Online Safety Bill: Suella Braverman fails to understand encryption risk
Open Rights Group has responded to an opinion piece in the Telegraph by the Home Secretary, Suella Braverman MP that claims that: “The government, tech experts, and wider industry partners have demonstrated that it is technically feasible to detect child sexual abuse in environments which utilise encryption whilst still strongly maintaining user privacy.” All the evidence shows that this claim does not stack up.
Dr Monica Horten, Policy Manager for freedom of expression at Open Rights Group, said:
“Braverman has failed to grasp how the technology works and how the actual measures in the Online Safety Bill will operate. It has been demonstrated that these proposals cannot guarantee privacy.
“Encryption keeps all of our communications safe and secure, and it is particularly important for journalists, activists, human rights defenders, lawyers, and the children and young people that the government claims it is protecting.
“Cyber experts, privacy campaigners and tech companies have repeatedly warned that plans to scan encrypted messages pose a security threat to people in the UK and around the world. The government is risking the UK’s international reputation by persisting with this policy.”
Braverman is wrong to claim that detection software does not compromise privacy
Contrary to Braverman’s claim, tech experts have amply demonstrated that detecting child sexual abuse material in encrypted environments cannot maintain guarantees of users’ privacy. The government has consistently dodged the question of naming the technology it wants to implement, and Braverman does not provide any further information. However, we believe she is referring to a technology known as client-side scanning. Client-side scanning fundamentally breaks the promise of confidentiality by putting a third party monitor in the room before the message is encrypted.
Experts have repeatedly explained that any compromise of end-to-end encryption can add “backdoors”, which leave users exposed to hackers and bad actors who could steal personal data, and get unauthorised access to personal messages. It would be a terrifying template in the hands of hostile regimes.
We urge the government to remove the powers in the Online Safety Bill that will allow Ofcom to impose this technology on private chat platforms.
Confidentiality cannot be guaranteed
Braverman refers to the Safety Tech Challenge Fund, a UK government funded programme that supported the development of proof-of-concept tools for detecting child sexual abuse on encrypted systems. An evaluation of five of those projects found that: “Although none of the PoC tools propose to weaken or break the end-to-end encryption protocol, from a human rights perspective, the confidentiality of the E2EE service users’ communications cannot be guaranteed when all content intended to be sent privately within the E2EE service is monitored pre-encryption.”1
Over 80 civil society organisations, academics and cyber experts disagree with Braverman
Over 80 civil society organisations, academics and cyber experts from 23 countries have warned of the threats to security posed by the proposals to scan private messages. The signatories state that, “this poses a significant risk to the security of digital communication services not only in the UK, but also internationally”.
They also criticise the government’s claims that they can scan messages without breaking end-to-end encryption: “Technology, known as client-side scanning, which has been heavily criticised by experts, will turn chats into spaces that are dangerous for everyone’s privacy, security and free expression. The UK government asserts that client-side scanning will not compromise privacy, but evidence from cyber-security experts worldwide contradicts this view.
Read the letter here: https://www.openrightsgroup.org/press-releases/online-safety-bill-protect-encrypted-messaging/
Tech companies
Tech companies have also voiced their concerns with WhatsApp and Signal saying they would withdraw from the UK if they were forced to weaken the security of their products. Yesterday, Apple became the latest tech company to state their opposition to the proposals.
Footnote
REPHRAIN: Towards a Framework for Evaluating CSAM Prevention and Detection Tools in the Context of End-to-end encryption Environments: a Case Study pp2: https://bpb-eu-w2.wpmucdn.com/blogs.bristol.ac.uk/dist/1/670/files/2023/02/Safety-Tech-Challenge-Fund-evaluation-framework-report.pd
OPen Letter: Protect Encrypted messaging
Over 80 civil society organisations, academics and cyber experts write to the UK government over threat to the security and privacy of billions of people who use apps like WhatsApp and Signal.
Find out more