Mass Surveillance
Omnishambles over encrypted messages continues
At the eleventh hour of the Online Safety Bill’s passage through Parliament, the Government has found itself claiming to have both conceded that it won’t do anything stupid regarding encrypted messages, and that it may well press ahead with dangerous technologies if it wants to.
It is in a total mess over its proposals to break end-to-end encryption and scan our private messages, despite assurances to Parliament, and making the ground breaking admission to industry that client side scanning is currently trying to achieve the impossible.
Let’s explain what has just happened
On Monday, Open Rights Group hosted a meeting in Parliament with a wide range of civil society groups. At this meeting, colleagues from Amnesty International, Stonewall, Liberty, Big Brother Watch, EFF, Article 19, Citizen Lab and the not-for-profit Signal Foundation all spoke out about the problems with breaking end-to-end encryption. These partners talked movingly about the genuine threat that the Government’s proposals pose to LGBTQ people, human rights defenders and journalists worldwide.
At the same time that civil society was speaking of the dangers message scanning would create, industry was also speaking to the Government. It is rare for big tech and civil society to agree, but on this issue, there was unity over the problems the policy would create. We understand that Michelle Donelan, MP (with the Home Office in addition to DSIT), met with industry representatives on Monday.
We can speculate how that meeting went and that the UK Government were told bluntly that the technology simply doesn’t exist and can’t be made to work. If forced to try and break encryption, these companies would instead withdraw services from the UK market.
The Government conceded the technology does not exist
Following Monday’s round of last-minute meetings, it appeared there would be a concession from the Government. They would issue a clarifying statement at the third reading of the Online Safety Bill in the House of Lords. These sources led to the Financial Times story UK pulls back from clash with Big Tech over private messaging.
When the statement came in the Lords, there was a clear and unambiguous acknowledgement that Ofcom would not use their powers under clause 122 unless it were technically possible.
“If the appropriate technology doesn’t exist that meets those requirements, then OFCOM will not be able to use clause 122 to require its use.”
Hansard
This was meant to be viewed as a public acceptance that it is not technically possible and led to a flurry of headlines that the UK Government had backed down over its encryption plans.
Although ministerial statements do not change the text of the law, they matter. They have implications for when Ofcom, or a judge, comes to interpret the law.
The Government now claims to some people it hasn’t backed down
The Government now claims it hasn’t conceded anything, and the law remains unchanged. During an appearance on Times radio, Michelle Donelan MP said:
“We haven’t changed the bill at all.
“If there was a situation where the mitigations that the social media providers are taking are not enough, and if after further work with the regulator, they still can’t demonstrate that they can meet the requirements within the bill, then the conversation about technology around encryption takes place.”
She said further work to develop the technology was needed but also stated that government-funded research had demonstrated that it is feasible. That is a clear admission, in fact, that the technology is not currently available; however, their researchers have been at pains to go further and to explain that the technology is simply unfit for purpose, rather that saying it was in any way workable:
The independent evaluation concluded that although none of the tools propose to weaken or break the E2EE protocol, the confidentiality of the E2EE service users’ communications cannot be guaranteed when all content intended to be sent privately within the E2EE service is monitored pre-encryption.
The Home Secretary, Suella Braverman, writing in The Telegraph … noted that the programme had “demonstrated that it would be technically feasible to detect child sexual abuse in environments which utilise encryption.”
Awais Rashid, Professor of Cyber Security at the University of Bristol and Director of the REPHRAIN Centre, said: “The issue is that the technology being discussed is not fit as a solution.” Professor Rashid has worked on development of automated tools to detect child abuse material online as well as engineering privacy into software systems for 15 years.
“Our evaluation shows that the solutions under consideration will compromise privacy at large and have no built-in safeguards to stop repurposing of such technologies for monitoring any personal communications,” he said.
Rephrain researchers, UCL blog
Government is speaking with a forked tongue
The result is that it is unclear what the Government’s intentions are. On the one hand, they have been saying to industry that Ofcom won’t use these powers and acknowledge they are not technically possible and would at the very least require more work.
On the other hand, they are spinning a line in the media that the bill remains unchanged and clinging to their own ‘government-funded research’ (outside the academic and expert consensus, and directly contradicting their researchers’ public statements) that these powers are possible. This does also expose a problem with the bill as there is no real explanation as to how the Government will determine ‘technical feasibility’, and by what process and on which criteria – peer-reviewed publication, evidence or a private decision by civil servants and regulators.
The Government should come clean immediately and explain again to Parliament that only doing what is “technically feasible” means not implementing unsafe and dangerous technologies.
This mess highlights that Client Side Scanning is an unworkable demand
There needs to be more connection between the UK Governments regulatory policy and technical reality. The Government should make it clear to Parliament what it intends to happen with this policy, and Parliament should ask the Lords to look again at the inadequate safeguards that have been put in place around the use of these powers.
When the likes of Apple, accept they can’t get client-side scanning to work safely, it is time to give up on it and instead implement other proven policy solutions to tackle issues of child abuse.
Unfortunately, this Government wants its cake and to eat it. It wants to pretend it believes in a magical solution while knowing these, as proposed, are dangerous enough for companies to leave the UK market rather than implement them. It doesn’t want to admit that it has been pursuing a unicorn or be criticised by the opposition as capitulating to ‘big tech’. Still, it wants the tech industry to believe that the UK government’s tech policy is credible and trustworthy.
The Government are playing the public and industry for fools. It is time to be clear and tell the truth: trying to implement client-side scanning of encrypted messages is dangerous and impractical and opens the door to ever-greater snooping. It should never have been suggested, let alone get onto our statute books. This is a lesson for other governments to learn – as the UK’s Government has a twenty five year history of passing technology laws into statute that cannot be implemented and subsequently die.
While we do not think the principle of message scanning (a form of mass surveillance) should be accepted or passed into law, we welcome that for now, that the Government has acknowledged what is technically possible and told Parliament that the legislation requires that Ofcom will stick to what can actually be delivered. We deeply regret that Ministers are simultaneously trying to deny that it has made any change to its position.
As Governments worldwide seek to regulate and tackle this issue, they should take note of the total mess the UK has found itself in and base their regulatory policy within the realms of what is technically possible rather than indulging in fantasy. Unlike the UK’s current Government, they might find themselves in a position where they have to face the consequences of the laws they pass.