News
The encryption myhs versus realities of online Safety Bill
October 2021 by
In the Queen’s Speech on 11 May 2021, the UK Government said it wants to “harness the benefits of a free, open and secure Internet”. It also asserted its commitment to online safety for all, especially for children. If it is serious about these goals, it must also realise they cannot be achieved without strong, reliable encryption.
With its draft Online Safety Bill now up for debate, the UK government is trying to legislate the impossible – a safe Internet without strong encryption – in the face of clear and consistent technical analysis saying that it cannot be done. Here are some of the myths being propagated to help the Online Safety Bill get through Parliament:
Myth number one: “This is just about encrypted messaging”
No. Today, encryption is an essential component of digitally connected objects like cars, doorbells, home security cameras and even children’s toys, otherwise known as the “Internet of Things” (IoT). It’s also essential for national security by protecting highly sensitive systems like the power grid, citizen databases, and financial institutions such as the stock market. These products and systems need end-to-end encrypted security.
Weakening encryption doesn’t just imperil our online lives – it will place us and the country at risk by allowing day-to-day objects and vital infrastructure to fall into the hands of criminals and terrorists.
Myth number two: "The Online Safety Bill does not weaken encryption"
What in fact, the Online Safety Bill proposes is to make service providers criminally liable for the acts of their users, which will lead them to withdraw encryption capabilities from their products entirely. Imagine if supermarkets became liable for knife crime leading them to withdraw all sharp objects from their shelves? Removing secure products and services from the market will leave everyone more vulnerable to crime, data breaches, or the actions of hostile governments.
Myth number three: "The Online Safety Bill creates a safe back door for law enforcement to access encrypted communications"
But research shows there is no feasible back door to end-to-end encryption that can’t also be used by malicious actors. Despite having access to the world’s leading cryptographic expertise, the government has been unable to suggest a credible, safe back door that meets their requirements because it does not exist. Instead, the government is trying to make companies design insecurity by default. That is not the way to "harness the benefits of a free, open and secure Internet", it’s a recipe for fraud and online harm.
Myth number four: "Encryption stops law enforcement from doings its job”
Several governments make this claim, but their evidence for it is unreliable. For instance, law enforcement agencies have had to admit they exaggerated claims about encryption as an obstacle, and that the biggest hindrance to addressing online safety has been technical capability, not encryption. Building law enforcement’s technical skills and capacity may not sound as exciting but it’s more effective, and – unlike breaking encryption for everyone – it passes the tests of necessity and proportionality.
On September 8th 2021, UK officials claimed that encryption prevents police from taking any pre-emptive action against child abuse. This is simply untrue: a study from the Stanford Internet Observatory showed that claims of encryption hindering anti-abuse efforts are reliant on the faulty premise that techniques such as content-scanning are the only available method for preventing online abuse. In fact, the study showed online services providers are fully capable of preventing, detecting, and mitigating abuse without relying on the ability to access user content at will.
We should be asking why governments have to rely on bogus claims to back up their proposals. A policy based on claims that don’t bear inspection is an unsafe policy, especially when its potential side-effects are so serious and far-reaching.
Myth number five: "Technical experts aren’t doing enough to help."
In a bizarre twist, technologists are now being accused by the Home Secretary of failing in a "duty of care" to users by providing them with secure services. But the problems of child abuse, terrorism, and people trafficking existed long before encryption and the Internet, and a technology fix like this one cannot solve societal problems.
Technology stakeholders have contributed evidence-based proposals to the policy debate, including information on content moderation in encrypted systems, and mitigating terrorists’ use of encryption - but their findings aren’t what policymakers want to hear. The recommendations, unsurprisingly, support the conclusion that strong online security is the solution, not the problem. Even the former head of GCHQ says that weakening encryption is short-sighted.
The Reality: end-to-end encryption keeps all of us safe online - individuals, children, and families.
Encryption technology ensures that sensitive, confidential information transmitted by billions of people online everyday remains confidential. It prevents spies, terrorists and hostile governments from accessing and exploiting confidential communications of government officials and protects highly sensitive systems intrinsically tied to national security, including the power grid, databases, and financial institutions, from being hacked.
There is no ‘pick and choose’ when it comes to encryption; when it’s broken, there’s no turning back.
