After Passing Online Safety Bill, UK Government Gets Back To Harassing Meta About Its End-To-End Encryption

Last week, it appeared, ever so briefly, that the UK government might finally be giving up on its desires to legislate at least one end of messaging services' end-to-end encryption. Having faced resistance from nearly every encrypted service (all of which threatened to exit the UK if anti-encryption mandates were put in place) as well as internal reports strongly suggesting undermining encryption would be a truly terrible idea, it seemed those pushing the Online Safety Bill were finally willing to accept the uncomfortable fact that breaking encryption only results in broken encryption. What it doesn't do is end the online harms the UK government felt this bill addressed.
But the concession wasn't much of a concession. Nothing changed in the wording of the bill. All that really happened is a couple of proponents suggested the UK government wouldn't pull the trigger on encryption-breaking demands immediately. This concession was surrounded by statements suggesting government officials truly thought the only thing standing between it and "safely" broken encryption was recalcitrant techies working for services like WhatsApp and Signal.
Parkinson said that Ofcom, the tech regulator, would only require companies to scan their networks when a technology was developed that was capable of doing so.
[...]
"As has always been the case, as a last resort, on a case-by-case basis and only when stringent privacy safeguards have been met, [the legislation] will enable Ofcom to direct companies to either use, or make best efforts to develop or source, technology to identify and remove illegal child sexual abuse content - which we know can be developed," the government said.
The Online Safety Bill has now been passed by the UK Parliament. And, as Glyn Moody recently pointed out, all the anti-encryption language remains intact.
[UK] Technology Secretary Michelle Donelan insisted that nothing had changed in the long-awaited legislation, after privacy campaigners earlier this month claimed a victory following widespread reports of a shift in the Government stance on encryption.
Now that the bill has passed with the anti-encryption mandates still intact, it looks like the UK government is going back to leaning hard on uncooperative tech companies in hopes of pressuring them into abandoning encryption plans prior to the implementation of the new law. Facebook has long been the target of criticism from governments around the world that seem to feel they're entitled to demand Meta not protect its Facebook Messenger service with end-to-end encryption.
Years of ignored requests are culminating in a last-minute push by UK legislators, as Natasha Lomas reports for TechCrunch:
In an interview on BBC Radio 4's Today Program this morning, [Home Secretary] Suella Braverman claimed the vast majority of online child sexual abuse activity that U.K. law enforcement is currently able to detect is taking place on Facebook Messenger and Instagram. She then hit out at Meta's proposal to expand its use of E2EE "without safety measures" to the two services - arguing the move would "disable and prohibit law enforcement agencies from accessing this criminal activity [i.e. CSAM]".
Saying that one of the most popular messaging services is responsible for the most CSAM reports doesn't really say anything more than the service has a lot of users. It doesn't mean Meta somehow cares less about limiting the sharing of CSAM than other, less popular services. And I have no idea what "safety measures" Braverman thinks can be attached to E2EE services without, you know, removing at least an E or two.
Braverman doesn't know or doesn't care. Or both. Her further comments indicate she'd prefer Meta just maintained its less-than-secure status quo, sacrificing users' privacy and security in favor of government gains.
First, there's the stick:
Asked by the BBC what the government would do if Meta goes ahead with its E2EE rollout without the additional measures she wants, Braverman confirmed Ofcom has powers to fine Meta up to 10% of its global annual turnover if it fails to comply with the Online Safety Bill.
Then there's the carrot - Braverman says she wants to "work constructively" with Meta to create some sort of magical form of encryption Meta can break at will without compromising user security.
Then there's the insanity:
"My job is fundamentally to protect children not paedophiles, and I want to work with Meta so that they roll out the technology that enables that objective to be realised. That protects children but also protects their commercial interests," she said. "We know that technology exists..."
Really? Where is it? Can you point to any examples of this encryption that remains secure despite deliberately introduced flaws? Have you tried it out? Have you performed a security audit on it? SHOW ME ON THE PUBLICLY RELEASED GOVERNMENT REPORT WHERE THIS TECHNOLOGY ALREADY EXISTS.
While it's true tech exists to detect hashes that match known CSAM, no tech exists to perform hash-matching on E2EE communication services. The only way to do this is to perform scanning on one side of the communication. And to do that, you have to remove the encryption from one end. Some have suggested this is a solution to the problem. But the only tech company that considered moving forward with voluntary client-side scanning abandoned that plan shortly after hearing from everyone (anti-encryption legislators excepted, of course) what a bad idea that would be.
So, in a sense, the tech does exist. But it's not something anyone truly concerned about safety, security, or privacy would consider to be a real solution to the CSAM problem. But that's what the UK government wants: insecure services that allow it to take a look at anyone's communications. And that should never be considered an acceptable outcome.