It all starts in 2019. The Online Harms whitepaper marked the first step into the government's mission of making the UK "the safest place to be online," building the premises for the debut of the Online Safety Bill two years later.
Now, after surviving three prime ministers, two government crises, and doubling up its pages on the way, the Bill is in its final stages in Parliament and likely to become law very soon. Yet, internet experts and privacy advocates are still concerned the new provisions will jeopardize citizens' security instead.
To make things worse, UK lawmakers are also pushing for an update to another controversial bill: the 2016 Investigatory Powers Act, also known as the "Snooper Chart" for its wide-ranging surveillance powers.
That's why many commentators, including digital rights groups, cryptographers, academics, VPN services, and encrypted messaging app providers are now calling for new assurances the two proposals won't be used together for greater control over public communications.
A two-sided issue
"Both of these proposals have seriously negative implications on privacy and fundamental rights. When viewed together, they paint the picture of a UK government willing to compromise its citizens’ rights and its companies’ security in the name of surveillance at all costs," Jurgita Miseviciute, Head of Public Policy & Government Affairs at Proton (security firm behind ProtonVPN and ProtonMail), told TechRadar.
The Online Safety Bill has long been criticized for threatening encryption, ruling vague provisions—around legal but harmful content, for example—and granting intrusive powers to Ofcom, the UK regulator in charge of making sure tech companies enforce new regulations. The latter will have a legal duty, in fact, to protect their users from illegal content and activities. A sort of "private police on online speech," Director of Big Brother Watch Silkie Carlo commented to The Spectator.
Last week's news brought some relief, though, as ministers announced the decision to postpone a contentious provision: Article 122. Side-scanning private and encrypted communications on halt until it is "technically feasible." Yet, despite being a welcome move, "it fell short of providing any legal guarantees, something we still believe is vital and we hope will be rectified in the near future," said Miseviciute.
She isn't alone feeling in this way. Similar worries are shared by Conservative MP David Davis, for example, who described the decision as "just kicking the problem down the road." Conservative Peer and former DCMS minister Lord Kamall also believes that "these powers should not exist" at all.
Lord Moylan hits the fundamental flaw that still exists in the #onlinesafetybill when he says "Everybody knows that you cannot do what Ofcom is empowered, by this Bill, to do without breaching end-to-end encryption."https://t.co/wBUu3sEnrySeptember 7, 2023
At the same time, the Home Office silently launched an eight-week consultation to revise the Investigatory Powers Act. In its current form, the law already enables access to targeted private communications on criminal suspects as well as the storage of internet browsing records for 12 months, among other things.
The government claims an update is needed nonetheless to bring the legislation up to speed with technological advancements that occurred in the seven years since it came into force.
Specifically, lawmakers want encrypted tech firms offering messaging services (like Apple and Meta) to ask for government approval before releasing new security features. These firms will be also required to block or disable security features upon Home Office requests, without telling users about it.
Apple firmly opposes such a proposal that, once approved, would have immediate effect. The Big Tech company is already said to be ready to pull its iMessage and FaceTime from the UK in the event the revision is enforced.
The United Kingdom is considering updating their Investigatory Powers Act, which would require messaging services to disable their security on the request of authorities, reports GSM Arena.Apple's response? To threaten to withdraw iMessage and FaceTime from the UK. pic.twitter.com/gh3MLsVINaJuly 21, 2023
Miseviciute sees the proposed updates to the Investigatory Powers Act as a further attack to encryption, "as the Home Office could potentially block any security-related feature or update rolled-out by a provider," she said. She believes that this will ultimately make the bill even more problematic. Again, she isn't alone on this.
Matthew Hodgson, CEO at UK-based encrypted messaging software provider Element, said: "The obfuscator mix of two bills designed to meet each other's ends grants the Home Office a totally unacceptable level of oversight over the communications of citizens."
Jessica Ni Mhainin, Head of Policy and Campaigns at Index on Censorship, also believes that plans for client side-scanning and the link to the Investigatory Powers Act will have "enormously concerning implications," especially for journalism and freedom of expression more widely.
That's why the free speech advocacy group has recently filed a report detailing the unattended consequences of the two laws combined and calling for further amends on Article 122.
Commenting on this point, CEO of Signal Meredith Whittaker, said: "Parliament must amend Section 122 of the Online Safety Bill in addition to clearly stating that it would not—under any circumstances—submit notices under the Investigatory Powers Act in this manner."
