“As independent information security and cryptography researchers, we build technologies that keep people safe online. It is in this capacity that we see the need to stress that the safety provided by these essential technologies is now under threat in the Online Safety Bill.”
That’s the conclusion of an open letter signed by 68 of the UK’s leading researchers into security and privacy issues. The intervention comes as the Bill is discussed in the House of Lords, the UK’s second chamber of government, before returning to the House of Commons.
The focus of concern is the threat to end-to-end encryption and other technologies that are commonly used to keep digital communications safe. Clause 111 in the current version of the Bill states service providers will be required to “use accredited technology to identify child sexual exploitation or abuse (CSEA) content, whether communicated publicly or privately”.
“Such monitoring is categorically incompatible with maintaining today’s online communication protocols.”Open letter from UK academics
The open letter says that while the signatories “cannot speak to the relative merit of this step in preventing harm to children in our professional capacities” they can say with certainty that “such monitoring is categorically incompatible with maintaining today’s (and internationally adopted) online communication protocols that offer privacy guarantees similar to face-to-face conversations”.
And they add: “Attempts to sidestep this contradiction are doomed to fail on the technological and likely societal level”.
The letter addresses possible ways information could be accessed and concludes: “There is no technological solution to the contradiction inherent in both keeping information confidential from third parties and sharing that same information with third parties.”
It goes on: “Giving the State the technological means to access every private message and image implies that any actor with access to the relevant monitoring facilities the same access” and states “the history of ‘no one but us’ cryptographic solutions is a history of failures”.
Concerns beyond cryptography
Concerns are not only centered on cryptography, but also on client-side scanning, which the experts say comes in two variants.
The first is to “detect known images of abuse held in a database maintained by an authority”. The signatories reference research showing that client-side scanning “does not robustly achieve its primary objective”, and also raise concerns that the algorithms deployed “can be repurposed to add hidden secondary capabilities”.
The second approach would be to “mass-deploy AI models to scan messages for previously unseen but prohibited content”. The concern here is a that a false positive could lead to private material being shared with anyone who has access to the monitoring infrastructure, something that “may in itself constitute exploitation and abuse of those whose messages are being disclosed”.
Bill may compromise solutions
UK residents could also be put in a vulnerable position if, as a result of the Online Safety Bill passing in its current form, some comms providers pull out of the UK market in order to protect the security and privacy of their customers. “This,” the experts say, “would leave UK residents in a vulnerable situation, having to adopt compromised and weak solutions for online interactions”.
The letter echoes objections raised by the Electronic Frontier Foundation, which says the Bill in its present state will lead to “universal scanning of all user content, all the time” and that it suffers from “the incorrect belief that a backdoor or other workaround to read encrypted messages can be designed for use only in benevolent ways”.