When it comes to policing the internet there are a few notable examples in development. In the US, the EARN IT bill (Eliminating Abusive and Rampant Neglect of Interactive Technologies) is back on the table, a debate that has dragged on for a few years now. Proponents of the bill argue that its introduction will serve to curb child sexual abuse material (CSAM) online more easily, whilst others argue that the bill will undermine end-to-end encryption.
In Europe currently, the EU Commission is considering a draft law regarding mandatory chat control. The Commission’s detailed proposals are in direct response to what has been described as a massive increase in (CSAM) online. Effectively, the Commission’s plan is to oblige all providers of email, chat, and messaging services to search for suspicious messages and share anything dubious with the police - basically, monitoring and scanning all everyone’s communications, even if users are using encryption technology - a VPN for example.
The Online Safety Bill
And so, to recent events in the UK as regards The Online Safety Bill. This Bill seeks to establish a new regulatory regime to address illegal and harmful content online and impose legal requirements on search engines and internet service providers, including those providing pornographic content. The bill seeks to confer new powers on the Office of Communications (Ofcom), enabling them to act as the online safety regulator. As things currently stand, the Online Safety Bill is being discussed in the House of Lords before being returned to the Commons this summer.
Why is any of this a problem? Surely child protection online is in everybody’s interest. Well, it’s a little more complicated than that. In relation to the UK’s Online Safety Bill some are going as far to say that it will wreck the overall internet experience for users and that it could potentially park the UK away from the internet experienced by others around the world.
Surely this must be some kind of scaremongering tactic dreamt up by the big technology companies, worried about any potential impact on their bottom line. Not really. In fact, there is very strong sentiment from those who are charged with protecting us from harm on the internet, the security experts who understand better than anyone how to build safety into our online experience, that the Online Safety Bill could end up doing a lot more harm than good.
Sebastian Schaub is CEO and founder of hide.me VPN.
Open letter
Testament to this is a recent open letter, signed by more than 70 UK information security and cryptography researchers that robustly opposes the UK Online Safety Bill. The signatories to this letter are concerned about how the proposed legislation will interact with existing security and privacy technologies. Indeed, the letter is highly critical with regards to how the bill aims to use technology to enable the everyday monitoring of personal and business online communications with a view to curbing the spread of CASM content online.
The open letter attempts to explain in layman's terms what many already understand about the dichotomy of keeping end-to-end encryption, well ‘encrypted’. If you are trying to keep information confidential from third parties but then also sharing that same information with third parties then you have a massive contradiction in terms. To be clear, if you give those in power the technological means to access every private message and image (which is what the bill sets out to do) signifies that any interested party (bad actors possibly) with access to the relevant monitoring facilities will enjoy the same access.
Even if you discount bad actors for the sake of argument, actors with access to relevant monitoring facilities could include civil servants, members of the police force or foreign state adversaries. Using cryptographic backdoors is ultimately doomed to failure and anyone who thinks that giving the ‘keys’ to encrypted online communications to supposedly safe hands such as national security services, hasn’t been keeping up with current affairs - how many high-profile breaches at the national security level (US and UK) do we need to point to?
The letter also illustrates the flaws inherent in the notion to scan content on everybody’s devices before it is encrypted in transit. Effectively, this means placing a mandatory, always-on automatic wiretap in every device to scan for prohibited content. The obvious technological problem here is that it needs to accurately detect and reveal the targeted content whilst at the same time does not detect and reveal content that is not targeted. Are there not massive privacy issues here? Could, for example, this led to millions of citizens having their faces scanned for no apparent reason. If such technology can be repurposed to add hidden indirect capabilities such as facial recognition that covertly enables surveillance, is this the dawn of Big Brother?
Also, we already have an idea regarding some of the companies that have said they may no longer service the UK market if the proposed Online Safety Bill is introduced. We are talking about technology giants such as WhatsApp, Wikipedia, Signal and even Apple - all of whom oppose the core values enshrined by the bill.
The UK is rightly considered a world leader in promoting human rights and the rule of law. However, trying to police the internet and tampering with technology that champions internet freedom (end-to-end encryption) then you set a dangerous precedent. What comes next? The UK risks becoming an outsider to the normal internet if big tech decides that enough is enough.
