We examine the current status of End-to-End encryption under the Online Safety Bill’s newest amendment.
We reported on the Online Safety Bill (the “Draft Bill”) in May 2021 shortly after its publication. The Draft Bill has now progressed and the third reading in the House of Lords took place in early September. On Tuesday 18 July, the House of Commons agreed a motion to extend the period of review by 103 days to ensure the Draft Bill would not lapse. Since its publication the Draft Bill has undergone several changes and has had more than 70 pages of additions. However, the most recent House of Lords amendment is creating further debate in both the public and legal spheres.
The effects of the Draft Bill’s Chapter 5 provisions on End-to-End encryption have been discussed since the Draft Bill’s publication in May 2021. The provisions of the Draft Bill require online tech companies to use “accredited technology” to identify child sexual abuse content (CSAM) “whether communicated publicly or privately.” However, on End-to-End encrypted platforms not even the provider itself can see the contents of the communications. Therefore, asking a company to identify CSAM would inevitably compromise this End-to-End encryption. Further, opponents of the provisions say that allowing for any form of scanning creates vulnerabilities for criminals to exploit and allows for monitoring of any kind of content beyond CSAM in the future. The Draft Bill excludes text messages, video calls, and emails from the requirement for encryption measures, as well as messages sent by law enforcement, the public sector, and emergency responders. The exclusion of the public sector and law enforcement from the provisions has also called into question the effectiveness of the Draft Bill.
The consensus amongst legal and cybersecurity experts is that the only way to monitor for CSAM while leaving messages encrypted in transit is to use some kind of client-side scanning. Apple announced in 2021 that it would use a similar system for image uploads to iCloud but subsequently abandoned the idea when it became subject to criticism over privacy issues. Many objections have been raised to this form of scanning, including the basic proposition that AI scanning solutions are intrinsically unreliable and limited.
The House of Lords has been considering objections on this point and has therefore enacted the following amendment to the Draft Bill. OFCOM (the proposed online safety regulator under the Draft Bill) will now be required to commission a report by a “skilled person” before giving technology companies technical notices to scan encrypted messages. According to Lord Parkinson, the “skilled person” is intended to be an independent expert and OFCOM would need to consider how the scanning of encrypted messages in each circumstance would impact on privacy and freedom of expression prior to requiring a company to introduce the technology necessary to read encrypted messages. However, some commentators still believe that these measures do not go far enough to protect privacy and that the implementation of the Draft Bill at all could prevent the UK from becoming a “technological superpower”, which is a stated intention of the current Prime Minister.
This proposed amendment to the Draft Bill was preferred over two alternative amendments proposed by Lord Moylan and Lord Stevenson respectively. The first of these would have prohibited OFCOM from imposing any requirements on technology companies that would weaken or remove End-to-End encryption. The second would have required OFCOM to seek approval from an independent judicial commissioner before issuing a technical notice requiring a technology company to scan encrypted communications. This approval would have included the consideration of evidence and would have operated on a judicial review basis considering proportionality and regard to freedom of expression/privacy, which aligns with the approach to monitoring of bulk communications data set out in the Investigatory Powers Act.
WhatsApp has released a statement regarding the impact the requirements of the Draft Bill could have on its encrypted messaging platform, which has been signed by both Signal and Threema. Apple has also released a statement with a similar message. Some technology platforms have even suggested that they would leave the UK if required to weaken their encryption. Further, over 70 IT security and privacy academics have written an open letter stating the Draft Bill undermines privacy and safety online. In the legal world, the Open Rights Group have obtained a legal opinion from Dan Squires KC and Emma Foubister from Matrix Chambers summarising the issues with requiring social media platforms to proactively screen user content. The opinion states that the Draft Bill risks “fundamental encroachments into the rights of freedom of expression to impart and receive information” and suggests that the proposals in the Draft Bill will “give rise to interference with freedom of expression in ways that are unforeseeable and unpredictable and through entirely opaque processes, and in ways which risk discriminating against minority religious or racial groups”.
It is important to note that since the 2016 Investigatory Powers Act came into force, the Government already possesses the power to demand that electronic communication services remove encryption.
Other changes of note
Just before the Draft Bill passed through the House of Lords, the government announced that it would add a number of new provisions with the objective of:
- Strengthening the existing provisions that protect children against content that promotes suicide, self-harm or eating disorders.
- Explicitly requiring online providers such as social media platforms and pornography sites to impose age verification or estimation measures to prevent children from accessing their services and to make sure that those measures are highly effective in establishing whether the user is a child or not. New measures will also hold top tech executives personally responsible for keeping children safe on their platforms. This will be coupled with further verification measures to reduce “anonymous trolls” by requiring identity verification.
- Making it easier for bereaved parents and coroners to obtain access to data from social media platforms. This will help families and law enforcement understand if online activity contributed to the death in any way.
- Requiring OFCOM to carry out research into the harms arising from app stores.
- Requiring OFCOM to take steps to improve the general public’s ability to identify disinformation and evaluate trusted sources of information. The regulator will need to publish a strategy every 3 years on how it plans to deliver this.
- Requiring OFCOM to publish guidance which summarises, in one clear place, measures that services can take to reduce the risk of harm to women and girls, and which demonstrates best practice. OFCOM will need to consult with the Domestic Abuse Commissioner and Victims Commissioner when producing the guidance, to ensure it reflects the voices of victims, as well as the views of experts on this important issue.
- Bringing measures to protect children into force as quickly as possible after enactment of the Draft Bill.
- Adding four new revenge porn offences including a maximum sentence of 2 years for threatening to share intimate images and the criminalisation of cyber flashing.
Before the Draft Bill finally receives Royal Assent, it will require further scrutiny and further consideration of these proposed amendments. Even after the Draft Bill is enacted into UK law, decisions as to how it will work in practice will have to be made. OFCOM has already stated that it expects some of the decisions to take months. The final outcome of the Draft Bill remains unclear and the future of several provisions is still undecided.