Online Safety Act slammed by rights groups as bill gains royal assent


The UK’s Online Safety Act has been the subject of scathing criticism by privacy rights groups in the wake of receiving royal assent, with opponents arguing the bill compels the creation of backdoors into encrypted messaging.

Across its two-and-a-half year journey to becoming law, the Online Safety Act has come under heavy scrutiny and criticism from many in the tech industry. 

Its stated goal is to protect children from harm online and to prevent the spread of illegal content, but experts have criticized the extent of the legal requirements the act places on social media firms to implement these changes.

Section 122 of the Online Safety Bill provides Ofcom with the power to compel any tech firm to scan its content for child sexual abuse or terrorism content, or else face fines of up to £18 million or 10% of annual turnover.

This has profound implications for end-to-end encryption (E2EE) in the UK, as social media firms contend they cannot scan encrypted messages without breaching their commitments to uphold user privacy.

The Open Rights Group has criticized the bill for its powers to break encryption and provide government agencies with a ‘backdoor’ on popular messaging apps such as Signal, WhatsApp, or Telegram.

In a post on X (formerly Twitter) to mark the passing of the bill, the group once again registered its protestations against the bill’s powers.

“This grab bag of half-baked fantasy solutions to misunderstood (or misrepresented) problems has received Royal Assent, including powers to break encryption in messaging apps and censor content before it's even posted,” it stated.

Signal’s Meredith Whittaker, who took over as the firm’s first president in September 2022, also reiterated Signal’s threat to leave the UK if Ofcom asked it to build a backdoor to user messages.

Officials from other companies such as WhatsApp have threatened to remove their apps from the UK based on the same concerns.

“The fact remains that scanning everyone’s messages would destroy privacy as we know it. That was as true last year as it is today,” said Will Cathcart, head of WhatsApp at Meta, in a post on X in September.

“WhatsApp will never break our encryption and remains vigilant against threats to do so.”

On its passage through the Lords, the government attempted to quell the concerns of tech firms by stating that Ofcom can only impose “technically feasible” requirements.

But the text of the bill and government communications surrounding it continue to state that firms will be required to use “best efforts” to develop technologies to allow for the scanning of content on public and private channels, which would see firms forced to compromise E2EE to meet legal requirements.


The UK government has run campaigns against E2EE for years, arguing that the technology allows criminals to operate without fear of government oversight. 

Tech companies have not faced official restrictions on the use of E2EE to date, and the government has argued that the Online Safety Act does not infringe on the freedom of users to choose E2EE apps.

The Online Safety Bill had been put ‘on ice’ in July 2022, and remained relatively unchanged and inactive until December 2022. In this time, many experts called for a rethink on core elements of the bill, including its approach to E2EE, but when it returned for readings in parliament the content remained largely unchanged.

Martin Albrecht, professor of cyber security and chair of cryptography in the Department of Informatics at King's College London, told BBC News in September that there is no “magical technology” that allows messages to remain private while being scanned.

Others in the industry have praised the act’s various protections for users of online platforms, and argued that businesses and Ofcom alike have a responsibility to ensure good controls and practices are followed as a matter of urgency.

“The Online Safety Bill receiving Royal Assent is a moment that has been years in the making and should be welcomed by all who value internet safety,” said Chris Dimitradis, chief global strategy officer at ISACA, the association of IT professionals.

“If implemented effectively, this legislation will provide appropriate protection for UK citizens to be protected online. But to achieve this mission, Ofcom has a crucial role to play. It will be essential for the regulator to set robust data quality controls, clear technology standards and auditing codes of practice right from the onset. 

“Only then can we ensure affected firms have a comprehensive integrated risk management framework in place to guide their implementation of the UK’s new laws.”

Dimitradis added that businesses have a responsibility to put checks and training in place in order to ensure they are compliant with the act, if they haven’t already.

“As a priority, they must equip their staff with the IT training and skills that they need to use, manage and understand data to avoid being caught breaking the law. This includes having the right processes in place to inform, correct and compensate stakeholders in the event of a breach of the legislation.” 

Many of the act’s powers will come into force by the end of the year, but Ofcom has been given specific powers early so that it may establish plans by the time it is expected to begin enforcing controls.

In line with this, the regulator will run a consultation beginning on 9 November.

Rory Bathgate
Features and Multimedia Editor
