A bad law on the internet is being foisted on the UK

The UK’s Online Safety Bill is Different from the Sandwich Packet: Defending a Secure Messaging Solution for Child Sexual Abuse

The so-called “spy clause” in the UK’s online safety bill, which experts argued would make end-to-end encryption all but impossible in the country, will not be enforced after the government admitted the technology to securely scan encrypted messages for signs of child sexual abuse. Secure messaging services, including WhatsApp and Signal, had threatened to pull out of the UK if the bill was passed.

The draft law will return to the House of Commons today, where members of parliament will have their final chance to debate its content, despite predictions that the current government will be voted out of power next year. “It is very different from the sandwich packet, not least because there’s no brie smears on it,” says Woods, a law professor at the University of Essex. Each of the different Conservative administrations has left its own mark on it. Woods believes that may have added to the baroque ornamentation.

Many others are much less critical of their critics. The bill today is over 260 pages, reflecting how ministers and MPs prioritised their own interests over preserving the country. Many of the original misinformation provisions have been removed or watered down. There has been a backlash against the requirement that messaging platforms scan for child sexual abuse images, something that tech companies and privacy groups claim can only be achieved by weakening end-to-end encryption.

The platforms are threatening to pull out of the UK if the law is passed. They probably aren’t bluffing, and the bill probably will pass.

Encryption-breaking Scanners: a victory for the UK government in a battle of technology companies and privacy activists, and a campaign against the Brownian Bill

Tech companies and privacy activists are claiming victory after an eleventh-hour concession by the British government in a long-running battle over end-to-end encryption.

“It’s absolutely a victory,” says Meredith Whittaker, president of the Signal Foundation, which operates the Signal messaging service. Whittaker has been a staunch opponent of the bill, and has been meeting with activists and lobbying for the legislation to be changed. “It commits to not using broken tech or broken techniques to undermine end-to-end encryption.”

The UK government hadn’t specified the technology that platforms should use to identify CSAM being sent on encrypted services, but the most commonly-cited solution was something called client-side scanning. On services that use end-to-end encryption, only the sender and recipient of a message can see its content; even the service provider can’t access the unencrypted data.

Scanning for CSAM client-side means examining the message before it is sent and comparing it to a database held on a server somewhere else. That, according to Alan Woodward, a visiting professor in cybersecurity at the University of Surrey, amounts to “government-sanctioned spyware scanning your images and possibly your [texts].”

In December, Apple decided to scrap its plans to build client-side scanning technology for cloud storage after learning that it couldn’t make the system work without violating users’ privacy.

The bill would likely pave the way for governments to monitor people in new ways, as opponents say that it will make searching for CSAM images easier. “You make mass surveillance become almost an inevitability by putting [these tools] in their hands,” Woodward says. The security forces will always be looking for something else if they think of exceptional circumstances.

Although the UK government said that it won’t force technology on tech companies, and that it isn’t using the powers under the bill, the controversial clauses are still in the legislation and are likely to pass into law. Woodward says that it has still not gone away, but that it is a step in the right direction.

James Baker, campaign manager for the Open Rights Group, a nonprofit that has campaigned against the law’s passage, says that the continued existence of the powers within the law means encryption-breaking surveillance could still be introduced in the future. He thinks the powers in the bill would be a better idea.

Some people are not positive about the change of heart. Matthew Hodgson of UK-based Element says “nothing has changed.” “It’s only what’s actually written in the bill that matters. Scanning is fundamentally incompatible with end-to-end encrypted messaging apps. You expose your messages to attackers when you violate the encryption. So all ‘until it’s technically feasible’ means is opening the door to scanning in future rather than scanning today. It is not a change, it is kicking the can down the road.”

Whittaker acknowledges that the law won’t be aggressively enforced. “But it’s major. We can recognize a win without claiming that this is the final victory,” she says.

The implications of the British government backing down will have far-reaching effects outside the UK. Security services around the world have been pushing for measures to weaken end-to-end encryption, and there is a similar battle going on in Europe over CSAM, where the European Union commissioner in charge of home affairs, Ylva Johansson, has been pushing similar, unproven technologies.

“It’s huge in terms of arresting the type of permissive international precedent that this would set,” Whittaker says. “The UK was the first jurisdiction to be pushing this kind of mass surveillance. It stops that momentum. And that’s huge for the world.”