UK Government Pauses Demands For Broken Encryption In Its Online Safety Bill
The UK government is still pushing a bill that would give it more direct control of the internet, but it has, at least for the time being, decided against mandating broken encryption.
For months now, supporters of the Online Safety Bill have insisted the only way to stop the spread of child sexual abuse material (CSAM) is to engage in always-on scanning of user content. Services that utilized end-to-end encryption (like Signal, WhatsApp, and Apple's iMessage) would be forced to break encryption to scan content.
That mandate has provoked an intense amount of backlash from the affected service providers. The three listed above have all informed the UK government that they would pull their services from the UK, rather than comply with this mandate.
As these entities pointed out (on multiple occasions), introducing deliberate security flaws makes everyone less secure, not just those engaged in criminal activity. The government's own Information Commissioner arrived at the same conclusion: that breaking end-to-end encryption would actually make children less safe and more likely to be targeted/located by sexual abusers.
The good news is that, for the moment, the UK government has decided to drop this mandate, as 9to5Mac reports, quoting from a (paywalled) Financial Times article.
TheFinancial Timesreports that the government has now agreed to drop from the Online Safety Bill the requirement to scan messaging apps for illegal content.
The UK government will concede it will not use controversial powers in the online safety bill to scan messaging apps for harmful content until it is technically feasible" to do so, postponing measures that critics say threaten users' privacy.
A planned statement to the House of Lords on Wednesday afternoon will mark an eleventh-hour bid by ministers to end a stand-off with tech companies, including WhatsApp, that have threatened to pull their services from the UK over what they claimed was an intolerable threat to millions of users' security.
It's a win, especially for UK citizens, who were facing loss of access to some of the most popular communication services on the planet. But it's not a complete victory for anyone. Minister Lord Stephen Parkinson still seems to believe it's possible to compromise encryption without, you know, compromising it. The big nerds at Big Tech just need to work harder at ushering this magical form of technology into existence.
Parkinson said that Ofcom, the tech regulator, would only require companies to scan their networks when a technology was developed that was capable of doing so.
[...]
As has always been the case, as a last resort, on a case-by-case basis and only when stringent privacy safeguards have been met, [the legislation] will enable Ofcom to direct companies to either use, or make best efforts to develop or source, technology to identify and remove illegal child sexual abuse content - which we know can be developed," the government said.
Pressing pause on the mandate, but still living in denial. There's no such thing as securely compromised encryption. Either it's secure or it isn't. Just because the security flaws have been introduced by a government mandate doesn't make these flaws any less exploitable by more malicious entities. And it doesn't make it any less likely governments with histories of human rights abuses will leverage these mandates and the resulting broken encryption to engage in even more human rights abuses.
It either works or it's broken. The UK government needs to fully accept this fact if it's ever going to move on towards actually doing something useful to protect children from sexual abusers. As long as it continues to pretend the impossible is constantly just over the tech horizon, it will only reduce its citizens communication options and put every user of these services - no matter where they're located - at risk.