Wednesday, July 05, 2023

Note to Baroness Benjamin on the spy clause in the Online Safety Bill

Through the Open Rights Group, I have emailed a member of the House of Lords, Baroness Benjamin, about the spy clause in the proposed Online Safety Bill. And typically I have just now spotted two typos in the first line...

I am writing to you as ta (sic) member of the House of Lords to express my concern that clause 111 (sic - should have read clause 110 🤦) - the spy clause - of the Online Safety Bill introduces scanning of our private messages. It gives Ofcom the power to ask private companies to scan everyone’s private messages on behalf of the government. It is state-mandated mass private surveillance.

This is an outrageous violation of the privacy and security of UK residents, that puts everyone's personal images and messages at risk.

Providers of messaging services such as WhatsApp and Signal have said they will pull out of the UK rather than break the security of their products.

68 independent information security and cryptography researchers have written an open letter condemning the proposal which I would urge you to read at:

https://haddadi.github.io/UKOSBOpenletter.pdf

In short, they are "alarmed by the proposal to technologically enable the routine monitoring of personal, business and civil society online communications".

On the breaking or undermining of cryptographic protections, they emphasise: "There is no technological solution to the contradiction inherent in both keeping information confidential from third parties and sharing that same information with third parties." In other words, there is no way of building a backdoor into encryption that only the good guys have access to.

On the circumvention of cryptography via so-called 'client-side scanning', "This would amount to placing a mandatory, always-on automatic wiretap in every device... research has shown that client-side scanning does not robustly achieve its primary objective, i.e. detect known prohibited content... sufficiently reliable solutions for detecting CSEA content do not exist. This lack of reliability here can have grave consequences as a false positive hit means potentially sharing private, intimate or sensitive messages or images with third parties".

I have worked as a technology academic at the Open University for 28 years. I have watched, written and taught about the growth and entrenchment of mass surveillance as the core business model of the internet; and states' co-opting of the internet's infrastructure of mass surveillance and the economic actors involved in its construction and operation, in pursuit of counter-terrorism, security and other legitimate aims.

In the wake of the Edward Snowden revelations, in 2013, of unlawful UK and US government mass surveillance programmes, a partial response, in addition to a collection of successful legal challenges going to the Court of Justice of the European Union and the European Court of Human Rights, has been the deployment of secure end-to-end encryption in messaging apps such as Signal and WhatsApp.

The spy clause represents a direct threat to the privacy and security facilitated by such apps. As the security researchers say in their open letter: "we build technologies that keep people safe online. It is in this capacity that we see the need to stress that the safety provided by these essential technologies is now under threat in the Online Safety Bill."

Child sexual exploitation and abuse (CSEA) is an appalling crime. Governments, commerce and wider society have an obligation to pursue effective means to prevent and respond to it. The Online Safety Bill spy clause is not an effective approach. It assumes the availability of efficacious scanning technologies which do not currently exist. Those that do and are foreseeable are deeply, deeply flawed. There is no magic technological solution here.

So not only will the Online Safety Bill undermine the safety, security and privacy of everyone, including children, it will simply not work to address the blight on our society that is child sexual exploitation and abuse.

I should have included a request asking the baroness to support Lord Clement Jones' proposed amendments to Clause 110 of the Bill.

And his proposed amendments to clause 112 "intended to introduce safeguards around the issuance of Technology Notices by ensuring privacy is considered before a notice is given, and strengthening the review and appeals process".
