Robin Wilton, director for Internet Trust at Internet Society, discusses why governments and the private sector pose threats to encrypted communications
The Online Safety Bill was originally titled the Online Harms Bill; that was almost certainly a more accurate name for it. Although we don’t yet know how much of it will survive the parliamentary process, in its present form it is unsafe and would almost certainly do more harm than good. When it comes to encryption “back doors”, the UK Government has lost the argument. Despite having access to the best cryptographic expertise, it has not been able to propose a “safe back door” that stands up to scrutiny. Instead, we are now seeing legislative proposals which may not mention end-to-end encryption, but have the effect of banning it from the market.
The Online Safety Bill is expected to make service providers criminally liable for the acts of their users if law enforcement authorities are unable to get access to users’ encrypted data. To put this into perspective, it would be similar to making a supermarket liable for knife crimes committed with kitchen knives purchased from their stores. The effect would be that supermarkets would withdraw kitchen knives from sale rather than face the potential liability. If the same happens with encryption, people will be less safe as a result, not more.
“Through the Looking-Glass” on public safety
According to the Bill’s proponents, encryption will hide millions of reports of child abuse from law enforcement’s sight. Framing the encryption issue as one of child abuse, backed up by apparently huge numbers of instances, is not a reliable basis for a policy with such serious side effects. Governments and anti-encryption advocates, therefore, need to be more thorough and transparent about the claims they are making.
As a society, we have the right to the full picture of reported incidents. How many of those reports are unsubstantiated, duplicates, or simply wrong? What proportion are followed up with effective investigation and of those, how many result in prosecution or conviction? We have already seen law enforcement agencies make grossly exaggerated claims about encryption as an obstacle[1], while also admitting that the real obstacle is often simple technical capability[2], and nothing to do with encryption.
We should be asking why the policies cannot be backed up by reliable data. A policy based on figures that do not bear inspection is an unsafe policy, especially where its potential to do harm is so serious and far-reaching.
In a bizarre twist, technology companies are actually being accused of failing in a “duty of care” to users by providing them with secure services[3]. Too many current legislative proposals make technology the villain and expect a crackdown on technology to fix problems whose roots are societal, not technological. The problems of child abuse, terrorism, people trafficking, and drug smuggling existed before encryption and the Internet, and banning encryption technology is neither a necessary nor a sufficient solution to them.
The Online Safety Bill relies on scapegoating of technology to make up for the failure to take the long-term, systemic, structural steps that genuinely and sustainably counter societal problems like child safety[4]: that is neither safe nor rational. Too many current anti-encryption policies are based on the idea that the online threat to public safety is all about criminal use of encrypted messaging services. This leads to the dangerous conclusion that public safety is best protected by undermining encryption. However, encryption is about much more than confidential messaging. It protects the physical safety of individuals, families, and children, by securing their homes, vehicles, and connected objects. For decades, encryption has helped prevent financial fraud by securing financial transactions and online commerce. It is safe to say that it does far more to keep us safe than it does to help criminals[5].
Policymakers must already show that their legislative proposals are necessary and proportionate and that they are set out clearly enough to make their effects predictable. Proposals such as the Online Safety Bill fail on these counts, not least because they rely so heavily on subjective ideas of what is objectionable, or even “legal but harmful”. Nor will such policies achieve their stated goals of hampering criminals and protecting the public: criminals will simply find other sources of reliable encryption, including from states in which strong encryption is not legally undermined.
Technology stakeholders have a role to play in providing relevant advice and guidance about technical options, risk assessments, and governance requirements; civil society stakeholders have a similar role based on their expertise in societal, ethical, and rights-based considerations. Their advice has been clear and consistent: weakening the security of online services compromises the privacy and safety of law-abiding citizens, including the most vulnerable, putting them at risk of physical and financial harm from criminals, hostile governments, and other malicious actors. The onus is on policymakers to demonstrate that they can achieve what they claim while still keeping citizens safe: we must keep challenging them to make sure they do.