In a move to combat child abuse images and online grooming, the UK government has proposed amendments to the Online Safety Bill, granting regulators powers to compel tech firms like Signal, WhatsApp, and Apple to scan encrypted messages. However, tech companies have expressed strong opposition to these measures, citing privacy concerns.
The latest amendments, passed by the House of Lords, require a detailed report to be prepared by a “skilled person” before the regulator, Ofcom, can utilize the powers to force firms to scan messages. Previously, this report was optional. The report will assess the impact of scanning on freedom of expression and privacy and explore the possibility of less intrusive technologies. Additionally, another amendment requires Ofcom to consider the implications of using scanning technology on journalism and the protection of journalistic sources.
The proposed bill would allow Ofcom to mandate tech companies to use “accredited technology” for scanning messages to identify child sexual abuse material. This measure has been deemed necessary by ministers, police, and children’s charities to address the growing problem of child exploitation on online platforms, where encrypted channels allow abusers to operate undetected.
Critics argue that to scan end-to-end encrypted messages, companies would need to conduct client-side scanning before encryption occurs. This process, according to critics, compromises the privacy and security of encrypted messaging systems. Meredith Whittaker, president of Signal, has previously expressed concerns that tech firms would essentially become “government-mandated scanning services.”
The recent amendments were introduced in response to mounting apprehensions about the privacy implications and technical feasibility of the proposed powers. Government minister Lord Parkinson acknowledged these concerns but assured that robust safeguards were in place to protect privacy. Ofcom will consider the report’s findings when determining whether it is necessary and proportionate to enforce message scanning, and it will share a summary of its findings with the concerned tech firms.
Despite the changes, campaigners argue that the measures fall short of adequate privacy protection. Some have labeled the powers a “spy clause,” asserting that a judge should be involved to authorize message scanning at the very least. The Index on Censorship criticized the lack of judicial oversight and emphasized that government-appointed individuals should not oversee decisions affecting free speech and privacy rights.
The Open Rights Group, which advocates for digital rights, also expressed dissatisfaction with the amendment, noting that the designated “skilled person” could be a political appointee, undermining the effectiveness of oversight. Additionally, critics pointed out that the reports generated by the “skilled person” would lack legal authority.
An amendment supported by Labour and Liberal Democrat spokesmen proposed judicial oversight, but it was not moved to a vote. However, Labour’s Lord Stevenson urged further discussion on the matter during later stages of the bill. Conservative peer Lord Moylan suggested an amendment to exempt encrypted services from scanning altogether, deeming the government’s plans a “major assault on privacy.” Nevertheless, he refrained from moving it to a vote, anticipating unfavorable outcomes.
Conversely, the NSPCC, a children’s charity, supports the powers in the bill, believing it strikes a balance in holding companies accountable for mitigating the risks of child sexual abuse while implementing features such as end-to-end encryption.
The Online Safety Bill continues to progress through Parliament, and the debate over balancing privacy and online safety remains a critical and contentious issue.