The U.K. Parliament is pushing ahead with a sprawling internet regulation bill that will, among other things, undermine the privacy of people around the world. The Online Safety Bill, now at the final stage before passage in the House of Lords, gives the British government the ability to force backdoors into messaging services, which will destroy end-to-end encryption. No amendments have been accepted that would mitigate the bill’s most dangerous elements.
If it passes, the Online Safety Bill will be a huge step backwards for global privacy, and democracy itself. Requiring government-approved software in people’s messaging services is an awful precedent. If the Online Safety Bill becomes British law, the damage it causes won’t stop at the borders of the U.K.
The sprawling bill, which originated in a white paper on “online harms” that’s now more than four years old, would be the most wide-ranging internet regulation ever passed. At EFF, we’ve been clearly speaking about its disastrous effects for more than a year now.
It would require content filtering, as well as age checks to access erotic content. The bill also requires detailed reports about online activity to be sent to the government. Here, we’re discussing just one fatally flawed aspect of OSB—how it will break encryption.
An Obvious Threat To Human Rights
It’s a basic human right to have a private conversation. To have those rights realized in the digital world, the best technology we have is end-to-end encryption. And it’s utterly incompatible with the government-approved message-scanning technology required in the Online Safety Bill.
This is because of something that EFF has been saying for years—there is no backdoor to encryption that only gets used by the “good guys.” Undermining encryption, whether by banning it, pressuring companies away from it, or requiring client-side scanning, will be a boon to bad actors and authoritarian states.
The U.K. government wants to grant itself the right to scan every message online for content related to child abuse or terrorism—and says it will still, somehow, magically, protect people’s privacy. That’s simply impossible. U.K. civil society groups have condemned the bill, as have technical experts and human rights groups around the world.
The companies that provide encrypted messaging—such as WhatsApp, Signal, and the UK-based Element—have also explained the bill’s danger. In an open letter published in April, they explained that OSB “could break end-to-end encryption, opening the door to routine, general and indiscriminate surveillance of personal messages of friends, family members, employees, executives, journalists, human rights activists and even politicians themselves.” Apple joined this group in June, stating publicly that the bill threatens encryption and “could put U.K. citizens at greater risk.”
U.K. Government Says: Nerd Harder
In response to this outpouring of resistance, the U.K. government’s response has been to wave its hands and deny reality. In a response letter to the House of Lords seen by EFF, the U.K.’s Minister for Culture, Media and Sport simply rehashes an imaginary world in which messages can be scanned while user privacy is maintained. “We have seen companies develop such solutions for platforms with end-to-end encryption before,” the letter states, a reference to client-side scanning. “Ofcom should be able to require” the use of such technologies, and where “off-the-shelf solutions” are not available, “it is right that the Government has led the way in exploring these technologies.”
The letter refers to the Safety Tech Challenge Fund, a program in which the U.K. gave small grants to companies to develop software that would allegedly protect user privacy while scanning files. But of course, they couldn’t square the circle. The grant winners’ descriptions of their own prototypes clearly describe different forms of client-side scanning, in which user files are scoped out with AI before they’re allowed to be sent in an encrypted channel.