The Online Safety Act doesn’t protect encryption, but Ofcom can

As we feared, the UK Parliament has passed the Online Safety Bill without making the necessary changes to safeguard privacy. 

The Online Safety Act, as it’s now called, includes a clause that gives the British government the power to access, collect, and read anyone’s private conversations any time they want. A worst-case surveillance scenario is now possible in the UK and has been left in the legal text despite the UK Government itself admitting that it’s “technically unfeasible” to break encryption while protecting privacy. 

The Act received Royal Assent on October 26, so it’s too late to fix the legislation. There’s only one question left: Will the government use its new power?

In the coming weeks and months, Ofcom, the regulator responsible for implementing the law, will draft and publish compliance guidelines in three phases. Now is the time for Ofcom to work with the technology industry on solutions that advance the important objectives of the law without entering the dangerous territory of mass surveillance and an internet without encryption.

However, this debate is not limited to the UK. European lawmakers are working on their own proposal, commonly referred to as “Chat Control”. The European Commission’s current draft is even broader than the UK’s, compelling even more services to potentially break encryption. But there is growing support for encryption in the EU, and we would encourage EU lawmakers to take note of the UK Government’s statement that breaking encryption while preserving privacy is not technically possible.

The Online Safety Act and surveillance powers

From the outset, advocates of the Online Safety Act have been well-intentioned, pushing for strong measures to prevent the worst kinds of online abuses, including harms against children. We completely support this end but not the means.

The new law could be used to compel companies to monitor their users’ data for illegal material. But many companies, including Proton and the messaging app Signal, use end-to-end encryption, which is designed to prevent anyone but the user from accessing their data. This technology is a core component of the modern internet, enabling everything from online banking to investigative journalism. End-to-end encryption by definition means that no one, not even the companies whose services are in use, can see or access people’s data.

The Online Safety Act empowers Ofcom to order encrypted services to use “accredited technology” to look for and take down illegal content. Unfortunately, no such technology currently exists that also protects people’s privacy through encryption. Companies would therefore have to break their own encryption, destroying the security of their own services. 

The criminals would seek out alternative methods to share illegal materials, while the vast majority of law-abiding citizens would suffer the consequences of an internet without privacy and personal data vulnerable to hackers.

Signs of good news

To its credit, the UK government has admitted there isn’t technology that allows companies to scan certain messages without breaking all encryption. This admission is vitally important and should be kept front of mind by Ofcom during the implementation process.

Ofcom has also given encouraging signals. Nothing in its initial outline mentions encryption as part of its enforcement plan. On the contrary, Ofcom stated: “We will need to strike an appropriate balance, intervening to protect users from harm where necessary, while ensuring that regulation appropriately protects privacy and freedom of expression, and promotes innovation.”

This is the path we would encourage at Proton. As we have said before, undermining encryption would endanger not only UK citizens but also those living under authoritarian regimes that may copy the British playbook. London’s reputation as a European tech hub is also at stake, as the Online Safety Act sends a chilling message to companies considering investing in the UK.

What we can still do to protect privacy in the UK

Proton and others have worked hard to educate members of Parliament about the risks of the Online Safety Act. We remain ready to work with Ofcom to advance online safety while protecting end-to-end encryption. In the future, we will support legislation aimed at strengthening encryption in the UK – in the meantime, we will continue to call for safeguards wherever possible.

As for Proton, we have a clear mission: to make privacy accessible to all. We are reasonably confident that the Online Safety Act will not be applied to Proton thanks to the government’s admission and the exemption for email. While certain elements of our services do come within the scope of the law, the clause requiring content scanning will not be enforced until ‘feasible’ technology becomes available, if this is even possible.

As a Swiss company, Proton has no intention of undermining our community’s privacy and would not comply with any attempts to impose obligations to break encryption for UK users. Should there be broad enforcement attempts, Proton will support legal actions to block implementations of the law that violate citizens’ fundamental rights.

It’s essential that Ofcom heeds the warnings from across the tech community and commits to not undermining encryption with the powers granted to them. The future of the internet depends on it.
