Government Softens Stance on UK End to End Encryption Ban

Wednesday, Sep 6th, 2023 (3:50 pm) - Score 2,632

The UK Government appears to have softened its controversial stance on end-to-end encryption (E2EE) in the looming Online Safety Bill (OSB), which threatened to undermine the security of internet messaging and communication platforms by allowing private messages to be filtered and moderated.

The confusing and ugly mess of legislation that is the OSB, which began life as an otherwise noble and desirable policy to help tackle “harmful” internet content (i.e. via fines, website blocks by broadband ISPs and other sanctions), has in recent years become somewhat of a Frankenstein’s monster.

One aspect of that was the threat it posed to private communications between people, across all sorts of different platforms – particularly in respect to E2EE, which is a method that any developer can add to help keep everything from financial transactions, to website visits and messaging services secure.

Unlike regular encryption, which can be broken by hackers and hostile states if the decryption keys are uncovered, E2EE goes further by ensuring those keys are kept hidden, even from the platform provider. The new bill threatened to break this by handing Ofcom the power to require that fully encrypted-messaging and other such communication services adopt “accredited technology” for content moderation, such as to identify and remove illegal content.

The problem for E2EE based services is that this approach is incompatible with how the technology works and raised significant security concerns (i.e. you can’t break it and expect hostile states or hackers not to take advantage), which were enough for major messaging providers (e.g. WhatsApp, Apple and Signal) to warn that they’d sooner exit the UK than be forced to breach user privacy.

Similarly, the proposed workaround for this, which would be to adopt client-side scanning on the device itself (mobile, laptop etc.) – this could check messages BEFORE they are sent – ended up being just as unattractive. It turns out that a lot of people don’t like having the content of their private messages scanned by governments and big companies. Big surprise there.

What’s Changed in the OSB

At this point the government hasn’t so much chosen to cut this aspect out of the bill as to push the can down the road a bit more. According to the FT and other sources, the government will now make it so that Ofcom can only require such providers to introduce back-door access when a technology is developed that is capable of scanning networks in such a manner, and even then only as a “last resort”.

The government is expected to say that such a “notice can only be issued where technically feasible and where technology has been accredited as meeting minimum standards of accuracy in detecting only child sexual abuse and exploitation content.” But there’s likely to be frustration that the government has left the option open in the law, even if it won’t be strictly enforced.

James Baker, Campaigns Manager for the Open Rights Group, said:

“ORG welcomes news that the government is rowing back on its plans to scan private messages for harmful content. As ORG along with other privacy activists, tech companies, security experts have warned from the start, it is not possible to scan messages that use end-to-end encryption without undermining all users’ privacy and security. We are glad that at the eleventh hour, it would appear that the government has conceded this.

While this is welcome news, these powers do remain on the statute books and could in the future allow for state-mandated surveillance of our private messages. It would be better if these powers had been completely removed from the Bill.”

Speaking personally, I also use secure message platforms, such as when communicating with important sources for some of the articles we write. Suffice to say, I would not want either the messaging provider’s staff or government to have any access to those conversations, in any way shape or form. Like many other people, if such methods were to be introduced, then we’d swap to using different platforms that exist outside the UK’s control.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
Comments
19 Responses

  1. Nathan says:

    Banning something in demand doesn’t eradicate it, we’ve learnt that much in the UK already, I agree this will just push people to use other methods. E2EE is going nowhere.

  2. 10BaseT says:

    So basically nothing has changed except words used to express the same crap.

    “…the government will now make it so that Ofcom can only require such providers to introduce back-door access when a technology is developed that is capable of scanning networks in such a manner, and even then only as a “last resort”…”

    So who is going to state that particular technology meets the requirements and what if Apple, Signal, WhatsApp disagree and refuse to implement it?

  3. Kel says:

    We’ll see this creep in quietly via the backdoor.. or attempt to.

    Let’s all remember the RIPA, meant for combating organised crime and anti-terrorism etc, and ended up being used by local councils and others for petty things..

    1. 125us says:

      We won’t, because it’s literally impossible.

    2. Ad47uk says:

      Don’t be so sure, the U.K government could become like China and have a great firewall of the UK

    3. 125us says:

      How does a firewall overcome encryption? Be specific now.

  4. Phil says:

    Given the censorship we experience for even having perfectly legal views, and organisations such as banks shutting down accounts of people because their legal views don’t align with their marketing, then I would say giving governments access to our private messages is definitely bad news.

