LONDON—Public attention on the circumstances surrounding the deaths of Molly Russell and Olly Stephens has added pressure for the UK government to swiftly pass legislation to increase public safety on the Internet. But without amendments to protect end-to-end encryption, the Online Safety Bill currently under consideration would undermine UK users’ security and privacy protections, leaving them more vulnerable online, according to a new report from the Center for Data Innovation.
“The Online Safety Bill has noble goals but profound flaws. The Online Safety Bill incentivizes online services to undermine end-to-end encryption, jeopardizing Internet users’ privacy, security, and free expression in the process,” said Kir Nuthi, a senior policy analyst with the Center for Data Innovation, who authored the report. “There is currently no way for online services to provide end-to-end encryption and monitor the content of encrypted communications. If the Online Safety Bill passes as is, we can expect online services to either leave the UK or weaken the security protections users have come to expect. Either outcome would undermine UK Internet users’ overall online safety and stifle free expression.”
The current draft of the Online Safety Bill imposes a monitoring obligation for all user-to-user and search content providers to moderate illegal content on their platforms, as well as certain types of legal but harmful content. User-to-user services are exempt if their only user-created content comes in the form of emails, SMS messages, MMS messages, aural communication, reviews, or some combination of these types and if these services do not contain bill-regulated pornographic content, do not have a “significant number of United Kingdom users,” and do not consider the United Kingdom a “target market.” The report notes that popular user-to-user services like Signal and WhatsApp fall under the scope of the Online Safety Bill.
The UK isn’t alone in advancing legislative proposals that aim to increase user safety online by requiring online services to monitor encrypted communications at the expense of privacy and security. The report also analyzes an EU scanning proposal to prevent child abuse online and the US EARN IT Act, which is likely to be reintroduced in the new Congress next year. Both would impose monitoring obligations for online services that would amount to de facto prohibitions on end-to-end encryption, according to the Center.
“The European Union, the United Kingdom, and the United States significantly influence Internet policy around the world, so it does not bode well for the future of privacy, security, and free expression that proposals like these are advancing on both sides of the Atlantic,” said Nuthi. “If enacted, these content moderation proposals will create a new foundation for online content regulation globally that tips intermediary liability on its head for the worse. These proposals could even give cover to regimes in undemocratic nations that want to circumvent end-to-end encryption purportedly for national security purposes but at the expense of human rights and freedoms.”
The Center’s report recommends excluding encrypted services from monitoring obligations and instead pursuing alternative proposals to increase public safety on the Internet, including:
- Increase resources for national law enforcement agencies to find and prosecute criminal activity online.
- Improve reporting from and coordination with online services to better enable national law enforcement agencies to track, remove, and prosecute illegal activity in a timelier fashion.