UK’s Online Safety Bill Will Actually Just Harm Everyone, Encrypted Service Provider Warns

by Tim Cushing, from Techdirt

Over the past couple of years, we've covered the UK's "Online Safety Bill" extensively. And for good reason, seeing as it has the potential to effectively outlaw end-to-end encryption, and create an unworkable mess for any service (and it's pretty much all of them) engaging in content moderation.

The bill was originally called the "Online Harms Bill," but underwent rebranding, possibly due to legislators and regulators realizing this might signal their true intent: to harm online communications and services. Now it's all about "safety," and that means often claiming this is all being proposed to save the children of the UK from online harms - a claim that continues to be made even though a UK government commission pointed out banning or undermining encryption would actually harm kids.

The ever-expanding legislative proposal has received significant pushback. WhatsApp said it would not break its encryption to appease the UK government. Signal said the same thing, telling legislators it would simply refuse to offer its services in the UK if it was required to undermine or break its encryption.

Proton (of Proton Mail fame) has now weighed in on the harmful "safety" bill in a post on its site, pointing out what some might have missed in this discussion. It's not just about regulating social media services. It's about regulating pretty much everything anyone does online.

Proton offers encrypted services, including cloud storage. It also offers a VPN. These may seem to be outside the parameters of the law (not including the encryption-targeting parts of it) since the bill aims to reduce the amount of "harmful" content people encounter on widely used social media services. But the bill's language is all-encompassing, which means Proton is likely not exempt from the proposed legislation.

At this stage, the bill is so broad that it's not entirely clear who would be subject to it. While primarily targeting social media companies, the bill defines "content" as "anything that is communicated publicly or privately". In practice, as tech companies (like Proton) often offer single accounts encompassing a number of different services, it's likely that services that are not meant to be subject to the law (like email) will inadvertently become subject to it by extension.

That essentially means that almost any online service that has users in the UK could be affected. It also means that messages you send your mom could be treated the same as something you post on social media for everyone to see, which comes dangerously close to violating UK citizens' explicit right to a private life.

This means Proton's executive may be just as liable for user-generated content as companies like Facebook and Twitter. And that could mean jail time if the UK government decides Proton isn't doing enough to enforce its terms of service and/or proactively monitor content for anything the government decides is objectionable. That's a problem when you offer end-to-end encryption: you can't monitor content because you simply cannot see it.

If the bill passes in its current form, Proton (and services like it) would have only four options, none of them good.

  • Remove its end-to-end encryption
  • Weaken its end-to-end encryption
  • Install client-side scanning
  • Cease providing service in the UK

Supporters of the bill simply don't see the problem. If encryption prevents companies from complying with the law, either the encryption goes or they do. The collateral damage is someone else's problem.

Proton doesn't want to leave the UK. But if it can't protect the privacy of its users and still comply with the law, it looks like that will be the only option it has.

If this bill becomes law, the UK will become a third-world nation in terms of internet services. Its residents will have a dearth of options, none of which will be particularly palatable. The companies that remain will have demonstrated by their compliance they have little interest in the security and privacy of their users. And who in their right mind would choose to put their trust in that?
