Government revises encrypted message scanning plans

Wants tech firms to implement client-side scanning

The UK government has changed communications regulator Ofcom's powers within the Online Safety Bill, which could be used to compel tech firms to scan encrypted messages for child abuse images.

The move comes after prominent messaging apps and technical experts voiced concerns over the threat to people's privacy.

Parliament is currently reviewing the Online Safety Bill, which includes provisions enabling Ofcom to instruct digital platforms to employ accredited technology for scanning message contents.

However, critics say that implementing such technology would require the installation of software on devices to scan messages before they are sent, a process known as client-side scanning. Alternatively, tech companies could build a backdoor into their encryption. Either approach would create a vulnerability that threat actors could exploit.

The latest amendment to the Online Safety Bill, approved by the Lords on Wednesday, specifies that before Ofcom exercises its new powers, a report must be prepared by a "skilled person."

In earlier versions of the bill, this step was considered optional.

The "skilled person" report could assess the potential effects of scanning on freedom of expression and privacy, as well as explore the possibility of employing less intrusive technologies as alternatives.

Ofcom is obligated to consider the findings from this report when deciding whether it is necessary to compel a firm to scan messages. The regulator must also share a summary of its findings with the tech firms involved.

Ministers, police, and children's charities argue that Ofcom's enhanced powers are crucial for addressing the surge in child abuse cases, including imagery and grooming on online platforms.

They also believe these powers are necessary to curb the ability of child abusers to operate freely on encrypted platforms without consequences.

However, critics label these provisions as a "spy clause." They argue that, at the very least, scanning user messages should require authorisation from a judge.

"This is not the legal oversight that these important new powers require, and give short shrift to users' rights," Index on Censorship said of the government's new amendment.

"Judicial oversight is a bare minimum for a government-appointed body to be able to break encryption and access private messages."

The Open Rights Group, a digital rights advocacy organisation, also criticised the amendment to the Online Safety Bill.

"Given that this 'skilled person' could be a political appointee, and they would be overseeing decisions about free speech and privacy rights, this would not be effective oversight", the group wrote.

Last month, Apple said provisions in the Online Safety Bill pose a substantial threat to people's privacy.

"End-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists and diplomats. It also helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches."

The statement followed a joint letter from 80 national and international civil society organisations, academics and tech experts to Technology Minister Chloe Smith, urging a reconsideration of Ofcom's new powers.

"The UK could become the first liberal democracy to require the routine scanning of people's private chat messages, including chats that are secured by end-to-end encryption," the letter said.

Several messaging platforms, including Signal and WhatsApp, have taken a firm stance on maintaining the privacy and security of their encrypted messaging systems. They have openly said they will refuse any attempts to weaken privacy, even if directed to do so by the Online Safety Bill or any other regulatory authority.

WhatsApp has gone so far as to threaten to leave the UK if the government continues to weaken end-to-end encryption.

In May, European Union diplomats received internal legal advice indicating that a proposed law, requiring tech firms to scan private and encrypted messages for child abuse material, is likely to be annulled by the courts.

In the leaked advice, the legal service of the Council of the European Union warned that the proposed regulation presents a "particularly serious limitation to the rights to privacy and personal data" and there is a "serious risk" that it could be found to be in violation of multiple legal grounds upon judicial review.

Computing says:

This amendment misses the root of the problem. What caused upset is not that the government, specifically, would have been scanning encrypted messages; it's that anyone being able to read them fundamentally means weakening end-to-end encryption.

Moving the onus to tech companies does nothing to address the issue. If encrypted messages can be read by someone who is neither the sender nor the receiver, that is a weakness threat actors can exploit - all for the sake of a hypothetical criminal attack.

Let's not forget that MPs and other individuals in government are known to use WhatsApp for their own secure communications. Weakening end-to-end encryption could expose matters of national security.