The Online Safety Bill: An attack on encryption
We all want to be able to address abuse on the internet.
In the UK, the government is trying to achieve this through the Online Safety Bill (OSB). Developing such a bill is difficult as technology evolves far faster than legislation.
But even allowing for that challenge, and that the OSB has some genuinely good intentions, the proposed legislation is still remarkably poor.
What could have been a constructive piece of legislation has ended up as a bloated and overreaching proposal, drafted with little technical prowess. As it currently stands the bill weakens the UK’s digital security, threatens basic privacy, stymies the UK tech industry, and introduces the prospect of ever-creeping censorship and blanket surveillance.
Instead of setting a principled example to the rest of the world, the OSB sees the UK proposing state surveillance and censorship. It’s far closer to the approach seen from regimes in Russia and China than anything in Europe or the US.
The bill takes a wrecking ball to the very fabric of encryption, by requiring encrypted messaging apps to scan for abusive content within the app (or the app’s underlying operating system).
This fundamentally undermines encryption, by providing a mechanism that can be hijacked and abused to access arbitrary user data. It is the online equivalent of installing a CCTV camera into everyone’s bedroom, hooked up to an artificial intelligence (AI) classifier which sends footage back to the authorities whenever it thinks it sees something illegal happening.
Today’s built-in scanning AI from Apple can’t even distinguish a cow from a horse - so even if blanket surveillance was a good idea in the first place, the chances of AI scanning causing your phone to upload any and all remotely questionable photos to the authorities (Ofcom, no less) would be enormous. The privacy implications are catastrophic.
By forcing this ‘backdoor’ into end-to-end encryption (E2EE), the resulting surveillance mechanisms would be able to access anyone's messages, at any time, forwarding them to the authorities if suspected as illegal. This weakens security for everyone; from the 99 percent of normal law-abiding people through to businesses and governments.
And if you think that competing nation states, terrorists and criminals won’t be able to make use of that same access you’re sorely mistaken.
It means that healthcare information, financial details, conversations regarding air traffic control, electricity grids, nuclear power stations, military manoeuvres… none of it would be protected by end-to-end encryption.
And all that loss of security will be for nothing because - no surprise - bad actors don’t play by the rules.
End-to-end encryption has been around for decades. Malicious people and groups can use a huge variety of unregulated systems to communicate, or even build their own (e.g. EncroChat).
In short, forcing third party access to end-to-end encrypted systems robs ‘the good guys’ of their security and leaves ‘the bad guys’ free to carry on doing what they’ve always done.
The stench of censorship
That the likes of Facebook have failed in their duty to moderate content is part of what has led to the OSB. Yet that model in itself - a centralised, hierarchical platform that ends up in the unenviable position of having to adjudicate what’s ‘acceptable’ - is precisely what the OSB puts forward as its solution.
Before the bill even made it to the House of Lords, you can see the creeping political censorship. In a written statement on 17 January 2023, the government added an amendment that “posting videos of people crossing the channel that show that activity in a positive light” should be considered “priority illegal content.”
The same amendment also threatens to make “senior managers criminally liable” for failure to abide by the OSB.
How long before ‘peaceful demonstration’ cannot be shown in a positive light? In the future will any alternative opinion be allowed? Or are we to head straight into a state-controlled Orwellian landscape on pain of imprisonment?
Strengthening Big Tech’s monopolies
While recent EU legislation (in particular the Digital Markets Act) has planted the seeds for a competition-led fightback against Silicon Valley monopolies, the OSB does the opposite. Its moderation requirements, potential fines and jail time for non-compliance put a huge burden on platform providers that only the big tech players have the resources to entertain. This will annihilate the UK’s tech startup scene, while obliterating user privacy.
Now the bill has reached the House of Lords, we’ll begin to hear a response from the industry at large. One suspects Nick Clegg - Deputy Prime Minister of the UK from 2010 to 2015, and now president of global affairs (aka chief lobbyist) at Meta Platforms - will kick into action along with the rest of Big Tech.
If Clegg is unsuccessful, there’s a very real possibility that WhatsApp (and possibly Meta as a whole) withdraws from the UK if the legislation passes. The UK's small population, in comparison to WhatsApp's 2 billion users, is not a significant market. Likewise Signal and multiple others.
While Big Tech considers whether the UK remains a viable market for its products, those monoliths at least have the resources to contest decisions. As a smaller UK-headquartered secure communication startup, that’s not a luxury Element has.
Oversee or overseas?
The OSB’s draconian stance is in stark contrast to the UK’s Chancellor of the Exchequer, Jeremy Hunt, wanting to make the UK a tech hub, or for that matter Rishi Sunak’s enthusiasm for UK tech. If the OSB remains in its current state, anyone with an iota of common sense would choose to establish their business elsewhere.
Given its progressive digital privacy regulations, relocating within the EU would be a logical choice for many UK tech companies (assuming ChatControl does not come to pass). Or of course the US, with its huge marketplace, constitutional protection against censorship, and well-established venture capital ecosystem.
The very notion of UK firms relocating brings us to the OSB being unenforceable. The threat to imprison overseas-based platform owners is a baseless threat when it comes to the Big Tech firms OSB is trying to address. Mark Zuckerberg will never face a day in a UK prison; it’s bizarre for the bill to even suggest it.
Ignoring the decentralised era
It’s hardly surprising, but the OSB also completely fails to account for the emerging era of decentralisation; a matter close to our hearts. The bill is drafted with Big Tech’s traditional centralised platforms in mind, with their top-down command and control structure.
Element - and the Matrix open standard on which it is based - enables users to host their own data; it’s a completely different model.
Indeed our government customers - including the French government, Germany’s Armed Forces, Försäkringskassan in Sweden, the US Navy, US Marine Corps, US Space Force and the UK’s own Ministry of Defence - all host their own data. They do this because it is more secure than having Salesforce, Microsoft, Google or whoever else hosting their data.
So if enacted, the OSB could theoretically criminalise individuals and organisations who operate their own server to run their own secure communication deployment. The UK government could end up jailing its own Secretary of State for DCMS (as the responsible “senior executive”) due to some junior DCMS employee accessing abusive content on any on-premise system, including email.
Rip it up, and start again
The OSB is a poorly thought-out piece of legislation that's been drafted through considerable political turbulence and suffered from a bunch of hasty amendments.
When you think of how many different government customers we have, it’s striking that no one we talk to thinks the OSB is a good idea or that end-to-end encryption (E2EE) should be compromised. Everyone agrees that big tech companies should be discouraged from addicting their users to abusive content - but blanket surveillance is categorically not the right way to do it.
Meanwhile, illegal activity on the internet should be addressed in the same way as illegal activity in real life: via investigation and due process (proportionately assisted by technology as needed) - rather than Orwellian surveillance, just because it’s technically possible.
It’s really very difficult to believe that the OSB, in its current form, would pass into law. And that’s largely why the tech industry hasn’t taken it too seriously up to now.
So before the bill progresses any further, we’ll state it loud and clear; we believe the best way to create a safer internet is to scrap the bill and start from scratch with input from a broad range of tech experts.
It's time for the UK government to reconsider the impact of the OSB on national security and the UK tech industry, and restart from square one.