companies like Signal and Apple have strongly criticized this approach, arguing that it is not technically feasible to scan encrypted messages without jeopardizing privacy. WhatsApp and others have even threatened to cease operations in the UK if the bill is not revised to eliminate the threat to encryption.
Government’s Ministerial Statement Adds a Compromise
In a recent ministerial statement in the House of Lords, Lord Parkinson of Whitley Bay indicated that Ofcom, the Internet regulator, would not be required to order content scanning unless the “appropriate technology” exists. He stated that Ofcom would work with service providers to find reasonable and technically feasible solutions, drawing on evidence from skilled professionals. If the necessary technology does not exist, Ofcom cannot enforce its use. Lord Parkinson defended the government’s position, asserting that technology companies should use their resources and expertise to develop the best possible protections for children within encrypted environments.
Government’s Statement Receives Mixed Reactions
The government’s compromise has been met with mixed reactions. Some, like the Signal Foundation’s president, Meredith Whittaker, view it as an “important moment” and a form of victory, but acknowledge that it is not a definitive win. Privacy campaigners and digital rights advocacy groups, such as the Open Rights Group, welcome the government’s concessions but argue that the powers should have been entirely removed from the bill. Despite criticism, the government maintains that its position remains unchanged and that the bill takes an evidence-based approach to combating child sexual abuse online.
While the government’s statement may appear to be a partial climb-down, it still leaves room for ambiguity and concern, as the bill retains provisions that grant Ofcom powers to order content scanning on E2EE platforms. Privacy campaigners believe that it is essential to remain vigilant and continue advocating for the protection of encryption.
