After passing the Online Safety bill, the UK government is pressing Facebook to “safely” break its encryption.
Last week, we reported on the disastrous passage of the Online Safety bill in the UK. The bill is problematic on a number of fronts. Whether it is ridiculous age-verification requirements that compel companies to collect even more personal information on you or the anti-encryption provisions that require companies to put back doors into their communication systems so that the government can spy on everything you say, the implications are enormous both domestically for the people of the UK and those abroad.
Apparently, numerous companies have threatened to leave the UK should these demands actually come to fruition. If that happens, it would be a repeat of the exodus of innovation and investment in Australia back in 2019 when that country passed its own anti-encryption laws in a rushed process. In fact, Signal has already reaffirmed plans to leave when the UK government comes knocking – opting to protect the privacy of the users instead of bending at the knee to the British government.
All of this stems from what the law is asking companies to do when it comes to encrypted services. They want the encryption compromised to government can access it while, at the same time, have the encryption not compromised so that people’s personal information can remain safe and secure. One of these things is not like the other. Either the encryption in question is compromised or it is not. There’s no middle ground where it is only compromised for a certain party.
Yet, asking the impossible under the fantasy that companies can build anything the government can dream up is exactly where the British government seems to live right now. A report on TechCrunch, suggests that this is what the UK government is currently asking:
Buckle up for another encryption fight: Hot on the heels of securing parliament’s approval for its Online Safety Bill yesterday, the U.K. government is amping up pressure on Meta not to roll out end-to-end-encryption (E2EE) on Facebook Messenger and Instagram — unless it applies unspecified “safety measures” which the Home Secretary said should allow law enforcement to continue to detect child sexual abuse material (CSAM) at the same time as protecting user privacy.
In an interview on BBC Radio 4’s Today Program this morning, Suella Braverman claimed the vast majority of online child sexual abuse activity that U.K. law enforcement is currently able to detect is taking place on Facebook Messenger and Instagram. She then hit out at Meta’s proposal to expand its use of E2EE “without safety measures” to the two services — arguing the move would “disable and prohibit law enforcement agencies from accessing this criminal activity [i.e. CSAM]”.
Finally, though, this August, Meta announced it would enable E2EE by default for Messenger by the end of the year. But that plan is facing renewed attacks from the U.K. government — newly armed with the big stick of legal duties incoming via the Online Safety Bill.
Experts have been warning for years that surveillance powers in the legislation pose a risk to E2EE. But policymakers didn’t listen — all we got was a last minute fudge. That means platforms like Meta and U.K. web users are faced with another round of crypto warring.
This battle does, indeed, have shades of the US fight with Apple over it’s encryption of phones. US spooks had long screamed about how encrypted iPhones would mean that law enforcement couldn’t do their jobs when pursuing criminals. The claims ended up being greatly exaggerated as the encryption, as it turned out, could be broken by those very law enforcement officials. It turned out to be yet another scaremongering campaign against encryption at the time.
At the end of the day, there’s no such thing as a safely broken encryption scheme. Either the encryption is broken or its not. Threatening to fine Facebook 10% annual turnover for failing to comply isn’t going to change this impossible ask. The only thing the government accomplishes if it does manage to succeed is make everyone less safe and secure online. Would you let your child use compromised encryption, exposing them to whatever bad thing is out there on the internet, all in the name of government’s ability to spy on everything that is said online? No. It’s a ridiculous ask.
Tim Cushing of Techdirt basically came to the same conclusions we did:
Then there’s the insanity:
“My job is fundamentally to protect children not paedophiles, and I want to work with Meta so that they roll out the technology that enables that objective to be realised. That protects children but also protects their commercial interests,” she said. “We know that technology exists…”
Really? Where is it? Can you point to any examples of this encryption that remains secure despite deliberately introduced flaws? Have you tried it out? Have you performed a security audit on it? SHOW ME ON THE PUBLICLY RELEASED GOVERNMENT REPORT WHERE THIS TECHNOLOGY ALREADY EXISTS.
While it’s true tech exists to detect hashes that match known CSAM, no tech exists to perform hash-matching on E2EE communication services. The only way to do this is to perform scanning on one side of the communication. And to do that, you have to remove the encryption from one end. Some have suggested this is a solution to the problem. But the only tech company that considered moving forward with voluntary client-side scanning abandoned that plan shortly after hearing from everyone (anti-encryption legislators excepted, of course) what a bad idea that would be.
So, in a sense, the tech does exist. But it’s not something anyone truly concerned about safety, security, or privacy would consider to be a real solution to the CSAM problem. But that’s what the UK government wants: insecure services that allow it to take a look at anyone’s communications. And that should never be considered an acceptable outcome.
If the answer to the UK government is that demanding safely broken encryption is asking the impossible, and the UK government responds with “try harder”, then that only adds fuel to the fire that is the impending innovation exodus of security tech companies out of the country. If the UK can’t be bothered to pass actually sane laws, then those companies are going to find another country that has sane laws in the first place. It’s a big world with many countries. The economic benefits of hosting these companies are going to evaporate because the government decided it was best to live in security fantasy land.
Drew Wilson on Twitter: @icecube85 and Facebook.