Urupong - stock.adobe.com

IT experts issue new warnings over Online Safety Bill plans to weaken end-to-end encryption

BCS, The Chartered Institute for IT, argues the government is seeking a technical fix to terrorism and child abuse without understanding the risks and implications

This article can also be found in the Premium Editorial Download: Computer Weekly: The dangers of breaking encryption

Plans by the government in the Online Safety Bill (OSB) to require tech companies to scan encrypted messages will damage the UK’s reputation for data security, the UK’s professional body for IT has warned.

BCS, The Chartered Institute for IT, which has 70,000 members, said government proposals in the new law to compromise end-to-end encryption are not possible without creating systemic security risks and, in effect, bugging millions of phone users.

The warning, in a study by the BCS Fellows Technical Advisory Group, comes as the controversial bill introducing new powers to monitor encrypted communications for child abuse and other illegal content returns for its third reading in the House of Lords.

The BCS argues in The Online Safety Bill and the role of technology in child protection, produced by a panel of 21 technology experts, that the government is seeking to impose a technical solution to a problem that can only be solved by broader interventions from police, social workers and educators.

Some 70% of BCS members say they are not confident that it is possible to have both truly secure encryption and the ability to check encrypted messages for criminal material.

The chair of the BCS Fellows Technical Advisory Group, Adam Leon Smith, told Computer Weekly that the government cannot rely on untested technology to meet the objectives of the Online Safety Bill, which aims to protect internet users from illegal or harmful content.

“The government is trying to legislate technology into existence. Rather than looking at broader approaches such as education, training and public awareness, it is looking for technology to solve the problems,” he said.

Economic impact

The Online Safety Bill gives the regulator Ofcom powers to require communications services to install “accredited technology” to inspect the contents of messages sent by end-to-end encrypted services for child abuse or terrorism content.

Ofcom will have powers to impose scanning technology without requiring authorisation from a court or an independent judicial commissioner, in effect bypassing the existing safeguards governing surveillance in the UK’s Investigatory Powers Act 2016.

The proposals have led to a backlash from encrypted messaging providers, including WhatsApp, Signal and Element, which have threatened to withdraw their services from the UK if the bill becomes law.

The BCS’s expert group said the proposed legislation was likely to damage the UK’s international reputation on data security and its reputation as an effective regulator of technology.

As well as undermining the market for products developed in the UK, the OSB would make the UK an insecure link in cross-border communications, it said.

“My fear for individuals is they will be forced to use technologies which do not protect privacy but claim that they do. My fear for businesses in the UK is they will become second-class citizens compared to their trading partners in terms of data adequacy,” said Smith.

In Australia, a 2021 study by the Internet Society found that the Australian Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, better known as TOLA – which gave the state powers to require communications companies to assist in providing access to encrypted data – had the potential to cost the Australian economy multiple billions of dollars and to undermine trust in digital services and the internet.

Government response

A government spokesperson said: “We are unambiguously pro-innovation and pro-privacy. However, we have made clear that companies should only implement end-to-end encryption if they can simultaneously prevent abhorrent child sexual abuse on their platforms.”

The spokesperson said the Online Safety Bill does not give Ofcom or the government any powers to monitor users’ private messages. 

“As a last resort, and only when stringent privacy safeguards have been met, the Online Safety Bill will enable Ofcom to direct companies to either use, or make best efforts to develop or source, technology to identify and remove illegal child sexual abuse content,” the spokesperson added.

Client-side scanning

Ofcom is expected to mandate technology known as client-side scanning to inspect the contents of communications sent by secure messaging services and mobile phones before they are encrypted.

This would require communications service providers to install software capable of analysing messages and to send reports back either to a government agency or a technology provider.

The BCS argues that client-side scanning would introduce a systemic vulnerability that could be exploited by criminals or hostile nation-states that is likely to outweigh any benefit to law enforcement.

BCS recommendations

  • Policymakers need improved understanding of the technology issues posed by the Online Safety Bill, to avoid unintended consequences as the bill moves into law.
  • Legislation should address not just technical intervention, but also education, training of professionals, and public awareness programmes.
  • Online safety policies should aim to provide young people, their parents and advisers with an understanding of risks and how to mitigate them, rather than assuming technology will prevent those risks from arising.
  • Compromising end-to-end encryption used by popular messaging apps is not possible without introducing systemic risks and “bugging” millions of users’ phones.
  • Age-verification proposals are not yet proven to prevent illegal access to material adequately. Similarly, current detection of child sexual abuse material is highly unreliable.
  • The UK’s international reputation for data security is likely to decline with legislation that undermines encryption – as illustrated by public statements from WhatsApp and Signal.

