Wrong time to weaken encryption, UK IT chartered institute tells government
Plus: Signal, WhatsApp, and Viber also write online protest over Online Safety Bill back door
The UK’s chartered institute for IT has slammed proposed legislation that could see the government open a “back door” to encrypted messaging.
BCS, formerly the British Computer Society, has warned that weakening encryption of secure messaging apps in online safety legislation would damage public trust in technology.
The controversial Online Safety Bill is set to be heard in the House of Lords for scrutiny this week. It sets out wide-ranging measures designed to protect people, particularly children, in their online lives.
However, critics have argued that — however well-intentioned — the legislation could create a back door for governments to read encrypted messages.
In a statement, BCS chief executive Rashik Parmar said: “It’s the wrong time to weaken encryption when it is vital to public trust in the value of technology. Every genuine tech professional wants children to be safe online; but we need to guard the basic security that underpins everyone’s privacy.
“There is grave concern that the Online Safety Bill’s requirements around identifying illegal content could break the principle of end-to-end encryption with the promise of a magical backdoor. Once a backdoor has been compromised, data and content protected by the encryption becomes accessible. This is exactly what many bad actors would welcome.
'If privacy is outlawed, only outlaws will have privacy'
In an open letter this morning, addressed to "anyone who cares about safety and privacy on the internet," end-to-end-encrypted communication platforms Element, Session, Signal, Threema, Viber, WhatsApp and Wire urged UK.gov to reconsider its current plans.
They called the bill an "unprecedented threat to the privacy, safety and security of every UK citizen and the people with whom they communicate around the world" adding that the move would embolden "hostile governments who may seek to draft copy-cat laws."
Global providers of end-to-end encrypted products and services cannot weaken the security of their products and services to suit individual governments. There cannot be a "British internet," or a version of end-to-end encryption that is specific to the UK.
The UK Government must urgently rethink the Bill, revising it to encourage companies to offer more privacy and security to its residents, not less. Weakening encryption, undermining privacy, and introducing the mass surveillance of people's private communications is not the way forward.
“Building confidence in technology is a global priority in 2023. A bill aimed at keeping us safe online should protect encrypted messaging,” he said.
We've been here before
This is not the British government's first encryption-breaking rodeo. It has for years called upon tech companies to break encryption so law enforcement can listen in: most notably former Home Sec and then PM Theresa May, and later former Home Sec Amber Rudd and former UK Home Secretary Priti Patel.
Erstwhile Prime Minister David Cameron even proposed banning online messaging applications that support end-to-end encryption in 2015.
What about this bill?
The Online Safety Bill is set to give media regulator Ofcom powers to make platforms identify and remove child abuse content. Any companies refusing to comply could face large fines.
In February, encrypted chat service Signal said it would put an end to its UK operations if the Online Safety Bill was enacted in its current state. Proposals for device-side scanning — designed to protect children from harmful content — break the security of end-to-end encryption at the same time, it argued.
The legislation contains what critics have called "a spy clause". It requires companies to remove child sexual exploitation and abuse (CSEA) material or terrorist content from online platforms "whether communicated publicly or privately." As applied to encrypted messaging, that means either encryption must be removed to allow content scanning or scanning must occur prior to encryption.
Meredith Whittaker, president of the Signal Foundation, told The Register: "Many millions of people globally rely on us to provide a safe and secure messaging service to conduct journalism, express dissent, voice intimate or vulnerable thoughts, and otherwise speak to those they want to be heard by without surveillance from tech corporations and governments."
"We have never, and will never, break our commitment to the people who use and trust Signal. And this means that we would absolutely choose to cease operating in a given region if the alternative meant undermining our privacy commitments to those who rely on us."
In response to Whittaker's remarks, Dr Monica Horten, policy manager for freedom of expression at Open Rights Group, also urged the UK government to drop the clause.
When the legislation was first proposed in March, 2022, Nadine Dorries, digital secretary at the time, said, “Tech firms haven’t been held to account when harm, abuse and criminal behaviour have run riot on their platforms. Instead, they have been left to mark their own homework. If we fail to act, we risk sacrificing the wellbeing and innocence of countless generations of children to the power of unchecked algorithms.” ®