A group of esteemed security and cryptography researchers have raised a flag of caution over the proposed UK Online Safety Bill, voicing concerns about its potential to infringe upon the security and privacy of online communications. Amid ongoing discussions in the House of Lords this summer, the researchers have vocalized their apprehensions through an open letter.
These professionals dedicate their careers to devising and maintaining secure technologies designed to protect online data and communications from a spectrum of adversaries – ranging from teenage hackers to powerful nation states and criminal enterprises. They argue that, although the surveillance technologies put forth in the Online Safety Bill aim to enhance online safety, they may inadvertently erode the critical privacy guarantees that form the bedrock of secure online interactions.
The researchers have been avid supporters of end-to-end encryption over the past decade, a development that was partially triggered by the exposure of widespread digital surveillance by nation-state entities. However, they believe that this privacy protocol, which has become a cornerstone of secure communication, is under threat due to the proposed bill.
The researchers’ letter specifically addresses the proposal to implement routine monitoring of personal, business, and civil society online communications. This monitoring is designed to prevent the dissemination of child sexual exploitation and abuse (CSEA) content. However, they underscore that such surveillance practices would conflict with existing privacy-centric online communication protocols.
An inherent contradiction in this approach lies in the attempt to maintain confidentiality while simultaneously sharing information with third parties. The researchers highlight the potential risks of granting the State access to every private message and image, noting that any actor with access to these monitoring facilities would have similar access, potentially creating a significant security risk.
They drew parallels to historic cybersecurity failures, such as the Clipper chip and DualEC, arguing that these compromises aren’t mere hypotheticals but eventualities that need to be considered, particularly in light of high-profile breaches at the national security level in countries like the US and the UK.
The open letter also criticizes the concept of client-side scanning, which they wittily describe as a “police officer in your pocket.” They point out two primary flaws in this approach. Firstly, the technology does not effectively achieve its primary objective of detecting known prohibited content. Secondly, recent research has revealed that these algorithms can be repurposed for secondary objectives like facial recognition, covertly enabling surveillance.
They also warn about proposals to deploy AI models to scan messages for previously unseen but prohibited CSEA content. According to the researchers, there are no sufficiently reliable solutions for detecting such content, and the risk of false positives could lead to undue harm and, potentially, exploitation and abuse.
The researchers express concern that if the Online Safety Bill passes and an Ofcom order is issued, several international communication providers may refuse to comply, which could result in them leaving the UK market. This would put UK residents at risk, forcing them to adopt potentially weaker solutions for their online interactions.
The security and cryptography researchers concluded their open letter by reiterating their mission: to build technologies that keep people safe online. They stress that the Online Safety Bill, as it currently stands, poses a significant threat to the safety that these technologies provide. The letter serves as a wake-up call for legislators to carefully consider the potentially adverse consequences the Bill may have on online privacy and security.
