Tech companies and privacy activists are claiming victory after an eleventh-hour concession by the British government in a long-running battle over end-to-end encryption.
The so-called “spy clause” in the UK’s Online Safety Bill, which experts argued would have made end-to-end encryption all but impossible in the country, will no longer be enforced after the government admitted the technology to securely scan encrypted messages for signs of child sexual abuse material, or CSAM, without compromising users’ privacy, doesn’t yet exist. Secure messaging services, including WhatsApp and Signal, had threatened to pull out of the UK if the bill was passed.
“It’s absolutely a victory,” says Meredith Whittaker, president of the Signal Foundation, which operates the Signal messaging service. Whittaker has been a staunch opponent of the bill, and has been meeting with activists and lobbying for the legislation to be changed. “It commits to not using broken tech or broken techniques to undermine end-to-end encryption.”
The UK’s Department for Digital, Culture, Media and Sport did not respond to a request for comment.
The UK government hadn’t specified the technology that platforms should use to identify CSAM being sent on encrypted services, but the most commonly-cited solution was something called client-side scanning. On services that use end-to-end encryption, only the sender and recipient of a message can see its content; even the service provider can’t access the unencrypted data.
Client-side scanning would mean examining the content of the message before it was sent—that is, on the user’s device—and comparing it to a database of CSAM held on a server somewhere else. That, according to Alan Woodward, a visiting professor in cybersecurity at the University of Surrey, amounts to “government-sanctioned spyware scanning your images and possibly your [texts].”
In December, Apple shelved its plans to build client-side scanning technology for iCloud, later saying that it couldn’t make the system work without infringing on its users’ privacy.
Opponents of the bill say that putting backdoors into people’s devices to search for CSAM images would almost certainly pave the way for wider surveillance by governments. “You make mass surveillance become almost an inevitability by putting [these tools] in their hands,” Woodward says. “There will always be some ‘exceptional circumstances’ that [security forces] think of that warrants them searching for something else.”
Although the UK government has said that it now won’t force unproven technology on tech companies, and that it essentially won’t use the powers under the bill, the controversial clauses remain within the legislation, which is still likely to pass into law. “It’s not gone away, but it’s a step in the right direction,” Woodward says.
James Baker, campaign manager for the Open Rights Group, a nonprofit that has campaigned against the law’s passage, says that the continued existence of the powers within the law means encryption-breaking surveillance could still be introduced in the future. “It would be better if these powers were completely removed from the bill,” he adds.
But some are less positive about the apparent volte-face. “Nothing has changed,” says Matthew Hodgson, CEO of UK-based Element, which supplies end-to-end encrypted messaging to militaries and governments. “It’s only what’s actually written in the bill that matters. Scanning is fundamentally incompatible with end-to-end encrypted messaging apps. Scanning bypasses the encryption in order to scan, exposing your messages to attackers. So all ‘until it’s technically feasible’ means is opening the door to scanning in future rather than scanning today. It’s not a change, it’s kicking the can down the road.”
Whittaker acknowledges that “it’s not enough” that the law simply won’t be aggressively enforced. “But it’s major. We can recognize a win without claiming that this is the final victory,” she says.
The implications of the British government backing down, even partially, will reverberate far beyond the UK, Whittaker says. Security services around the world have been pushing for measures to weaken end-to-end encryption, and there is a similar battle going on in Europe over CSAM, where the European Union commissioner in charge of home affairs, Ylva Johannson, has been pushing similar, unproven technologies.
“It’s huge in terms of arresting the type of permissive international precedent that this would set,” Whittaker says. “The UK was the first jurisdiction to be pushing this kind of mass surveillance. It stops that momentum. And that’s huge for the world.”