Nearly 70 UK-affiliated information security researchers, scientists and cryptographers are the latest to voice their concerns over the security risks of the Online Safety Bill.
The controversial Act made its return into Parliament last week, and it's expected to get back to the Commons for the last review stage very soon. Commentators—including encrypted messaging apps, VPN services and other security software providers—have long been calling the government against the danger of breaking encryption.
At this critical time, the experts seek to stress once again how the Online Safety Bill de-facto "undermines safety online." Will policymakers finally listen?
"Technology is not a magic wand"
"As independent information security and cryptography researchers, we build technologies that keep people safe online. It is in this capacity that we see the need to stress that the safety provided by these essential technologies is now under threat in the Online Safety Bill," concludes the open letter, which counts a total of 68 signatories.
The academics especially lashed out against the provisions of the Bill seeking to undermine encryption in the name of safety.
Encryption is the process of scrambling data into an unreadable form in order to protect it from third-party access. While it's largely implemented across different technologies—from security tools like virtual private network (VPN) to simply any website users access on a daily basis—the UK government specifically plans to weaken this protection on secure communication apps like WhatsApp, Signal, and email services.
The infamous Bill seeks to place itself as an effective response to the rise in child sexual abuse online, and any other dangers to citizens' safety on the net. Yet, by attempting to make the UK the safest place to be online, politicians seem to be achieving exactly the opposite outcome.
Experts warned how the "routine monitoring" of private communications is incompatible with today's standard of privacy. At the same time, weakening encryption will open "cryptography backdoors" for bad actors and the government to exploit in the future.
The lack of reliability of today's client-side scanning technologies is likely to produce false positives in most instances, too. Even worse as these algorithms can be repurposed to add hidden secondary capabilities. Ultimately, having—as they described—a "police officer in your pocket" would de-facto make everyone less safe.
"Technology is not a magic wand," warn the security experts. "Our concern is that surveillance technologies are deployed in the spirit of providing online safety. This act undermines privacy guarantees and, indeed, safety online."
68 (UK affiliated) researchers working on security and privacy have raised alarms about provisions in the UK #OnlineSafetyBill: "our concern is that surveillance technologies are deployed in the spirit of providing online safety."Read our letter here: https://t.co/DPHkBowkoQ pic.twitter.com/eMAZyViZfqJuly 5, 2023
This is only the most recent cry for help launched by the tech community, which has been busy trying to make policymakers understand that undermining privacy in the name of safety simply cannot work.
Only a week ago—the same week the Act made its return in the House of Lords—over 80 civil society organizations, academics and cyber experts from 23 countries pledged the UK government to remove end-to-end encrypted services from the scope of the Bill.
A day after, the Big Tech giant Apple joined the crowded ranks of the opposition by voicing its concerns over the scanning of encrypted communications. In May, a coalition of more than 45 organizations took to the defense of this crucial technology—especially for journalists and activists—on the occasion of the last World Press Freedom Day.
Secure messaging platforms like Element, WhatsApp and Signal said in February that they would quit the UK if the Act becomes law. This exodus to save encryption would ultimately "leave UK residents in a vulnerable situation, having to adopt compromised and weak solutions for online interactions," warned researchers.
The political debate
The Online Safety Bill is a clear example of the existing tensions between politics and technology. As the internet evolves, lawmakers attempt to keep up with the new threats of the digital age—too often, though, without the necessary knowledge to understand its implications.
"The biggest single issue with the Online Safety Bill is that it's too big. It tries to do too many things," Robin Wilton, Internet Society’s Director for Internet Trust, told TechRadar. "Every politician sees something in there that they want and so they will vote for it, even if there are other things to which they're either indifferent or they shouldn't want it because it's actually actively harmful."
According to Wilton, the current political debate raises the same privacy tensions spread around the Labour proposal on national identity cards a few years back. By playing the child safety card this time, the act has a much better chance of finally becoming law.
"[Child safety online] becomes the default justification regardless of whether that's the purpose of the policy," he said. " But, there's plenty of evidence to say that actually, if you want to ensure child safety online, the place you should start is child safety offline."
🔴 Give a little, they'll take a lot.Powers in the Online Safety Bill can and will be stretched by the government to scan our messages for whatever they want.Our Exec Director @jimkillock explains why the Lords must stop the spy clause.🟢 TAKE ACTION https://t.co/Z4FcHDDfcc pic.twitter.com/Eu8CL40tL6July 5, 2023
At the time of writing, the Online Safety Bill is still in the House of Lords. This means that it will soon get back in the Commons where MPs will decide whether or not accept any amendments the Lords might propose and, eventually, send it back for further review.
At this point, there are a few things to consider. For starters, with the Parliament session due to expire in autumn, it means that the time is almost up for the Bill. It was, in fact, already a leftover from the previous government, and due to this it cannot be carried on in its current form into the next. That's just theoretical, though, as the government is said to be willing to extend this parliamentary session if needed.
The second and perhaps biggest question is whether or not the Lords would decide to implement the so-called Davis amendment put forward by Conservative MP David Davis to remove the ability to monitor private messaging services from the scope of the bill.
"The government hates that idea. They think that would destroy the whole point of the bill, but that simple amendment would actually solve most of its privacy problems," explained Wilton.
Some of the Lords already voted to support the bill, so now the question is whether or not enough of them will in the final vote.
"The House of Lords can't actually stop the bill by amending it, they can only send a strong signal," said Wilton. "So, will it be strong enough for the Commons to actually change their mind?"