UK’s Disastrous Online Safety Bill Passes, Imperilling Security and Privacy in the UK

Despite universal condemnation and constant protest, UK lawmakers passed the Online Safety Bill anyway.

Anti-encryption, age verification, and other laws are now the law of the land in the UK. This is thanks to the disastrous Online Safety Bill passing very recently. The new law is hugely controversial for a wide variety of reasons. Unfortunately, UK politicians didn’t want to hear any of it. They gave the middle finger to the public at large and all common sense and decided that oppression of the internet and degradation of human rights is the biggest priority in this case.

We’ve followed the developments off and on, witnessing this law inch closer to final passage. Wikipedia, for their part, threatened to leave the UK if they were ordered to go along with the age verification elements. There was, at one point, word that the anti-encryption elements might be delayed, but questions have since emerged over just how much of a temporary reprieve that actually is. Some argue that the delay is meaningless, especially given that the text of the law hasn’t actually changed.

Among the controversial elements of the law were the anti-harassment provisions. Essentially, if you say something mean online, the police could bust down your door, arrest you, and throw you in jail. While no one likes harassment, such a response is an extreme overreaction and ripe for abuse.

Also controversial are the age verification elements. Websites would be required to collect and retain deep personal information about their visitors to make sure that they don’t access anything “pornographic”. Such data collection opens the door for hackers to break in, steal such a database, and hold people’s personal information for ransom afterwards. It is precisely this kind of privacy-invading stuff that had Wikipedia threatening to leave the UK in the first place.

Then there are the terrible anti-encryption provisions. In a nutshell, the UK is demanding that any encryption in use must have a back door for law enforcement to access any communication, all while supposedly saying that people’s personal privacy is otherwise protected. Obviously, as anyone respectable who has worked in security knows, such a technology doesn’t exist and can’t really exist in any reasonable manner. This is, on the face of it, asking the impossible. A compromise in security, intentional or not, is a compromise in security. There’s no “compromise it in such a way that only the ‘good guys’ can access the contents”.

UK digital rights organization, Open Rights Group, issued a warning in response to the passage of the legislation:

Open Rights Group has warned that the Online Safety Bill, which has been passed in parliament, will make us less secure by threatening our privacy and undermining our freedom of expression. This includes damaging the privacy and security of children and young people the law is supposed to protect.

ORG’s Campaigns Manager James Baker said:

“No one disputes that tech companies could do more to keep children safe online but the Online Safety Bill is an overblown legislative mess that could seriously harm our security by removing privacy from internet users. The bill will also undermine the freedom of expression of many people in the UK.

“While the UK government has admitted it’s not possible to safely scan all of our private messages, it has just granted Ofcom the powers to force tech companies to do so in the future. These are powers more suited to an authoritarian regime not a democracy and could harm journalists, and whistle-blowers, as well as parents, domestic violence victims and children who want to keep their communications secure from online predators and stalkers.

“The Bill also poses a huge threat to freedom of expression with tech companies expected to decide what is and isn’t legal, and then censor content before it’s even been published. This re-introduces prior restraint censorship for the written word back into UK law for the first time since the 1600s. In addition, young people, whom the law is supposed to protect, could be denied access to large swathes of the web, including resources that provide them with information and support.

“Perhaps the biggest failing has been the lack of detail in how these extraordinary powers will be implemented. It’s down to Ofcom to sort this mess and we call on them to work with cyber experts, tech companies and civil society to minimise the harms to our fundamental rights.”

Techdirt also noted that the compromise on encryption that was rumoured to be happening wasn’t much of a compromise after all:

Donelan gave more details of how the new Online Safety Act would work in practice:

In terms of end-to-end encryption, when a platform about to encrypt or already has encrypted – if there were concerns then raised with the regulator that there was paedophilia or child abuse on there, then the regulator would have a conversation with that platform, see what mitigations they could put in place to adhere to the legislation.

If none of that worked, we need a safety net built into this piece of legislation – and the safety net works by the regulator saying you now need to invest in technology that will allow you to maintain the privacy element of encryption, protect encryption, but also enable us to have access and find these criminals, these heinous individuals, these paedophiles, these stains on society.

It may never have to be used. But we think it is important that we put that safety net in legislation.

So it seems the UK government’s idea is that Internet companies will be ordered to come up with ways to break end-to-end encryption while maintaining privacy. But don’t worry, because that magic encryption backdoor will only be there as a “safety net”, not as something that will ever be used routinely. Of course.

Once again, the UK government is attempting an impossible balancing act. On the one hand, it needs to keep the extreme wing of its party happy by bringing in surveillance of encrypted communications. On the other, it doesn’t want the UK to lose key messaging services like Signal, WhatsApp and iMessage, which have all said they won’t implement back doors. Its solution seems to be the usual demand that tech companies “nerd harder”, plus a promise that the new surveillance powers would only be used if the “mitigations” don’t work.

The hardliners who don’t understand the technology might be happy with that approach, but the tech companies won’t be. As soon as the latter are ordered to begin that harder nerding, they will probably pull out of the UK. In other words, despite the “technically feasible” fig leaf, nothing has changed. The UK government’s desperate attempt to come up with Schrödinger’s encryption backdoor – there for the police, but not there for the tech companies – has failed. It had to choose between mass surveillance and messaging services; by passing the Online Safety Act with the text unchanged, it seems to have chosen surveillance.

So, definitely quite the sombre day for the people of the UK – especially for those who value privacy and security. The next question is what the fallout of all of this will be. Will there be a mass exodus of businesses from the UK once the government starts asking for a compromised-not-compromised encryption? Will privacy-minded companies start blocking UK IP addresses altogether because of the age verification elements? Time will tell, but the situation certainly isn’t looking good for UK residents.

Drew Wilson on Twitter: @icecube85 and Facebook.