Another scanning technology under consideration, homomorphic encryption, which makes it possible to perform calculations on encrypted data to identify its content, would also weaken encryption.

BCS experts are divided over how long it will take to develop a useable version of homomorphic encryption, with estimates ranging from a few years to 20 years, said Smith.

“But it wouldn’t be end-to-end encryption. It would be a weakened version of it,” he added.

Privacy trade-off should be proportionate

The trade-off proposed by the Online Safety Bill, which will weaken the privacy of all citizens, including children, according to the BCS report, should be evidence based and proportionate to the problem.

Although end-to-end encryption has grown significantly since 2015, it has not led to a decrease in UK prosecutions for images of abuse.

And in Germany, a study by the Max Planck Institute showed that increased digital surveillance did not lead to an increase in criminal convictions.

At the same time, police have shown that they have been able to penetrate fully encrypted communications systems following a series of cross-border operations to harvest messages from the EncroChat and Sky ECC phone networks and other encrypted services.

Risks of client-side scanning not well understood

Research published by Imperial College London in May found that the risks of using client-side scanning are not yet well enough understood to justify its deployment on hundreds of millions of devices. The university researchers warned that government agencies, including intelligence and law enforcement, could embed hidden features such as facial recognition or other surveillance capabilities in client-side scanning technology.

The UK’s National Research Centre on Privacy, Harm Reduction and Adversarial Influence Online (REPHRAIN) has called on politicians to consider an independent scientific evaluation of scanning technology before voting through the bill.

And in July, some 70 UK information security and cryptography researchers warned in an open letter that the proposals for mandating technology to monitor encrypted messaging services in the OSB could be exploited by hostile governments or hackers for malicious purposes if they were introduced.

Their open letter from security and privacy researchers in relation to the Online Safety Bill also argued that reliable solutions for detecting child sexual abuse images did not yet exist and risked generating false positives.

That could lead to private, intimate or sensitive messages being wrongly passed on to reviewers in technology companies or law enforcement, the letter stated.

It could also inundate police and intelligence services with large quantities of data, including false positives, that would be difficult to process.

House of Lords rejected amendments

The House of Lords introduced an amendment to the Online Safety Bill in July, which will require the regulator to commission a report by a “skilled person” before giving tech companies technical notices to require them to install technology to scan encrypted messages. It is not clear what qualifications the person would need or what assessment would be required before permitting scanning.

However, politicians have been wary of criticising provisions in the Online Safety Bill that would damage privacy as it is being presented as a bill to combat child abuse and terrorism, causes that it is difficult to argue against.

“It can be incredibly difficult for politicians to speak out about it, and it is unfortunate that there does not seem to be a political appetite to block this bill,” Smith said.

Labour dropped a proposed amendment that would have required an independent judicial commissioner to review whether the measures were proportionate and that appropriate regard had been given to freedom of expression and privacy rights.

The Lords also dropped a proposed amendment by Conservative peer Lord Moylan, which would prohibit Ofcom from imposing any requirement on technology companies that would weaken or remove end-to-end encryption.

Vulnerabilities will be exploited by rogue states

Matthew Hodgson, CEO of the encrypted messaging and collaboration platform Element, and technical co-founder at Matrix.org, told Computer Weekly that scanning technology would create vulnerabilities that could be exploited by hackers and rogue states.

He said the UK was in danger of setting a precedent for less democratic nations to introduce similar surveillance on communications.

“Detecting illegal content means all content must be scanned in the first place. By adding the ability to use scanning technology at all, you open the floodgates to those who would exploit and abuse it. You put the mechanism in place for mass surveillance on UK citizens by the ‘good guys’ and the bad,” he said.

“Detecting illegal content means all content must be scanned in the first place. By adding the ability to use scanning technology at all, you open the floodgates to those who would exploit and abuse it”
Matthew Hodgson, Element and Matrix.org

“Bad actors don’t play by the rules. Rogue nation states, terrorists and criminals will target that access with every resource they have. The OSB is outright dangerous,” he added.

Commenting on the BCS report, Robin Wilton, director of internet trust at the Internet Society, said the government should increase its support for policies with less dangerous consequences, including public awareness campaigns, professional training and conventional police work.

“The trust that the government places in emerging technologies to solve societal problems is unproven. Technologies that compromise encryption through circumvention or backdoor access would expose UK residents to a new array of online harms, including blackmail and scams,” said Wilton.

BCS chief executive Rashik Parmar said those responsible for creating the technology mandated by the Online Safety Bill must ensure it meets the highest standards of competence, inclusivity, ethics and accountability.

Read more about the debate on end-to-end encryption

Read more on Privacy and data protection