Online Harms: Encryption under attack
The UK government wants to make the web “safer” by using the Online Harms Bill to weaken encryption of private messages. It’s a move that will make the web anything but safe.
The Online Harms Bill will be laid before Parliament soon. This legislation, part of the Digital Charter’s vision of making the UK “the safest place in the world to be online”, will impose a legally binding obligation on service providers to prevent bad things from happening on the Internet.
Service providers, including many ORG members, will be required to do this through the imposition of a “duty of care” – a concept awkwardly borrowed from health & safety – which will require them to monitor the integrity of their services not by objective technical standards, but by subjective “codes of practice” on both illegal and legal content.
Although the framework has been drawn up with large American social media platforms in mind, it would apply to any site or service with UK users which hosts user-generated content. A blog with comments will be fair game. An app with user reviews will be fair game.
And if the Bill’s hardliners have their way, even your private communications – meaning your everyday conversations with your friends, your family, and your co-workers – will be fair game.
When the Online Harms framework was first put forward for consultation last year, Open Rights Group – working together with many other organisations across the civil society sector – successfully advocated for private communications to be removed from the scope of the legislation. But one year later, those plans are back with a vengeance.
We know that the Bill’s supporters are pushing hard for your private communications, on private channels, to be subject to the Online Harms Bill’s “duty of care”. This will include the content on your personal messaging apps, the content on your group chats with your schools and communities, and even the content on the internal company software your employer uses to help you work from home.
Why? Because, the argument goes, anyone using private communications on the internet might be trafficking in child abuse material.
One charity insists that companies struggling to achieve impossible compliance with the “duty of care” under the Online Harms Bill:
“should not be able to balance partial mitigation of child abuse risks against wider societal benefits, for example improved user privacy.”
Another says:
“if private communications remain out of scope, the Government would, in effect, be giving the green light to further roll-out of encrypted services, which enable child sexual abuse material to be shared widely, even on mainstream platforms.”
Some of these voices are demanding that the Online Harms Bill make the use of encryption conditional upon successful implementation of the “duty of care”. Again, one charity has said:
“Government should explicitly require the regulator to assess the impact of end-to-end encryption, and if a platform cannot demonstrate it has adequately mitigated the associated risks, it should be prevented from proceeding (or continuing) with it.”
In other words, these charities want the Online Harms regulator (likely Ofcom) to be able to ban online services from using encryption unless they can meet the standards of a highly subjective “duty of care”.
We cannot stress enough how dangerous it is to even entertain the thought that the Online Harms Bill should create some sort of “licensing” system for the use of encryption – one where a regulator should have the power and the authority to suspend a company’s ability to protect its systems, and its users, through the use of encryption.
Let’s be clear: any intentional undermining or compromising of encryption, even for legitimate purposes, weakens everyone’s security online. Whatever form it takes, whether a key held by the provider, an escrowed copy, or a hook that scans messages on the device before they are encrypted, a mechanism that lets a provider read messages to satisfy a regulator is a mechanism that criminals and hostile states can also reach for; an end-to-end encrypted service either keeps the keys solely on its users’ devices or it does not.
Customers want encryption because they want privacy from commercial snooping, and to reduce the risk of their private communications leaking. Private messaging is moving towards encryption because customers want it, for very valid reasons. Child abuse material is a very serious concern, but it must not be presented as a reason to deny legitimate users the safety and privacy they deserve by right.
To require companies to remove the protections provided by encryption so that they can meet their compliance obligations under a “duty of care”, and to empower a regulator to ban the use of encryption from companies which refuse to compromise their systems by doing so, would create a degree of surveillance and government intrusion that simply should not be tolerated in a democratic society.
Yet these two issues – the privacy of your personal communications, and the use of encryption – are just two of the many risks to freedom of expression and privacy contained within the Online Harms Bill.
As the framework progresses, Open Rights Group will be campaigning – along with our partners in civil society, as well as with the Global Encryption Coalition – to protect your private communications, to defend the use of encryption, and to safeguard freedom of expression from collateral censorship.
We’ll need your help to get there, and we hope you’ll join us.