Online Safety Bill Criticism: UK authorities can't even secure their own data. How do they dare to undermine encryption?

The UK Online Safety Bill has been heavily criticised by privacy groups and legal experts. This collection of criticism shows why this bill must not move forward.

UK Online Safety Bill is criticized for undermining human rights like the right to privacy.

The Online Safety Bill aims to make the UK "the safest place in the world to be online" - and it might actually become a law later this year. However, criticism of the Online Safety Bill is never ending. This UK bill aims to lay down rules in law about how platforms should deal with harmful content. But the plans for a new "internet safety law" will do more harm than good and reduce everybody's security online. And the recent inabilities of the UK government to protect data show that criticism of the Online Safety Act is more than appropriate.


While the Online Safety Bill aims at ‘improving security’ by forcing internet service providers to scan data for harmful content - even if encrypted - it will make it much more difficult to secure data online.

Recent attacks on data held by the UK government show that the opposite it true: The UK government should strengthen encryption of data to secure it, not weaken it.

For instance, in August alone the Electoral Commission has been hacked - the state body in charge of elections, then there was the mass exposure of birth, marriage and death data by UK authorities, and the bulk release of confidential personnel data of Nothern Irish police officers, which could even endanger the lives of these officers as terrorists got hold of their information.

But to “protect the children”, the same state that was unable to protect its citizens’ data on its own servers wants to push through the Online Safety Bill - which would allow the government to get hold of even more data of its citizens, possibly even encrypted communication.

The Register says: “This is akin to giving an alcoholic uncle the keys to every booze shop in town to “protect children”: you will find Uncle in a drunken coma with the doors wide open and the stock disappearing by the vanload.”

The threat is undeniable: The Online Safety Bill demands a government backdoor to data held by online services. But how will these services - let alone the government - protect this data from malicious attacks if not with end-to-end encryption?

What is the Online Safety Bill?

The aims of the Online Safety Bill are:

  • to prevent the spread of illegal content and activity such as images of child abuse, terrorist material and hate crimes,
  • to protect children from harmful material
  • to protect everyone from “legal but harmful” content

218 pages long, with 197 sections and 15 schedules, the Online Safety Bill is a clunking attempt to regulate content on the internet. In its language the bill is often very vague and, thus, likely to overreach its goal.

The results will be less security online (due to backdooring encryption) and less freedom (due to heavy self-censorship by platforms).

The legislation puts the responsibility on tech giants like Facebook and Google to figure out how to meet the legal requirements and how to moderate content shared on their platforms. It also empowers the regulator Ofcom to judge whether the tech companies do a good enough job or must pay a fine for not complying with the bill.

Companies that fail to comply with the new rules could face fines of up to £18m, or 10% of their annual global turnover, whichever is highest.

Ruth Smeeth, CEO of campaign group Index on Censorship and former Labour MP, said:

“This is a fundamentally broken bill - the next prime minister needs a total rethink. It would give tech executives like Nick Clegg and Mark Zuckerberg massive amounts of control over what we all can say online, would make the UK the first democracy in the world to break encrypted messaging apps, and it would make people who have experienced abuse online less safe by forcing platforms to delete vital evidence.”

The first draft paper of this bill was already introduced back in 2019 by former PM Theresa May.

Since then a strong debate has been going on arguing in favour and against this draft. As a whole this ongoing discussion, endless revisions and amendments show how flawed it is. Criticism of the Online Safety Bill does not stop.

The Online Safety Bill threatens citizen's security because of the requirement for backdoors.

Criticism of Online Safety Bill

  1. Threat to privacy
  2. Threat to freedom of speech

1. Threat to privacy

The most criticized flaw of the UK Online Safety Bill is its threat to encryption: The bill contains a clause that requires tech companies to use their “best endeavours” to deploy or develop new technology if the existing technology is not suitable for their platform to scan content for child sexual abuse material. For encrypted messaging services, this would mean client-side scanning of data.

Critics fear that this would effectively ban secure messaging in the UK.

Home secretary, Priti Patel, claims that this approach does not undermine people’s privacy: “Privacy and security are not mutually exclusive – we need both, and we can have both, and that is what this amendment delivers.”

However, client-side scanning - also proposed by the EU Commission - destroys the security and privacy of encryption as it introduces a backdoor - one that could also be abused by malicious actors.

If client-side scanning were introduced, any chat message and any email you ever send would be available to third-party monitoring.

2. Threat to freedom of speech

The draft Online Safety Bill would generally require search engines and user-to-user communications such as email and messaging apps, to stop the spread of illegal material on the internet.

Heavily criticized is also the requirement for large platforms such as Facebook, Twitter and so on to create and enforce terms of services which contain categories of “legal but harmful” content, which is also to be taken down.

These categories are to be defined by the Secretary of State for Digital, Culture, Media and Sport (DCMS), in consultation with Ofcom and Parliament. Earlier the DCMS has described possible categories, according to the ministry “misinformation and disinformation” would then be forbidden.

While everyone recognizes the threat of disinformation, particularly if sponsored by a foreign state such as China or Russia, the UK Online Bill in its draft form poses a great threat to freedom of speech and freedom of expression online.

Backbencher David Davis has criticized the bill as “the biggest accidental curtailment of free speech in modern history”.

He said to the Guardian that

”We all want the internet to be safe. Right now, there are too many dangers online, from videos propagating terror to posts promoting self-harm and suicide. But the bill’s well-intentioned attempts to address these very real risks threatens being the biggest accidental curtailment of free speech in modern history.”

The major problem of the bill is that potentially problematic content is not clearly defined and identified, for instance as illegal conetnt such as hate speech or promoting terrorism. Insetad, it creates a new category of speech which is legal but ‘harmful’.

The content that could be covered by this is almost infinite, except by the definition that it ‘harms’ some people.

