Shut the Back Door: Protecting Encryption From the Online Safety Bill

The Adam Smith Institute’s latest paper, written by John Macdonald, argues that the Online Safety Bill will, in its current form, undermine encryption to the detriment of privacy, security and the economy.

  • End-to-end encryption is foundational to the proper functioning of our online experience;

  • The Online Safety Bill would—in its current form—undermine end-to-end encryption by empowering Ofcom to demand service providers use ‘accredited technology’ to give them access to encrypted content in certain circumstances, under threat of large fines;

    • The Bill also grants the Secretary of State sweeping discretionary powers to determine the scope of services included in such provisions;

  • Undermining end-to-end encryption poses a grave threat to privacy, security and the wider UK economy;

    • There is no sense in which encryption could be maintained while another party not participating in the information exchange has access to the contents;

    • Creating an encryption ‘backdoor’ for law enforcement would effectively be a blackmailer’s charter, allowing criminals and hostile foreign actors to exploit security flaws;

    • Such measures would undermine the growth and competitiveness of the UK technology sector, potentially resulting in large companies withdrawing from the market entirely;

  • Weakening encryption undermines the credibility of the UK on the international stage, providing tacit justification for oppressive regimes like Russia and China to violate civil rights;

  • Despite Government protestations to the contrary, the use of ‘client-side scanning’ would not address privacy concerns, as demonstrated in the school safety sector;

  • The Government should redraft the Online Safety Bill to ensure end-to-end encryption is properly protected;

  • Certain elements of the Bill should be removed entirely, including:

    • Clause 104(2), which allows Ofcom to issue a notice requiring service providers to use ‘accredited technology’ to identify and ‘deal with’ content deemed harmful;

    • Clause 92(4), which makes it an offence for the provider to give ‘information which is encrypted such that it is not possible for Ofcom to understand it, or produces a document which is encrypted such that it is not possible for Ofcom to understand the information it contains’;

    • Schedule 12, which further stipulates that failure to comply can lead to fines of up to £18 million or 10% of global revenue;

  • The Government should also undertake a review of client-side scanning technologies, to better understand the tradeoffs between privacy and security that their implementation brings.