Online Safety Bill: debate over client side scanning and encryption rolls on

Are scanning and privacy compatible?

Online Safety Bill: debate over client side scanning and encryption rolls on

In a recent BBC interview, secretary of state for science, innovation and technology repeated the government's arguments for enforcing oversight into encrypted messaging, as included in the Online Safety Bill, which is expected to become law later this year.

Donelan argued that this would give regulators the ability to detect and disrupt illegal content such as child sexual abuse material CSAM in private messaging.

Supporters of the Bill argue this could help protect children online and that it is supported by the public. In a response emailed to Computing, Richard Collard, head of child safety online policy at child protection charity NSPCC, said: "The Online Safety Bill sets out a balanced settlement that should encourage companies to mitigate the risks of child sexual abuse when designing and rolling out features like end-to-end encryption.

"Our polling shows the UK public overwhelmingly support measures to tackle child abuse in end-to-end encrypted environments, and the specific requirements in the Bill. Tech firms should be showing industry leadership by listening to the public and investing in technology that protects both the safety and privacy rights of all users."

The government also believes that technology can be developed to allow encryption as well as lawful access to content by the authorities when necessary. "Technology is in development to enable you to have encryption as well as to be able to access this particular information," Donelan said.

The most likely outcome would be to force tech vendors to introduce client side scanning, giving the authorities - in this case the regulator Ofcom - access to content on the screens of the end-user devices, end-to-end-encryption (E2EE) meaning that that information cannot be decrypted in transit between sender and receiver. Prominent messaging apps WhatsApp and Signal have already said they would quit the UK rather than introduce such a system; last month Apple made similar noises too.

Other solutions would seem to have to break encryption and introduce a backdoor. However, data is either encrypted or it isn't, and history has shown there is no such thing as a "backdoor for the good guys."

See also: Preparing for the tricky task of regulating online safety

A policy published paper last year argued that the Online Safety Bill should exclude encryption scanning, saying the cost would outweigh any benefits, and the issue has become a political hot potato with arguments for and against greatly increased powers for Ofcom and punishment of tech firms going backwards and forwards. However, measures to allow surveillance of encrypted messages remain in the Bill.

Matthew Hodgson, CEO of secure messaging app Element which is used by the MOD among others, said the halfway house the government seems to be seeking is impossible.

"The government still does not understand how technology or encryption works, despite numerous experts explaining this to them," he said in an email.

"Its own Safety Tech Challenge Fund failed to deliver an impossible solution to scan messages without breaking encryption. What more will it take for the government to finally accept how encryption works? For a 'tech positive' government, it might want to listen to British tech companies."

Forcing tech companies to "plough money into a never-ending R&D project" that will "never result in a workable product" is nonsensical, Hodgson argued.

"No technology exists which allows encryption and access to 'this particular information'. Detecting illegal content means all content must be scanned in the first place. By adding the ability to use scanning technology at all, you open the floodgates to those who would exploit and abuse it. You put the mechanism in place for mass surveillance on UK citizens by the ‘good guys' and the bad. It is utterly unacceptable to attempt to force tech companies to implement mass surveillance within their products."

However, an NSPCC spokesperson pointed to work by Ian Levy and colleagues at GCHQ as well as SafetoNet's video and image detection system which promises privacy by design, to indicate that technical solutions might not be impossible.