However, harmful content may be a matter of opinion; it is very subjective.

What is more it that many companies will choose the path of the least risk: If in doubt, delete the comment. This will lead to regulatory overreach and an unprecedented form of self-censorship in any free and open democracy.

Yet Jonathan Sumption has very rightly concluded:

“But knowledge and experience are not closed or immutable categories. They are inherently liable to change. Once upon a time, the scientific consensus was that the sun moved around the Earth and that blood did not circulate around the body. These propositions were refuted only because orthodoxy was challenged by people once thought to be dangerous heretics. Knowledge advances by confronting contrary arguments, not by hiding them away. Any system for regulating the expression of opinion or the transmission of information will end up by privileging the anodyne, the uncontroversial, the conventional and the officially approved.”

Open Letter to Prime Minister Sunak

Being an encrypted email service, we at Tutanota fight for the Human Rights to privacy and freedom of speech online. Together with others such as Access Now, The Tor Project, and Phil Zimmermann we have signed an open letter to call on the UK government to amend the Online Safety Bill.

It is crucial that the bill will not undermine encryption.


Dear Prime Minister Sunak,

With cyber attacks becoming ever-more frequent and sophisticated, the reliance of UK citizens and businesses on end-to-end encryption to keep themselves safe and secure has never been greater.

Encryption is critical to ensuring Internet users are protected online, to building economic security through a pro-business UK economy that can weather the cost of living crisis, and to assuring national security. As you begin your new role as Prime Minister, the undersigned civil society organisations and companies, including members of the Global Encryption Coalition, urge you and your government to ensure that encryption is not weakened.

Despite its intention to make the UK safer, the Online Safety Bill currently contains clauses that would erode end-to-end encryption in private messaging. As noted in an open letter by leading UK digital rights organisations, the Bill poses serious threats to privacy and security in the UK “by creating a new power to compel online intermediaries to use ‘accredited technologies’ to conduct mass scanning and surveillance of all citizens on private messaging channels.” Leading cybersecurity experts have made clear that even message scanning, mistakenly cited as safe and effective by its proponents, actually “creates serious security and privacy risks for all society while the assistance it can provide for law enforcement is at best problematic.”

Undermining protections for end-to-end encryption would make UK businesses and individuals less safe online, including the very groups that the Online Safety Bill intends to protect. Furthermore, because the right to privacy and freedom of expression are intertwined, these proposals would undermine freedom of speech, a key characteristic of free societies that differentiate the UK from aggressors that use oppression and coercion to achieve their aims.

UK businesses are set to have less protection for their data flows than their counterparts in the United States or European Union, leaving them more susceptible to cyber-attacks and intellectual property theft. UK digital businesses will also face new challenges in foreign markets. When Australia passed a similar law undermining end-to-end encryption in 2018, the Australian digital industry lost an estimated $AUS 1 billion in current and forecast sales and further losses in foreign investment as a result of decreased trust in their products. As the UK economy faces significant challenges in the wake of COVID-19 and the impacts of the War in Ukraine, it is critical that the Bill does not undermine UK tech leadership and economic security.

Undermining end-to-end encryption or introducing content scanning obligations for private messaging will also remove protections for private citizens’ data. Opening a backdoor for scanning also opens a backdoor for cyber criminals intent on accessing our bank account details, private messages and even the pictures we share online privately with family and friends. We all deserve the protection that end-to-end encryption provides, but the most vulnerable in society - children and members of at-risk communities - need it most of all.

For economic security, a free society and the safest Internet possible for UK citizens, we call upon you and the UK government to ensure that the Online Safety Bill does not undermine end-to-end encryption.

Signatories

Access Now

The Adam Smith Institute

Advocacy for Principled Action in Government

Aspiration

Associação Portuguesa para a Promoção da Segurança da Informação (AP2SI)

Betapersei, S.C.

Big Brother Watch

Blacknight Internet Solutions Ltd

Jon Callas, Director of Public Interest Technology, EFF

L. Jean Camp, Professor, Indiana University

Center for Data Innovation

Center for Democracy and Technology

Centre for Policy Studies

CIPPIC (Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic)

Collaboration on International ICT Policy for East and Southern Africa

comun.al, Digital Resilience Lab

CRYPTO ID - BRAZIL

DNS Africa Media and Communications

Electric Coin Co. (creators and supporters of Zcash)

Electronic Frontier Foundation

Encrypt Uganda

Fight for the Future

Global Partners Digital

Index on Censorship

Dr. Philip Inglesant

Internet Freedom Foundation, India

Internet Society

Internet Society - Brazil Chapter

Internet Society Catalan Chapter

Internet Society Côte d’Ivoire Chapitre

Internet Society Colombia Chapter

Internet Society Ghana Chapter

Internet Society India Hyderabad Chapter

Internet Society Tanzania Chapter

Internet Society Tchad chapter

Internet Society Liberia Chapter

Internet Society Niger Chapter

Internet Society Portugal Chapter

Internet Society UK England Chapter

Interpeer gUG (haftungsbeschraenkt)

JCA-NET(Japan)

Kijiji Yeetu

C. de Larrinaga

Matthew Lesh, Head of Public Policy, Institute of Economic Affairs

Liberty

MEGA

Alec Muffett, Security Researcher

Numex

OpenMedia

Open Rights Group

Organization for Identity and Cultural Development

Chip Pitts

Ranking Digital Rights

Sharon Polsky MAPP, President, Privacy & Access Council of Canada

Runa Sandvik, Founder, Granitt

Superbloom

Surfshark

Susan Landau, Bridge Professor of Cyber Security and Policy, Tufts University

Tech for Good Asia

The Tor Project

Tutanota

TwelveDot Incorporated

University of Bosaso

Phil Zimmermann