Plans by the government in the Online Safety Bill to require tech companies to scan encrypted messages will damage the UK’s reputation for data security, the UK’s professional body for IT has warned.
BCS, The Chartered Institute for IT, which has 70,000 members, said that government proposals in the new laws to compromise end-to-end encryption are not possible without creating systemic security risks and in effect bugging millions of phone users.
The warning, in a study by the BCS Fellows Technical Advisory Group, comes as the controversial bill introducing new powers to monitor encrypted communications for child abuse and other illegal content returns for its third reading in the House of Lords.
The BCS argues in The Online Safety Bill and the role of technology in child protection, produced by a panel of 21 technology experts, that the government is seeking to impose a technical solution on a problem that can only be solved by broader interventions from police, social workers, and educators.
Some 70% of BCS members say they are not confident that it is possible to have both truly secure encryption and the ability to check encrypted messages for criminal material.
The chair of the BCS Fellows Technical Advisory Group, Adam Leon Smith, told Computer Weekly that the government cannot rely on untested technology to meet the objectives of the Online Safety Bill, which aims to protect internet users from illegal or harmful content.
“The government is trying to legislate technology into existence. Rather than looking at broader approaches such as education, training and public awareness, it is looking for technology to solve the problems,” he said.
The Online Safety Bill (OSB) gives the regulator Ofcom powers to require communications services to install “accredited technology” to inspect the contents of messages sent by end-to-end encrypted services for child abuse or terrorism content.
Ofcom will have powers to impose scanning technology without requiring authorisation from a court or an independent judicial commissioner, in effect bypassing the existing safeguards governing surveillance in the UK’s Investigatory Powers Act 2016.
The proposals have led to a backlash from encrypted messaging providers, including WhatsApp, Signal and Element, which have threatened to withdraw their services from the UK if the bill becomes law.
The BCS’s expert group said the proposed legislation is likely to damage the UK’s international reputation on data security and its reputation as an effective regulator of technology.
As well as undermining the market for products developed in the UK, the OSB would make the UK an insecure link in cross-border communications, it said.
“My fear for individuals is they will be forced to use technologies which do not protect privacy but claim that they do. My fear for businesses in the UK is they will become second-class citizens compared to their trading partners in terms of data adequacy,” said Smith.
In Australia, a 2021 study by the Internet Society found that the Australian Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, better known as TOLA – which gave the state powers to require communications company to assist in providing access to encrypted data – had the potential to cost the Australian economy multiple billions of dollars and to undermine trust in digital services and the internet.
Ofcom is expected to mandate technology known as client-side scanning to inspect the contents of communications sent by secure messaging services and mobile phones before they are encrypted.
This would require communications service providers to install software capable of analysing messages and to send reports back either to a government agency or a technology provider.
The BCS argues that client-side scanning would introduce a systemic vulnerability that could be exploited by criminals or hostile nation states that is likely to outweigh any benefit to law enforcement.
Another scanning technology under consideration, homomorphic encryption, which makes it possible to perform calculations on encrypted data to identify its content, would also weaken encryption.
BCS experts are divided over how long it will take to develop a useable version of homomorphic encryption, with estimates ranging from a few years to 20 years, said Smith.
“But it wouldn’t be end-to-end encryption. It would be a weakened version of it,” he added.
Privacy trade-off should be proportionate
The trade-off proposed by the Online Safety Bill, which will weaken the privacy of all citizens, including children, according to the BCS report, should be evidence based and proportionate to the problem.
Although end-to-end encryption has grown significantly since 2015, it has not lead to a decrease in UK prosecutions for images of abuse.
And in Germany a study by the Max Planck Institute showed that increased digital surveillance did not lead to an increase in criminal convictions.
At the same time police have shown that they have been able to penetrate fully encrypted communications systems following a series of cross-border operations to harvest messages from the EncroChat and Sky ECC phone networks and other encrypted services.
Risks of client-side scanning not well understood
Research published by Imperial College London in May found that the risks of using client-side scanning are not yet well enough understood to justify its deployment on hundreds of millions of devices.
The university researchers warned that government agencies, including intelligence and law enforcement, could embed hidden features such as facial recognition or other surveillance capabilities in client-side scanning technology.
The UK’s National Research Centre on Privacy, Harm Reduction and Adversarial Influence Online (REPHRAIN) has called on politicians to consider an independent scientific evaluation of scanning technology before voting through the bill.
And in July some 70 UK information security and cryptography researchers warned in an open letter that the proposals for mandating technology to monitor encrypted messaging services in the OSB could be exploited by hostile governments or hackers for malicious purposes if they were introduced.
Their Open Letter from Security and Privacy Researchers in relation to the Online Safety Bill, also argued that reliable solutions for detecting child sexual abuse images do not yet exist and risked generating false positives.
That could lead to private, intimate or sensitive messages being wrongly passed on to reviewers in technology companies or law enforcement, the letter stated.
It could also inundate police and intelligence services with large quantities of data, including false positives, that would be difficult to process.
House of Lords rejected amendments
The House of Lords introduced an amendment to the Online Safety Bill in July, which will require the regulator to commission a report by a “skilled person” before giving tech companies technical notices to require them to install technology to scan encrypted messages.
It is not clear what qualifications the person would need or what assessment would be required before permitting scanning.
However politicians have been wary of criticising provisions in the Online Safety Bill that would damage privacy as it is being presented as a bill to combat child abuse and terrorism, causes that it is difficult to argue against.
“It can be incredibly difficult for politicians to speak out about it, and it is unfortunate that there does not seem to be a political appetite to block this bill,” Smith said.
Labour dropped a proposed amendment that would have required an independent judicial commissioner to review whether the measures were proportionate and that appropriate regard had been given to freedom of expression and privacy rights.
The Lords also dropped a proposed amendment by conservative peer Lord Moylan, which would prohibit Ofcom from imposing any requirement on technology companies that would weaken or remove end-to-end encryption.
Vulnerabilities will be exploited by rouge states
Matthew Hodgson, CEO of the encrypted messaging and collaboration platform Element, and technical co-founder at Matrix.org told Computer Weekly that scanning technology would create vulnerabilities that could be exploited by hackers and rouge states.
He said that the UK was in danger of setting a precedent for less democratic nations to introduce similar surveillance on communications.
“Detecting illegal content means all content must be scanned in the first place. By adding the ability to use scanning technology at all, you open the floodgates to those who would exploit and abuse it. You put the mechanism in place for mass surveillance on UK citizens by the ‘good guys’ and the bad,” he said.
“Bad actors don’t play by the rules. Rogue nation states, terrorists and criminals will target that access with every resource they have. OSB is outright dangerous,” he added.
Commenting on the BCS report, Robin Wilton, director of internet trust at the Internet Society, said the government should increase its support for policies with less dangerous consequences, including public awareness campaigns, professional training, and conventional police work.
“The trust that the government places in emerging technologies to solve societal problems is unproven. Technologies that compromise encryption through circumvention or backdoor access would expose UK residents to a new array of online harms, including blackmail and scams”
BCS chief executive Rashik Parmar said that those responsible for creating the technology mandated by the Online Safety Bill must ensure it meets the highest standards of competence, inclusivity, ethics and accountability.