One of the controversial aspects of the UK Online Safety bill is banning effective encryption. It appears that has been paused.
The UK Online Safety bill is continuing to be massively controversial for very good reasons. As we noted earlier, the bill does a number of things. First, it mandates privacy-busting age verification requirements. This was actually a topic the Open Rights Group recently highlighted. Additionally, it criminalizes “harmful content”, to the point where trolling someone could land people in jail. On top of that, it bans effective encryption, requiring all encryption to contain backdoors that ‘only the good guys’ can get into while keeping criminals out.
The last one is, of course, not possible. Mandating a backdoor does nothing but undermine everyone’s security: once a weakness is introduced, it can be exploited by bad actors, full stop. In this day and age, a great deal could be compromised as a result. Whether it is SSL (and with it, for instance, your banking information), VPN security (and with it business communications), or documents that have been securely encrypted, every layer of protection that relies on that encryption breaks down, making everything less secure.
The problem here isn’t just that security breaks down for people within the UK, but rather that it compromises everyone’s security around the world. If you are an American business representative sending sensitive information to another business, what happens if the encryption used is one the UK has approved? It means that the security employed has been tampered with. As a result, it introduces a new risk that bad third-party actors can break the encryption and access those “secure” documents, using whatever weakness was introduced. You might not have any connection to the UK. The person on the other end of the line may not have any connection to the UK. Yet, despite all of this, your information is still potentially compromised.
Apparently, the UK government has decided to put a pause on the effective encryption ban aspects of the Online Safety bill. From TechDirt:
The good news is that, for the moment, the UK government has decided to drop this mandate, as 9to5Mac reports, quoting from a (paywalled) Financial Times article.
The Financial Times reports that the government has now agreed to drop from the Online Safety Bill the requirement to scan messaging apps for illegal content.
The UK government will concede it will not use controversial powers in the online safety bill to scan messaging apps for harmful content until it is “technically feasible” to do so, postponing measures that critics say threaten users’ privacy.
A planned statement to the House of Lords on Wednesday afternoon will mark an eleventh-hour bid by ministers to end a stand-off with tech companies, including WhatsApp, that have threatened to pull their services from the UK over what they claimed was an intolerable threat to millions of users’ security.
It’s a win, especially for UK citizens, who were facing loss of access to some of the most popular communication services on the planet. But it’s not a complete victory for anyone. Minister Lord Stephen Parkinson still seems to believe it’s possible to compromise encryption without, you know, compromising it. The big nerds at Big Tech just need to work harder at ushering this magical form of technology into existence.
Parkinson said that Ofcom, the tech regulator, would only require companies to scan their networks when a technology was developed that was capable of doing so.
[…]
“As has always been the case, as a last resort, on a case-by-case basis and only when stringent privacy safeguards have been met, [the legislation] will enable Ofcom to direct companies to either use, or make best efforts to develop or source, technology to identify and remove illegal child sexual abuse content — which we know can be developed,” the government said.
Pressing pause on the mandate, but still living in denial. There’s no such thing as securely compromised encryption. Either it’s secure or it isn’t. Just because the security flaws have been introduced by a government mandate doesn’t make these flaws any less exploitable by more malicious entities. And it doesn’t make it any less likely governments with histories of human rights abuses will leverage these mandates and the resulting broken encryption to engage in even more human rights abuses.
That is definitely a bit of good news on this file for a change. The bill still has other deep flaws, but at least this part of the bill will get delayed for now. It bears repeating that what the UK government is doing here is essentially demanding the impossible. It’s like safely compromising the safety of a vehicle – the vehicle’s safety is either compromised or it’s not. The government is trying to find a middle ground that doesn’t, and never will, exist. No amount of “nerd harder” will ever fix this.
Now, the hope is that this part of the bill never comes to fruition. It’s a ridiculous concept that puts people’s safety at risk around the world. A bit ironic considering this is called the “Online Safety” bill.
Drew Wilson on Twitter: @icecube85 and Facebook.