UK’s Online Safety Bill Will Actually Just Harm Everyone, Encrypted Service Provider Warns
from the now-that-it's-kind-of-fixed,-let's-break-it dept
Over the past couple of years, we’ve covered the UK’s “Online Safety Bill” extensively. And for good reason, seeing as it has the potential to effectively outlaw end-to-end encryption, and create an unworkable mess for any service (and it’s pretty much all of them) engaging in content moderation.
The bill was originally called the “Online Harms Bill,” but underwent rebranding, possibly due to legislators and regulators realizing this might signal their true intent: to harm online communications and services. Now it’s all about “safety,” and that means often claiming this is all being proposed to save the children of the UK from online harms — a claim that continues to be made even though a UK government commission pointed out banning or undermining encryption would actually harm kids.
The ever-expanding legislative proposal has received significant pushback. WhatsApp said it would not break its encryption to appease the UK government. Signal said the same thing, telling legislators it would simply refuse to offer its services in the UK if it was required to undermine or break its encryption.
Proton (of Proton Mail fame) has now weighed in on the harmful “safety” bill in a post on its site, pointing out what some might have missed in this discussion. It’s not just about regulating social media services. It’s about regulating pretty much everything anyone does online.
Proton offers encrypted services, including cloud storage. It also offers a VPN. These may seem to be outside the parameters of the law (not including the encryption-targeting parts of it) since the bill aims to reduce the amount of “harmful” content people encounter on widely used social media services. But the bill’s language is all-encompassing, which means Proton is likely not exempt from the proposed legislation.
At this stage, the bill is so broad that it’s not entirely clear who would be subject to it. While primarily targeting social media companies, the bill defines “content” as anything that is “communicated publicly or privately”. In practice, as tech companies (like Proton) often offer single accounts encompassing a number of different services, it’s likely that services that are not meant to be subject to the law (like email) will inadvertently become subject to it by extension.
That essentially means that almost any online service that has users in the UK could be affected. It also means that messages you send your mom could be treated the same as something you post on social media for everyone to see, which comes dangerously close to violating UK citizens’ explicit right to a private life.
This means Proton’s executive may be just as liable for user-generated content as companies like Facebook and Twitter. And that could mean jail time if the UK government decides Proton isn’t doing enough to enforce its terms of service and/or proactively monitor content for anything the government decides is objectionable. That’s a problem when you offer end-to-end encryption: you can’t monitor content because you simply cannot see it.
If the bill passes in its current form, Proton (and services like it) would have only four options, none of them good.
- Remove its end-to-end encryption
- Weaken its end-to-end encryption
- Install client-side scanning
- Cease providing service in the UK
Supporters of the bill simply don’t see the problem. If encryption prevents companies from complying with the law, either the encryption goes or they do. The collateral damage is someone else’s problem.
Proton doesn’t want to leave the UK. But if it can’t protect the privacy of its users and still comply with the law, it looks like that will be the only option it has.
If this bill becomes law, the UK will become a third-world nation in terms of internet services. Its residents will have a dearth of options, none of which will be particularly palatable. The companies that remain will have demonstrated by their compliance they have little interest in the security and privacy of their users. And who in their right mind would choose to put their trust in that?
Filed Under: encryption, online safety bill, safety, uk
Companies: proton


Comments on “UK’s Online Safety Bill Will Actually Just Harm Everyone, Encrypted Service Provider Warns”
Said this before, but the whole bill is an unworkable mess that is likely to collapse under its own weight. Just look at the last UK age verification law that was delayed over and over again until it was quietly scrapped.
There’s also the fact that Ofcom is likely to be super underfunded and unable to enforce 90% of the bill.
There’s also no way this bill is going to hold up to a court challenge.
Re:
The Internet becomes unworkable if every time you follow a link you have to go through age verification.
Re: Re:
If they can ever even get age verification up and running, and that’s unlikely, it just won’t work.
Think of the children!
But how does this bill prevent the worst form of child abuse: Abuse by family members?
I have the feeling this law makes discussion by abuse victims even harder!
Re:
It will! That’s one of the main points brought up by people talking about it. By compromising encryption, it’ll be much harder, if not impossible, for those who rely on encryption to safely discuss these issues, thereby hurting the very people the bill claims to want to protect.
Banning total encryption?
I wonder how online banking will work without end-to-end encryption. Do those rich members of parliament want to have their financial details open to the public? And how about online shopping? How will people enter their credit card securely into any shopping sites? Any site that requires a password uses end-to-end encryption.
On the other hand, it will make governance a bit more transparent as ministers and their staff won’t be able to use Signal and WhatsApp to hide their communications from the archive.
Well that's one way to tank your tech industry...
Ensuring that any tech company that offers service in the country can’t offer secure service sounds like a great way to gut your economy by driving any user or company who values security and/or privacy into looking for alternatives outside your country’s jurisdiction.
And of course that’s not even getting into the huge targets painted on the backs of any companies that stay and in so doing make clear that their service/product is no longer secure and just begging for someone to find the security holes that are either already embedded in or soon will be.
Re:
They’ve already gutted their economy with Brexit, this is just another nail in the coffin which was the British economy. ARM for example, moved their IPO from the London Exchange to NYSE I think.
As stated, it will harm not just kids but everyone, but whoever wants this bill introduced has something at the heart of it to personally protect. Even though it will soon prove the harm it does, the bill will still go through. Anything and everything that can be done will be done to keep ordinary people restricted and the fuckers who are always up to no good from being discovered. It’s nothing less than forcing the UK to become even more of a dictatorship, whereby the rich, the famous and all friends are protected!
If it was genuinely about protecting children, the law would simply be parental controls on devices set a flag in TCP/UDP packets that must be observed. If the flag is set, and the site requires age 18+, the packet must be dropped.
There’s really no need for a long waffling law, unless it’s really about censorship of adults and a new income stream for government in the form of fines for large tech companies that don’t make the right political contributions.