Online Safety Bill: encrypted messages to be saved - for now

Britain's Science, Innovation and Technology Secretary Michelle Donelan. (Image credit: Photo by DANIEL LEAL/AFP via Getty Images)

The article was modified on September 8, 2023, as we received a comment from the UK government clarifying its position on the matter. 

As the long-debated Online Safety Bill entered its final stage in the House of Lords on September 6, 2023, the UK government announced an unexpected postponement of its most controversial provision, for now at least.

Ministers decided to postpone what critics have dubbed the "spy clause" until it is "technically feasible" to enforce it, the Financial Times reported. Article 122 introduces a requirement for tech companies to perform client-side scanning of private and encrypted messages for harmful and illegal content. Experts have long said this cannot happen without violating people's privacy.

The decision comes after popular messaging apps like WhatsApp and Signal threatened to leave the UK if such a law were implemented. Countless privacy advocates, cryptographers, and academics have long warned that the Bill could undermine citizens' privacy and freedom of speech while setting a worrying global precedent.

It falls short of fixing privacy issues

"Clause 122, known as the 'spy clause', could see the private sector being mandated to carry out mass surveillance of private digital communications. It would leave everybody in the UK vulnerable to malicious hacking attacks and targeted surveillance campaigns. It also sets a dangerous precedent. It is not possible to create a technological system that can scan the contents of private electronic communication while preserving the right to privacy."

These were the words that Rasha Abdul Rahim, Director of Amnesty Tech, used to describe the unintended consequences of letting secure messaging apps break encryption. "A police officer (or spy) in your pocket" is what this provision is also called.

The almost 300-page Bill was born as a way to "make the UK the safest place to be online," but it has become increasingly clear that it was slowly achieving the opposite result: making people more vulnerable online.

As the Financial Times reported, the tech regulator Ofcom still has the power to require tech companies to develop client-side scanning software. However, companies would be required to scan their networks only when "a technology is developed that is capable of doing so." According to experts, it could be years before such software is developed.

This announcement doesn't mean the UK government's position on this matter has changed, though. "As has always been the case, as a last resort, on a case by case basis and only when stringent privacy safeguards have been met, it will enable Ofcom to direct companies to either use, or make best efforts to develop or source, technology to identify and remove illegal child sexual abuse content—which we know can be developed," a government spokesperson told TechRadar.

Nonetheless, controversies with the Bill don't end with Article 122. Critics warn that new age verification requirements, for which sites will have to verify the age of visitors by scanning government-issued documents or biometric data, also pose a serious threat to the privacy of UK internet users.

More data collected means more opportunities for these details to be abused and leaked. Considering the bad track record of recent national data breaches like the ransomware attack on the NHS in June, these are "not merely an abstract possibility but eventualities to prepare for," wrote a group of academics working in information security and cryptography in an open letter.

Overall, this feels less like a victory for privacy than the latest clumsy compromise to ensure that big players like WhatsApp and Signal, and widely used secure email services like ProtonMail and Tutanota, won't exit the UK market for good. What a place to start for such an important regulation.

Commenting on this point, Proton's Founder and CEO Andy Yen said: "A statement delaying or watering down the dangerous and infeasible parts of the Online Safety Bill is not unwelcome, but it falls well short of providing the legal assurances that businesses need to continue operating and investing in the UK. 

"As it stands, the bill still permits the imposition of a legally binding obligation to ban end-to-end encryption in the UK, undermining citizens' fundamental rights to privacy, and leaves the government defining what is 'technically feasible.' For all the good intentions of today’s statement, without additional safeguards in the Online Safety Bill, all it takes is for a future government to change its mind and we’re right back where we started."

Chiara Castro
Senior Staff Writer
