Online Privacy at Risk from Awful U.K. Internet Regulation Bill

When last we visited the UK's long-stewing Online Safety Bill, the issue was the legislation's threat to free speech—a common theme of contemporary European lawmaking. But the massive internet regulation bill, which is expected to become law soon, also targets encryption. This has prompted tech companies to warn that Britain's government threatens the privacy of its citizens—and the world beyond.

A De Facto Ban on Encryption

"The Online Safety Bill, now at the final stage before passage in the House of Lords, gives the British government the ability to force backdoors into messaging services, which will destroy end-to-end encryption," the Electronic Frontier Foundation (EFF) warned last week. "If it passes, the Online Safety Bill will be a huge step backwards for global privacy, and democracy itself. Requiring government-approved software in peoples' messaging services is an awful precedent. If the Online Safety Bill becomes British law, the damage it causes won't stop at the borders of the U.K."

Through continuing debate, the Online Safety Bill has undergone changes, though none of them have much improved the legislation. In its current form, the Online Safety Bill allows OFCOM, Britain's communications regulator, to compel service providers and search engines to "provide information about the use of a service by a named individual" and to compel providers "to take steps so that OFCOM are able to remotely access" services and equipment. Under the bill, it is "an offence" to provide "information which is encrypted such that it is not possible for OFCOM to understand it."

"The Bill as currently drafted gives…Ofcom the power to impose specific technologies (e.g. algorithmic content detection) that provide for the surveillance of the private correspondence of UK citizens," according to a legal analysis of the legislation for Index on Censorship. "The powers allow the technology to be imposed with limited legal safeguards. It means the UK would be one of the first democracies to place a de facto ban on end-to-end encryption for private messaging apps."

To such objections, says EFF, the U.K. government responded: "We expect the industry to use its extensive expertise and resources to innovate and build robust solutions for individual platforms/services that ensure both privacy and child safety by preventing child abuse content from being freely shared on public and private channels."

This constitutes an instruction to the tech industry to "nerd harder" to develop schemes for magically securing privacy while allowing government access to everybody's communications, points out EFF.

Pushback—and Defiance

Tech companies and communications services that appeal to customers with assurances of privacy protected by end-to-end encryption aren't thrilled by legislative developments in the UK. Firms including Signal, Threema, and WhatsApp wrote an open letter warning that "global providers of end-to-end encrypted products and services cannot weaken the security of their products and services to suit individual governments. There cannot be a 'British internet,' or a version of end-to-end encryption that is specific to the UK."

"The UK Government must urgently rethink the Bill, revising it to encourage companies to offer more privacy and security to its residents, not less," they added.

Some providers have gone further.

Meredith Whittaker, president of U.S.-based Signal, said the service "would absolutely, 100% walk" away from Britain if the UK proceeds with its encryption ban.

Germany-based Tutanota responded, "We will not 'walk out' of UK. We will also not comply with any requests to backdoor the encryption."

"When the Iranian government blocked Signal, we recognized that the people in Iran who needed privacy were not represented by the authoritarian state, and we worked with our community to set up proxies and other means to ensure that Iranians could access Signal," clarified the encrypted messaging service. "As in Iran, we will continue to do everything in our power to ensure that people in the UK have access to Signal and to private communications. But we will not undermine or compromise the privacy and safety promises we make to people in the UK, and everywhere else in the world."

There's actually something of a contest among online services to tell the British government to go to Hell. In April, the Wikimedia Foundation, which publishes Wikipedia, said the online encyclopedia would not comply with the Online Safety Bill's requirements for age checks.

Free Speech is Also at Risk

As Wikimedia's resistance to age check requirements suggest, there's rottenness in the Online Safety Bill beyond its attacks on privacy.

"The Online Safety Bill…establishes 'duty of care' responsibilities for tech platforms to keep what the government deems 'online harms' (which is broader than just violent or pornographic content) out of the view of children," Reason's Scott Shackford cautioned earlier this year. At that time the bill had just been "made significantly harsher with threats of imprisonment for tech platform managers who run afoul of the complicated regulations."

As I recently noted, attacks on free speech are a cottage industry in the old world. The European Union's Digital Services Act goes into effect this month despite warnings that its restrictions on "hateful content" are nothing more than cover for censorship of online material that government officials dislike.

On the Internet, Even Bad Legislation is Global

Comments by European officials threatening to wield the law as a bludgeon against opponents "could reinforce the weaponisation of internet shutdowns, which includes arbitrary blocking of online platforms by governments around the world," 67 organizations protested in a July 26 letter.

The danger in authoritarian legislation passed by nominally liberal democratic countries is that it can be interpreted as a permission slip to restrict civil liberties. That has certainly been the case with Germany's NetzDG law against hate speech, which was rapidly replicated after its passage in 2017.

"NetzDG's reproduction in various hybrid and authoritarian regimes is doubly problematic—it is both an indication of authoritarian creep into democratic regimes and an instance of authoritarian learning from democratic regimes," Columbia Law School's Isabelle Canaan argued in a 2021 paper.

Authoritarian laws also create a quandary for companies forced to decide between creating walled gardens for different jurisdictions at great expense, or to default to restrictive rules for everybody.

If Britain enacts the Online Safety Bill, as seems likely, it may prove to be yet another assault on liberty around the world—unless online services stick to their guns and treat the U.K. (and other restrictive regimes) as pariahs whose laws should be defied.