Apple Store on street showing opposition to UK online safety bill on encrypted messaging

Apple Joins Formal Opposition to UK Online Safety Bill; Encrypted Messaging a “Critical Capability” for Privacy Protection

Apple has joined a collection of about 80 organizations and industry experts that have submitted statements criticizing the proposed UK Online Safety Bill, which would essentially put an end to truly secure encrypted messaging by mandating the ability of platforms to view communications upon government demand.

Apple issued a statement referring to encrypted messaging as being critical to privacy and online safety, particularly for groups that could be targeted by repressive governments. The position is part of an ongoing about-face for Apple, which had independently proposed adding a very similar capability to iPhones (also under the justification of scanning for child sexual abuse material) in 2021 before public backlash prompted it to change plans.

Encrypted messaging backdoor requirement working its way through parliament

The UK government has been pushing the divisive and unpopular Online Safety Bill as being vital to the protection of children. If passed, the bill would empower telecoms regulator The Office of Communications (Ofcom) to direct encrypted messaging platforms to scan the private messages of persons under investigation, subjecting those that do not comply to fines of up to 10% of their annual turnover.

The government claims that this is no threat to regular encrypted messaging, and that Ofcom would only make these requests in cases of “last resort” and with “stringent privacy safeguards.” But the only viable technical implementation would be a client-side scanning method, forced onto every phone and device along with installation of any of these apps. Users would then never be certain if someone at the company was intercepting their private messages, and it would also create a juicy potential security vulnerability for hackers to try to exploit.

Apple proposed just such a client-side scanning program on their own less than two years ago, in August 2021, though it had a more limited scope. Apple wanted to scan all photos uploaded to iCloud for markers of child sexual abuse. After several weeks of heavy criticism of the idea, Apple announced it was on indefinite pause, before formally rescinding it in December 2022. Apple’s new program to take on abusive material of this nature is the “Communication Safety” features, which it also launched in December. These controls are available in family iCloud accounts and will warn users if child abuse materials are detected on the local devices or searched for by someone using them. The system can also detect if minors are sending or receiving images that contain nudity.

The Communication Safety functions were accompanied by Apple doubling down on its end-to-end encrypted messaging offerings, announcing that messages and photos stored in the cloud would soon also be protected in this way. The lack of ability to encrypt iCloud materials stored online has long been a favored backdoor for law enforcement agencies to get at the encrypted messages of investigation subjects; as numerous hacks of celebrity phones have revealed over the years, many casual phone users are not aware that sensitive material they upload to iCloud is not particularly safe in this way.

Some critics believe that the invocation of danger to children to promote the UK Online Safety Bill is being used as an emotional battering ram, as it has many times before, to reduce inconvenient freedoms and make the jobs of both law enforcement and espionage easier in all facets.

Apple used strong language in its statement, but did not commit to pulling any of its business from the UK or refusing to obey the new law should the Online Safety Bill pass (as encrypted messaging apps Signal and Whataspp have). A somewhat similar situation has developed recently in India, with the government there outlawing any VPN service that does not allow for inspection of traffic upon demand; the response thus far by the major players in the market has been to simply pull their operations from the country entirely, and offer those customers a VPN based in another country with an Indian IP address assigned to it.

UK Online Safety Bill close to passing, but likely to be further amended first

The Online Safety Bill has been approved by the House of Commons and is expected to soon be approved in the House of Lords, but would be subject to a return to the House of Commons to approve any amendments before passing. Observers do expect that there will be further amendments before this process is complete, though it will likely pass sometime this year in some form.

The fate of encrypted messaging is one of the primary items expected to be addressed by amendment proposals, though the fate of the client-side scanning mandate is still up in the air. The Open Rights Group, an opponent of the Online Safety Bill as it is presently constructed, suggests that it could be fixed to preserve the privacy and security of encrypted messaging by excepting private messaging apps, those with end-to-end encryption on by default, in the bill’s language.

Critics also note that online child abuse rings are regularly broken up with standard police investigative work that doesn’t involve penetrating encrypted messaging apps, even when they are based on the dark web and use additional security layers such as Tor and cryptocurrency payments. Apple’s statement also noted that human rights activists, journalists and whistleblowers are extremely reliant on known safe end-to-end encrypted communications.

Ryan Lasmaili, CEO and co-founder of Vaultree, points out that the bill lacks critical balance and is likely to ire the public when awareness of it spreads: “As the Online Safety Bill progresses, it is crucial to recognize the vital role of encryption in protecting against surveillance, identity theft, fraud, and data breaches. As the Online Safety Bill navigates its path towards becoming law, we urge policymakers to consider the long-term implications of compromising encryption. It is crucial to strike a balance that upholds online safety while respecting the privacy and security needs of individuals and businesses. Together, we can build a future where data remains encrypted, privacy is preserved, and innovation thrives.”