Thursday, July 06, 2023

Lib Dems on the Online Safety Bill

 I have had a response from my MP, Layla Moran of the Liberal Democrats to my email expressing concerns about the Online Safety Bill. She says:

Dear Ray,

Thank you for contacting me about the Online Safety Bill – I absolutely share your concerns. Regulation of online services must respect the rights to privacy and free expression of those who use it legally and responsibly.

Jamie Stone, Liberal Democrat DCMS spokesperson tabled an amendment to the Online Safety Bill when it was in the House of Commons. New Clause 38 sought to ensure that nothing in the Act shall prevent providers of user-to-user services protecting their users’ privacy through end-to-end encryption.

During the debate Jamie Stone said:

“My second amendment is on end-to-end encryption. I do not want anything in this Bill to prevent providers of online services from protecting their users’ privacy through end-to-end encryption. It does provide protection to individuals and if it is circumvented or broken criminals and hostile foreign states can breach security. Privacy means security”.

You can read the whole debate here.

It is good that the Government is recognising the dangers that exist online and the inadequacy of current protections. However, regulation and enforcement must be based on clear evidence of well-defined harm and must respect the rights to privacy and free expression of those who use social media legally and responsibly.

Encryption provides protection to individuals and if it is circumvented or broken, criminals and hostile foreign states can also breach security.

This view is backed by the Information Commissioner’s Office. Stephen Bonner, the ICO’s executive director for innovation and technology said end-to-end encryption helped keep children safe online by not allowing "criminals and abusers to send them harmful content or access their pictures or location".

The ICO argues that end-to-end encryption serves an important role in safeguarding privacy and online safety. (A Framework for Analysing End to End Encryption in an Online Safety Context (ico.org.uk))

When it comes to encryption, for the vast majority of users – privacy means security. Liberal Democrats will oppose any attempts to systematically undermine encryption.

Thanks again for writing to me about this incredibly important issue.
 

Best wishes,
Layla

Layla Moran
Liberal Democrat Member of Parliament for Oxford West & Abingdon

Wednesday, July 05, 2023

Note to Baroness Benjamin on the spy clause in the Online Safety Bill

Through the Open Rights Group, I have emailed a member of the House of Lords, Baroness Benjamin, about the spy clause in the proposed Online Safety Bill. And typically I have just now spotted two typos in the first line...

I am writing to you as ta (sic) member of the House of Lords to express my concern that clause 111 (sic - should have read clause 110 🤦) - the spy clause - of the Online Safety Bill introduces scanning of our private messages. It gives Ofcom the power to ask private companies to scan everyone’s private messages on behalf of the government. It is state-mandated mass private surveillance.

This is an outrageous violation of the privacy and security of UK residents, that puts everyone's personal images and messages at risk.

Providers of messaging services such as WhatsApp and Signal have said they will pull out of the UK rather than break the security of their products.

68 independent information security and cryptography researchers have written an open letter condemning the proposal which I would urge you to read at:

https://haddadi.github.io/UKOSBOpenletter.pdf

In short, they are "alarmed by the proposal to technologically enable the routine monitoring of personal, business and civil society online communications".

On the breaking or undermining of cryptographic protections, they emphasise: "There is no technological solution to the contradiction inherent in both keeping information confidential from third parties and sharing that same information with third parties." In other words, there is no way of building a backdoor into encryption that only the good guys have access to.

On the circumvention of cryptography via so-called 'client-side scanning', "This would amount to placing a mandatory, always-on automatic wiretap in every device... research has shown that client-side scanning does not robustly achieve its primary objective, i.e. detect known prohibited content... sufficiently reliable solutions for detecting CSEA content do not exist. This lack of reliability here can have grave consequences as a false positive hit means potentially sharing private,

intimate or sensitive messages or images with third parties".

I have worked as a technology academic at the Open University for 28 years. I have watched, written and taught about the growth and entrenchment of mass surveillance as the core business model of the internet; and states' co-opting of the internet's infrastructure of mass surveillance and the economic actors involved in its construction and operation, in pursuit of counter-terrorism, security and other legitimate aims.

In the wake of the Edward Snowden revelations, in 2013, of unlawful UK and US government mass surveillance programmes, a partial response, in addition to a collection of successful legal challenges going to the Court of Justice of the European Union and the European Court of Human Rights, has been the deployment of secure end to end encryption in messaging apps such as Signal and WhatsApp. 

The spy clause represents a direct threat to the privacy and security facilitated by such apps. As the security researchers say in their open letter: "we build technologies that keep people safe online. It is in this capacity that we see the need to stress that the safety provided by these essential technologies is now under threat in the Online Safety Bill."

Child sexual exploitation and abuse (CSEA) is an appalling crime. Governments, commerce and wider society have an obligation to pursue effective means to prevent and respond to it. The Online Safety Bill spy clause is not an effective approach. It assumes the availability of efficacious scanning technologies which do not currently exist. Those that do and are foreseeable are deeply, deeply flawed. There is no magic technological solution here.

So not only will the Online Safety Bill undermine the safety, security and privacy of everyone, including children, it will simply not work to address the blight on our society that is child sexual exploitation and abuse.

I should have included a request asking the baroness to support Lord Clement Jones' proposed amendments to Clause 110 of the Bill. 

 

 

 

And his proposed amendments to clause 112 "intended to introduce safeguards around the issuance of Technology Notices by ensuring privacy is considered before a notice is given, and strengthening the review and appeals process".