Is the UK’s Online Safety Act a threat to encryption?

Image of the UK flag - Destination Certification

Today, we’re going to take a look at the UK’s recently passed Online Safety Act, which has raised concerns about its potential to impact privacy and security across the globe. The legislation is complex, and a newsletter isn’t the format to go through its entirety or nitpick through all of the legalese. Instead, we will focus on how it could affect end-to-end encryption, one of the most important technologies for preventing companies, governments and hackers from reading the contents of our communications.

What does the Online Safety Act say?

The legislation is partially concerned with user-to-user services. You can check out the official definition in Part 2 of the legislation, but both social media platforms and messaging apps fall under its umbrella.

In section 121, the legislation states that the regulator, OFCOM, may submit notices to these providers that order them to use “accredited technology” to identify and take down terrorism or child sexual exploitation and abuse (CSEA) content. Further, the legislation states that ‘technology is “accredited” if it is accredited (by OFCOM or another person appointed by OFCOM) as meeting minimum standards of accuracy in the detection of terrorism content or CSEA content (as the case may be).’

When OFCOM issues these notices, they must contain the details of which accredited technology the service provider must use, as well as how it will be implemented [see section 125 (6)], among other things.

How can a provider identify and take down content protected by end-to-end encryption?

Let’s run through how this could work when it comes to end-to-end encryption. Hypothetically, OFCOM would issue a notice to WhatsApp or Signal, demanding that they use technology to scan for and remove terrorism and CSEA content from their platforms. However, because of how the underlying cryptographic protocols are set up, neither provider can see any of the content shared on their platforms. In the case of WhatsApp, the company can see the metadata, such as who is communicating with whom and when they communicate, but Signal stores substantially less information.

By definition, end-to-end encryption means that the provider cannot see the content because the data is encrypted from client to client. The provider does not have the keys to access it, even when it passes through its servers.

So, if a notice was issued, neither WhatsApp nor Signal are capable of complying under their current configurations. The only way they would be able to comply would be to break their protocols for everyone. If some sort of backdoor or security weakness was installed for the UK Government, it would make the protocols more vulnerable and could make it much easier for hackers to compromise them as well. This would pose a threat to all users.

It is absolutely true that terrorists, child abusers and other criminals use encryption technologies to hide their crimes from the authorities. But if we weaken these technologies, then we also put those who use them for other purposes at risk. End-to-end encryption is critical for activists in authoritarian countries, journalists, politicians, high-level executives, people trying to escape domestic violence, and even just normal people who don’t want companies to know the intimate details of their personal lives.

While these tools can be used for bad, undermining their security would also limit their potential for good. If they were weakened, criminals could move to decentralized communication tools that operate outside of the UK’s jurisdiction. While this option is available for everyone, it has higher technical barriers, so only those who are highly motivated or skilled are likely to use them, meaning that everyone else could lose the privacy and security granted by simple tools like WhatsApp and Signal.

What are the practical ramifications of the Online Safety Act?

Like a lot of technology legislation, the Act is fairly convoluted and difficult to parse. There’s a lot of ambiguity, and without a crystal ball, it’s hard to see how it will actually be applied in the future. But when you consider the power dynamics at play, it seems unlikely that it will have any effect on end-to-end encryption globally.

In discussing the Bill in the House of Lords, Lord Parkinson stated, “…there is no intention by the Government to weaken the encryption technology used by platforms, and we have built strong safeguards into the Bill to ensure that users’ privacy is protected.” While our reading of the Act is less confident of these safeguards, Lord Parkinson is correct that there is nothing explicit about weakening encryption technology.

While the legislation does have concerning elements, it seems doubtful that any reasonable UK Government would order a global provider to undermine its end-to-end encryption technology. This is because the UK is a relatively small market of around 70 million people, and it seems that the likes of WhatsApp, Signal and other providers would not be willing to weaken their global service just to appease the UK Government.

WhatsApp CEO Will Cathcart stated, "The reality is, our users all around the world want security – ninety-eight percent of our users are outside the UK, they do not want us to lower the security of the product and just as a straightforward matter, it would be an odd choice for us to choose to lower the security of the product in a way that would affect those ninety-eight percent of users."

If the UK Government attempted to force these companies into undermining their encryption, it seems likely that the providers would just pull their services from the country, which would probably turn into a PR disaster for the UK Government. A lot of citizens would be outraged if they couldn’t use WhatsApp, Signal, Telegram or iMessage anymore.

While we don’t think that the Online Safety Act will ultimately result in weakening end-to-end encryption at a global level, the law does still have some concerning vocabulary, so we’ll have to wait and see.

Image of the author

Cybersecurity and privacy writer.

Would you like to receive the DestCert Weekly via email?

Your information will remain 100% private. Unsubscribe with 1 click.

Page [tcb_pagination_current_page] of [tcb_pagination_total_pages]