U.K. Government Finally Admits It Can't Scan for Child Porn Without Violating Everybody's Privacy
A surveillance authority in the country’s troubling Online Safety Bill won’t be enforced, officials say. But for how long?
The U.K. government finally acknowledges that a component of the Online Safety Bill that would force tech companies to scan data and messages for child porn images can't be implemented without violating the privacy rights of all internet users and undermining the data encryption tools that keep our information safe.
And so the government is backing down—for now—on what's been called the "spy clause." Using the justification of fighting the spread of child sexual abuse material (CSAM), part of the Online Safety Bill would have required online platforms to create "backdoors" that the British government could use to scan messages between social media users. The law also would've allowed the government to punish platforms or sites that implement end-to-end encryption and prevent the government from accessing messages and data.
While British officials have insisted that this intrusive surveillance power would be used only to track down CSAM, tech and privacy experts have warned repeatedly that there's no way to implement a surveillance system that could be used only for this particular purpose. Encryption backdoors allow criminals and oppressive governments to snoop on people for dangerous and predatory purposes. Firms like Signal and WhatsApp threatened to pull their services from the U.K. entirely if this bill component moved forward.
Today, The Financial Times broke the news that the House of Lords will announce that tech companies do not have to implement these backdoors until a technology exists that can scan messages only for child porn.
According to Wired, Signal Foundation President Meredith Whittaker sees this announcement as a win for them: "It commits to not using broken tech or broken techniques to undermine end-to-end encryption."
But unfortunately, it's not as much of a win as Whittaker wishes it were. Wired notes that the problematic "spy clause" actually remains in the legislation. The government is just promising not to enforce it right now. In reality, all the powers will remain intact. Wired reports:
"Nothing has changed," says Matthew Hodgson, CEO of UK-based Element, which supplies end-to-end encrypted messaging to militaries and governments. "It's only what's actually written in the bill that matters. Scanning is fundamentally incompatible with end-to-end encrypted messaging apps. Scanning bypasses the encryption in order to scan, exposing your messages to attackers. So all 'until it's technically feasible' means is opening the door to scanning in future rather than scanning today. It's not a change, it's kicking the can down the road."
Ultimately, this is a victory only in the sense that the U.K. government is now finally publicly admitting that encryption backdoors inevitably violate the privacy rights of innocent people and compromise their safety. The government had, up until now, been focusing on a campaign that stoked fears of child sex-trafficking as a way of deflecting criticism and attempting to steamroll over those who warned about the dangers of this surveillance.
The acknowledgment is a cheap consolation prize given that U.K. lawmakers are about to pass a privacy-violating, speech-suppressing, authoritarian bill. Yes, they are promising not to enforce the broken parts of the law, but only after vehemently insisting that the law was perfectly good and necessary. Social media users trust them at their peril.