Report

Shut the back door

Think tank: Adam Smith Institute

Author(s): John Macdonald

September 29, 2022

This report from UK think tank the Adam Smith Institute looks at protecting encryption from the Online Safety Bill.

End-to-end encryption is foundational to the proper functioning of our online experience; The Online Safety Bill would—in its current form—undermine end-to-end encryption by empowering Ofcom to demand service providers use ‘accredited technology’ to give them access to encrypted content in certain circumstances, under threat of large fines; The Bill also grants the Secretary of State sweeping discretionary powers to determine the scope of services included in such provisions; Undermining end-to-end encryption poses a grave threat to privacy, security and the wider UK economy; There is no sense in which encryption could be maintained while another party not participating in the information exchange has access to the contents; Creating an encryption ‘backdoor’ for law enforcement would effectively be a blackmailer’s charter, allowing criminals and hostile foreign actors to exploit security flaws; Such measures would undermine the growth and competitiveness of the UK technology sector, potentially resulting in large companies withdrawing from the market entirely; Weakening encryption undermines the credibility of the UK on the international stage, providing tacit justification for oppressive regimes like Russia and China to violate civil rights; Despite Government protestations to the contrary, the use of ‘client-side scanning’ would not address privacy concerns, as demonstrated in the school safety sector; The Government should redraft the Online Safety Bill to ensure end-to-end encryption is properly protected; Certain elements of the Bill should be removed entirely, including: Clause 104(2) which allows Ofcom to issue a notice requiring service providers to use ‘accredited technology’ to identify and ‘deal with’ content deemed harmful; Clause 92(4) which makes it an offence for the provider to give ‘information which is encrypted such that it is not possible for Ofcom to understand it, or produces a document which is encrypted such that it is not possible for Ofcom to understand the information it contains’; Schedule 12 which further stipulates that failure to comply can lead to fines of up to £18 million or 10% of global revenue; The Government should also undertake a review of client-side scanning technologies, to better understand the tradeoffs between privacy and security that their implementation brings.