UK Government ‘Concession’ On Breaking End-to-End Encryption In The Online Safety Act (Just Passed) Turns Out Not To Be One

Last week Techdirt wrote about an important development in the long-running saga of the UK's Online Safety Act, which has just become law. The UK government said at that time it would not use controversial powers in the new law to break end-to-end encryption until it was "technically feasible" to do so while preserving users' privacy. That seemed to be a recognition that it was impossible to carry out scanning that safeguarded privacy with any existing technology, despite previous claims to the contrary. Since it is extremely unlikely such technology will ever exist, the hope was that the UK government was effectively dropping the idea with this concession. But in the days that followed, this optimistic interpretation has seemed less certain. When the "technically feasible" caveat was first mentioned, the Guardian pointed out:
the government has not changed the wording of the bill, which still gives [the UK regulatory body] Ofcom the power to issue an accredited technology notice. A government spokesperson said: "Our position on this matter has not changed".
Further evidence that the underlying intent hasn't changed is found in an article in the Independent:
[UK] Technology Secretary Michelle Donelan insisted that nothing had changed in the long-awaited legislation, after privacy campaigners earlier this month claimed a victory following widespread reports of a shift in the Government stance on encryption.
Donelan gave more details of how the new Online Safety Act would work in practice:
In terms of end-to-end encryption, when a platform about to encrypt or already has encrypted - if there were concerns then raised with the regulator that there was paedophilia or child abuse on there, then the regulator would have a conversation with that platform, see what mitigations they could put in place to adhere to the legislation.
If none of that worked, we need a safety net built into this piece of legislation - and the safety net works by the regulator saying you now need to invest in technology that will allow you to maintain the privacy element of encryption, protect encryption, but also enable us to have access and find these criminals, these heinous individuals, these paedophiles, these stains on society.
It may never have to be used. But we think it is important that we put that safety net in legislation.
So it seems the UK government's idea is that Internet companies will be ordered to come up with ways to break end-to-end encryption while maintaining privacy. But don't worry, because that magic encryption backdoor will only be there as a "safety net", not as something that will ever be used routinely. Of course.
Once again, the UK government is attempting an impossible balancing act. On the one hand, it needs to keep the extreme wing of its party happy by bringing in surveillance of encrypted communications. On the other, it doesn't want the UK to lose key messaging services like Signal, WhatsApp and iMessage, which have all said they won't implement back doors. Its solution seems to be the usual demand that tech companies "nerd harder", plus a promise that the new surveillance powers would only be used if the "mitigations" don't work.
The hardliners who don't understand the technology might be happy with that approach, but the tech companies won't be. As soon as the latter are ordered to begin that harder nerding, they will probably pull out of the UK. In other words, despite the "technically feasible" fig leaf, nothing has changed. The UK government's desperate attempt to come up with Schrödinger's encryption backdoor - there for the police, but not there for the tech companies - has failed. It had to choose between mass surveillance and messaging services; by passing the Online Safety Act with the text unchanged, it seems to have chosen surveillance.
Follow me @glynmoody on Mastodon.