As published on Conservative Home
Encryption is the most powerful tool we have to protect everyone’s personal data from criminals and hackers.
This is why encryption is the industry standard used when we carry out activities such as online banking or online shopping; it’s the layer of security used by many private messaging services to protect our conversations with friends and family; it’s used by the Government as best practice to ensure the secure delivery of online public services.
However the Online Safety Bill, before Parliament today, seeks to undermine encryption, weakening online security for the entire digital economy, because of a misguided belief that you need to choose between privacy and safety. You do not.
The most recent set of Government amendments demonstrate a worryingly cavalier attitude to online security.
For example, they propose companies must find ways to stop anyone encountering some forms of harmful content in private messaging – the only obvious way for a company to do that is to take preventative action and pre-scan all of our text messages.
I have tabled amendments to the Bill to remove this power. They are due to be debated later today. If the powers are not removed, it creates a huge invasion of our privacy and is bad for everyone.
For encrypted services such as Signal and WhatsApp it would represent a fundamental break in their business model; they will have to abandon current levels of user privacy and either remove or significantly weaken the encryption which currently protects our messages.
Not only is this a threat to encryption and data security in the UK, but we will be following a path toward forcing companies into proactive monitoring of all our online activity. This is a clear divergence from the established principle, which has allowed the internet to flourish, that intermediaries like platforms are not to generally monitor content.
By tabling these provisions the Government risks putting the UK at odds with much of the rest of the world, and mirroring similarly problematic scanning proposals coming out of the European Commission.
The UK must take a better approach than the Europeans or we risk both making the British digital economy profoundly unattractive for digital businesses both large and small and problematic for individuals, putting Brits online at risk of higher exposure to online harms such as fraud and hackers.
Another of the Government’s amendments would see Ofcom force companies to adopt “accredited technology” to scan all of our messages. While the amendments do not give OFCOM the express power to break encryption, most of the current accredited technologies put forward by the Home Office Challenge Fund are considered by many cyber security experts to be incompatible with encryption.
The intended impact of the Online Safety Bill are therefore very clear. These proposals are a shadowy attempt to weaken encryption and encourage mass surveillance of private messaging, under the guise that this is about online safety.
The two fundamental flaws in the way the Government is approaching this issue is to firstly fail to recognise that encryption does not mean less safety (it means more), and secondly that privacy and cybersecurity go hand in hand.
Good cybersecurity is essential to protect consumers, businesses, and our national security. And yet, the legislation will make it easier for these kinds of attacks to take place, by restricting the best technology we have in response to cyber threats.
The Government’s approach also entirely overlooks all the safety features which are possible, even in an encrypted messaging service.
When I’ve written about the Online Safety Bill before, I’ve raised the alarm over the Bill’s misguided aims sleepwalking the UK into widespread censorship, undermining the freedom of speech that is so vital to our society and democracy.
Much of this has been corrected in revising the ‘legal but harmful’ measures. However the encryption issues are still problematic.
Encryption protects our data but also our most fundamental of rights in a liberal democracy: the right to have a private conversation, without fear of the state listening in.
We all want to see the Government crack down on heinous crimes like child abuse, but there are better ways to achieve this that avoid surveilling everyone’s private messages, such as encouraging companies to develop safety features which are compatible with encryption – as many already do.
Weakening encryption for the purposes of detecting crimes would make everyone less safe, not more.
For these reasons, and many more, this is a risk we cannot afford to take. The Government needs to rethink its approach to the Bill, starting with a clear commitment to protect encryption and accepting my amendments to the Online Safety Bill later today.
Parliament has already called for more clarity on this point so that companies can be confident compliance with this law will not mean weakening encryption and lowering safety and security for their users. Only then can the bill truly protect security, privacy, and freedom of speech.