Online Safety Bill: International organisations, academics and cyber experts urge UK government to protect encrypted messaging
- Over 80 civil society organisations, academics and cyber experts from 23 countries write to the UK government over threat to the security and privacy of billions of people who use apps like WhatsApp and Signal.
- UK could become the first liberal democracy to require the routine scanning of people’s private chat messages.
- Removing the word “privately” from the draft legislation could preserve the security and privacy of billions of messaging app users.
Safeguard private communication
Over 80 civil society organisations, academics and cyber experts from 23 countries have written to the UK government to raise the alarm about proposed powers in the Online Safety Bill. These powers would require the scanning of encrypted messaging apps, such as WhatsApp and Signal, posing a threat to chat services which people use everyday to connect securely.
The letter, co-ordinated by the UK-based digital rights organisation, Open Rights Group, and the pan-European network of over 47 organisations, European Digital Rights (EDRi), notes that the UK could make chat platforms insecure for everyone. Privacy is an essential element for people’s security online, especially for young people, activists, human rights defenders, lawyers, doctors and journalists.
Investigative journalists find it essential to use end-to-end encrypted messaging to be able to research powerful people in the governments or companies. For example, the team of Organised Crime and Corruption Reporting Project (OCCRP) relies on safe, private communications to research Russian atrocities in the war with Ukraine.
Protect global digital security
The letter’s signatories also raise concerns that such measures would make people vulnerable to hacking and abuses of their private information without any control over who gets access to such sensitive data. It is not possible to scan in a way that only gets the ‘bad guys’ and leaves everyone else untouched. This law would adversely affect not only the 40 million users in the UK but the two billion people around the world who rely on secure messaging services.
The powers in the Bill could mean that people relying on messaging services to work and connect in the UK would have to download technology to their phones, which would allow private messages to be scanned. Technology, known as client-side scanning, which has been heavily criticised by experts, will turn chats into spaces that are dangerous for everyone’s privacy, security and free expression. The UK government asserts that client-side scanning will not compromise privacy, but evidence from cyber-security experts worldwide contradicts this view.
By introducing such intrusive measures, the UK government also risks damaging the country’s free market. Companies that respect the privacy of people using their services will be forced to leave the UK, moving away capital, resources and services.
The Prime Minister, Rishi Sunak, has said the UK will maintain peace, freedom and security around the world. The ability for people to communicate privately and securely is crucial to that objective.
Protect encrypted messaging
The signatories to this letter call on the government to put people’s safety and uphold democratic values by dropping private messaging platforms from the scope of the Online Safety Bill.
Dr Monica Horten, policy manager for freedom of expression at Open Rights Group, said:
“Where the UK leads, others will follow. The signatories to this letter are worried that these measures will embolden hostile and abusive regimes who will be only too pleased to use the UK as an excuse to monitor the private messages of their citizens. It puts at risk global security as well as placing a stain on our international reputation.
“How can the UK be on the one hand, a guarantor of international security, when on the other hand it is piercing a hole in the system that will damage that security?
“However, peers have the power to save the day if they accept an amendment to remove the word ‘privately’ from the Online Safety Bill. We strongly urge peers to support this amendment and say no to state-mandated surveillance of private chats.”
Ella Jakubowska, Senior Policy Advisor at EDRi, said:
“With this authoritarian proposal, the UK joins several EU countries in a concerted attack on the safety and integrity of everyone’s private communications. The EU version of this law would mandate the dangerous scanning of people’s private messages without due cause. But across Europe, several police departments specialised in child protection, public prosecutors, and survivors’ groups have pointed out that these measures would be ineffective at tackling the problem of online abuse.”
Ross Anderson, Professor of Security Engineering at Cambridge University and Edinburgh University said:
“The idea that you can do surveillance while respecting privacy is just magical thinking.
“The five prototypes funded by the Home Office were assessed by Rephrain, a team friendly to GCHQ, who found that not one of these prototypes comes close to meeting reasonable requirements for efficacy and privacy.
“This revives the magical thinking of the Blair government during the first Crypto War, in the late 1990s and early 2000s, which limited the strength of commercial cryptography. That has had devastating effects on security, leading to buildings that are easy to burgle, cars that are easy to steal, and government communications that are easy for our enemies to intercept.”
Notes to Editors
- Tech companies have also raised concerns about the threat to privacy and security posed by private message scanning. In April, WhatsApp, Signal and Element and others, said that the Bill, “poses an unprecedented threat to the privacy, safety and security of every UK citizen and the people with whom they communicate around the world, while emboldening hostile governments who may seek to draft copy-cat laws”. https://www.bbc.co.uk/news/technology-65301510
- The proposed ‘Regulation laying down rules to prevent and combat child sexual abuse’(2022/0155(COD)) is a draft EU law currently being debated by the EU’s three legislative institutions. It would require all digital service providers operating in the EU to assess the risk of the dissemination of child sexual abuse material and of grooming on their platform or service. On this basis, the law can compel them to implement age verification measures and the scanning of both public-facing and private communications. Legal advisors for the European Parliament, European Commission and Council of EU member states have all warned that the proposal is likely to disproportionately violate fundamental human rights. For more information, see: https://edri.org/wp-content/uploads/2023/05/CSAR-summary-booklet.pdf
Read the open letter in full
Civil society organisations urge UK to protect global digital security and safeguard private communication
Find out moreDon’t Scan Me!