    Okay, people can argue it would only be used for good, i.e. finding criminal activity or used to decrypt messages to get nasty people put away, but we all know those criminals would just switch to some other form of transmitting messages and even more secure, so essentially this is only a way for governments to keep a track on its citizens and their “views”.

    Anyone that disagrees with the narrative being pushed by governments and daring to challenge that would just be found and spied upon, and we already know this from the recent pandemic this happens and good people including top scientists and Doctors, were silenced and cancelled for daring to ask questions, and this was done by our governments. Governments already have too many powers to spy on its citizens.

    1. Gary says:

      It will not be used for good, it will be used to “gather evidence” to arrest people in their private conversations like some dystopian Minority Report but not for theft, they don’t care about theft anymore, it will be used to target political opposition

      In Germany they are already pondering banning opposition, here in the UK they are just debanking some people here and there but watch it escalate soon

      Meanwhile we still do not have Boris Johnson’s corona Whatsapp conversations where they talk about where it proves they knew it was safe to host parties while locking the country down for “safety”

    2. XGS says:

      Banks are private businesses, even NatWest is majority private sector now, and may close accounts for any reason they see fit bar specific exclusions. Free market and all that. Folks are entitled to a basic private bank account, they aren’t entitled to any bank account they want with any bank they want.

      Entertaining how free market nut jobs are up in arms because of Nigel Farage throwing a tantrum over having to bank with the commoners rather than being with Coutts. Best send him some more money for his campaign, marks.

    3. Sam says:

      XGS with the bad takes. “mUh fReE mArKeT” does not apply to a vital service that you need in order to participate in society, exactly like electricity, broadband, water.. etc

      Banning a paying customer on the grounds of just not liking the opinion of said customer, sets a very dangerous precedent that has no place in a free society. This is social credit score dystopia like in China where you will not be able to withdraw your money if you posted a Winnie the Pooh meme

      You are just seal clapping because you do not like Nigel. It won’t be as fun for you when you get caught for the “wrong opinion”

    4. Mike says:

      There is no real competition in the banking sector due to over regulation.

  5. NE555 says:

    This doesn’t change anything. The threshold of “technically feasible” has already been passed, since Apple has already done it and demonstrated it (but rolled it back).

    The issue is more like this: if I buy a device, it’s mine. The government is now mandating that anything stored on my device is to be scanned, without my knowledge or permission, and the device must report back what it finds to the authorities.

    Today, and here in the UK, the scanning might be for CSM only. Almost certainly it will then be extended to “material helpful to terrorists”, and then to lower levels of crime (copyright infringement perhaps?)

    But more worryingly, what happens when I travel to another country? Will my device be scanned for political content, LGBTQ material, etc etc? The big operators like Apple and Google are transnational, and have to do what each country’s government dictates. If the device has this feature, it certainly will be used.

  6. 4chAnon says:

    Hey Mark

    Can you fix the site? It keeps giving me trouble. The only website to keep requiring safari to kill itself and restart the page.

    1. Mark Jackson says:

      I think we might have found the cause of that bug. Can you just check and see if it’s still occurring on news pages?

  7. Alex says:

    Yet another reason to switch to Open-Source based OSes like OpenWrt

  8. Buggerlugz says:

    You can tell by the wording of the OSB that the government has all the best people on this one…..honestly, they couldn’t organise a pee-up in a brewery.

    1. Mike says:

      These sorts of laws come from the civil service, not parliamentarians, it’s all about expanding the size and power of the deep state.

  9. Jack says:

    It’s all about CONTROL, they want to CONTROL you, there will be no “soften” they are all controlled by the WEF, that you will own nothing and be happy. Klaus Schwab said “Cyberattack Worse than COVID-19 Crisis”

  10. DaveisDead says:

    The article is misleading at best and wrong at worst.

    E to E encryption doesn’t provide any additional protection from hackers or nation states, it limits the scope for legal MITM interception and forces the hackers/NS to compromise the users (endpoints) rather than some agreeable (or legally bound) entity in the middle. What it definitely doesn’t do is protect your keys any more (arguably it makes your keys LESS safe as you’re now relying on the security of a user’s endpoint instead of a corporately secured and monitored server that may have HSMs and be hardened appropriately).

    It certainly limits indiscriminate snooping en masse either legally or illegally as instead of a compromised server exposing lots of users you need to target individuals. It also limits simple legal interception if you don’t want the user to know. But ultimately it doesn’t really protect you – if a skilled hacker or nation state wants to get to you on your personally owned laptop or mobile that probably hasn’t been patched in a year, they will and end to end encryption isn’t going to save you. It CERTAINLY doesn’t hide your keys to any greater extent.
