
Privacy Advocates Celebrate Death of UK Online Safety Bill Clause as Government Admits Encrypted Messaging Can’t Be Scanned Without Breaking It

The most controversial portion of the United Kingdom’s Online Safety Bill appears to be dead in the water, as Ofcom has publicly admitted that the technology to create backdoors into encrypted messaging without breaking it does not exist and that the “spy clause” will not be enforced when the bill becomes law.

The Online Safety Bill remains otherwise intact, however, and the ministers involved with the issue appear not to have given up on the idea entirely. Minister Paul Scully said that companies will be directed to make their best efforts to develop technology to comply with the bill’s requirements for the monitoring and removal of child sexual abuse material from encrypted messaging platforms. The bill has not yet become law but is widely expected to do so before 2023 is out, with enforcement going into effect in mid-2024.

Most unpopular clause of Online Safety Bill remains intact, but ineffective

First drafted in early 2021, the Online Safety Bill is a wide-ranging piece of legislation meant to regulate a variety of types of internet content as well as cybercrimes. The “spy clause” has been by far the most contentious portion of the bill. In the name of removing child pornography from the internet, the bill mandates that tech platforms be able to proactively scan user messages and activity for signs of child sexual abuse material being uploaded and traded. This creates an obvious issue for platforms with encrypted messaging, which cannot effectively look into user communications without installing some sort of backdoor and thus defeating the core purpose of the service.

Several services, such as WhatsApp and Signal, threatened to pull their business entirely from the UK if the bill was passed. Other titans of the tech industry, such as Apple, did not go that far but did register formal opposition and encourage the UK government to rethink its terms. One way or another, the message seemed to get through in the final hour. The UK has made development of its tech sector into a “superpower” a core economic goal for this decade, and it appears to have dawned on ministers that the “spy clause” would be extremely damaging to those plans.

Though the UK government seems to be reserving the right to take the issue back up at a future date, privacy advocates see the development as a major victory. The only viable option for complying with the Online Safety Bill’s terms would have been a client-side scanning method, requiring end users to essentially install spyware on their computers and devices as a term of using these platforms.

The government said that this would only be used for extreme cases and with prior court approval, but privacy advocates insist that the mere presence of such a backdoor route to encrypted messages would be far too tempting and would inevitably lead to “scope creep.” There is also the security element; if hackers could hit upon access to the scanning system, they would have a frightening level of access to user communications.

Though the language remains in the Online Safety Bill at present, the government appears to be indefinitely suspending any plans to force client-side scanning on tech firms, at least until some “proven” technology emerges that is capable of doing what it envisions.

Encrypted messaging safe for the foreseeable future

Privacy advocacy groups, such as the EFF, caution that the “spy clause” is only truly defeated if the relevant language is removed from the Online Safety Bill or the bill somehow fails to pass. But, at least for the near future, encrypted messaging appears to be safe. The government has retreated from the issue until it is “technically feasible,” but there is simply no way to add a backdoor to encryption without crippling it and driving off its userbase.

The final form of the Online Safety Bill is still up in the air. It could be amended before passage, but after passage Ofcom would be tasked with writing the actual regulations that pertain to the clause. These are both opportunities to make clear that there is presently no technological solution that makes client-side scanning possible while also respecting user privacy and security. If the language remains the same, the issue may once again rear its head in the encrypted messaging world.

Apple, now officially an opponent of the clause, had its own brush with client-side scanning (and public reception to the idea) in 2021. After proposing to implement it for all photos that are uploaded to iCloud, the company not only backed down but eventually chose to expand its encryption beyond messaging to secure backups, photos, chat histories and other items stored on its platform.