UK admits 'spy clause' can't be used for scanning encrypted chat – it's not 'feasible'
But don't celebrate yet ... it has simply kicked the online safety can down the road, Westminster style
Comment Sanity appears to have prevailed in the debate over the UK's Online Safety Bill after the government agreed to ditch proposals – at least for the time being – to legislate the scanning of end-to-end encrypted messages.
In response to questions regarding the technical feasibility of scanning securely encrypted messages and the assessments that Ofcom must make, Lord Parkinson, a Digital, Culture, Media and Sport minister, said: "If the appropriate technology does not exist that meets these requirements, then Ofcom will not be able to use Clause 122 to require its use."
Clause 122 in the Online Safety Bill relates to online terrorism and child exploitation content.
Parkinson said: "A notice can be issued only where technically feasible and where technology has been accredited as meeting minimum standards of accuracy."
Thus no scanning of end-to-end encrypted messages unless it is technically feasible to do so. Quantum computing, anyone?
Victory? Not so fast...
The statements have been widely interpreted as a victory for technology firms, many of which had threatened to exit the UK over the requirement that it must be possible for even strongly end-to-end encrypted messages to be scanned for illegal content.
However, it could also be argued that the changes only represent the bare minimum needed to get the bill across the line. The controversial clauses remain largely in place, with the buck passed to future administrations, or to when reading the messages becomes "technically feasible."
Matthew Hodgson, CEO of secure chat app developer Element, said: "The government saying 'no scanning until it's technically feasible' is nonsense. Scanning is fundamentally incompatible with end-to-end encrypted messaging apps. Scanning bypasses the encryption in order to scan, exposing your messages to attackers."
He told The Register that the statement and the reaction from some sections of the tech community left him terrified. "It's not a win at all," he said.
Hodgson continued: "The ministers must be feeling utterly smug… the pressure has been removed from them to change the bill and stop scanning, and they didn't have to do anything.
"It's terrible because the law still says that scanning can be obligated on encrypted messaging providers, it would still undermine end-to-end encryption. And all it is [doing] is pushing it slightly down the line until somebody decides it's technically feasible, which is a completely subjective thing."
Martina Larkin, CEO of internet freedom org Project Liberty, queried the thinking behind the clause. "No one is questioning that more must be done to protect people, especially children, online. However, the debate should not be about protecting children versus protecting privacy. We can have, and should have, both.
"When it comes to how we build a better web, everybody loses when rash decisions are made. Trying to protect children by building backdoors into encryption will have unprecedented negative consequences for online privacy, the use of people's data as well as the protection of free speech and democratic values. No one would ever willingly let a complete stranger read all of your mail, put cameras in their house, and follow their every move. So why do it online?"
- Now Apple takes a bite out of encryption-bypassing 'spy clause' in UK internet law
- Wrong time to weaken encryption, UK IT chartered institute tells government
- Online Safety Bill age checks? We won't do 'em, says Wikipedia
- International cops urge Meta not to implement secure encryption for all
We'll draw a discreet veil over the devices with potential for surveillance supplied by large technology companies that people have indeed cheerfully installed in their houses. Still, both Larkin and Hodgson make excellent points.
A spokesperson from Index on Censorship said: "The Online Safety Bill as currently drafted is still a threat to encryption and as such puts at risk everyone from journalists working with whistleblowers to ordinary citizens talking in private. We need to see amendments urgently to protect our right to free speech online."
Attempts to paint the UK government's apparent climbdown as a victory for big tech is missing the point. At best, a skirmish might have been won and a ceasefire temporarily declared. However, the larger battle over privacy and encryption on the internet has yet to be fought. ®