As we feared, the UK Parliament has passed the Online Safety Bill without making the necessary changes to safeguard privacy.
The Online Safety Act, as it’s now called, includes a clause that gives the British government the power to access, collect, and read anyone’s private conversations any time they want. A worst-case surveillance scenario is now possible in the UK and has been left in the legal text despite the UK Government itself admitting that it’s “technically unfeasible” to break encryption while protecting privacy.
Having received Royal Assent on October 26, it’s too late to fix the legislation. There’s only one question left: Will the government use its new power?
In the coming weeks and months, Ofcom, the regulator responsible for implementing the law, will draft and publish compliance guidelines in three phases. Now is the time for Ofcom to work with the technology industry on solutions that advance the important objectives of the law without entering the dangerous territory of mass surveillance and an internet without encryption.
However, this debate is not only limited to the UK. European lawmakers are working on their own proposal, commonly referred to as “Chat Control”. The European Commission’s current draft is even broader than the UK’s, compelling even more services to potentially break encryption. But there is growing support for encryption in the EU and we would encourage them to take note of the UK Government’s statement that breaking encryption while preserving privacy is not technically possible.
The Online Safety Act and surveillance powers
From the outset, advocates of the Online Safety Act have been well-intentioned, pushing for strong measures to prevent the worst kinds of online abuses, including harms against children. We completely support this end but not the means.
The new law could be used to compel companies to monitor their users’ data for illegal material. But many companies, including Proton and the messaging app Signal, use end-to-end encryption, which is designed to prevent anyone but the user from accessing their data. This technology is a core component of the modern internet, enabling everything from online banking to investigative journalism. End-to-end encryption by definition means that no one, not even the companies whose services are in use, can see or access people’s data.
The Online Safety Act empowers Ofcom to order encrypted services to use “accredited technology” to look for and take down illegal content. Unfortunately, no such technology currently exists that also protects people’s privacy through encryption. Companies would therefore have to break their own encryption, destroying the security of their own services.
The criminals would seek out alternative methods to share illegal materials, while the vast majority of law-abiding citizens would suffer the consequences of an internet without privacy and personal data vulnerable to hackers.
Signs of good news
To its credit, the UK government has admitted there isn’t technology that allows companies to scan certain messages without breaking all encryption. This admission is vitally important and should be kept front of mind by Ofcom during the implementation process.
Ofcom has also given encouraging signals. Nothing in its initial outline mentions encryption as part of its enforcement plan. On the contrary, Ofcom stated(new window): “We will need to strike an appropriate balance, intervening to protect users from harm where necessary, while ensuring that regulation appropriately protects privacy and freedom of expression, and promotes innovation.”
This is the path we would encourage at Proton. As we have said before(new window), undermining encryption would endanger not only UK citizens but also those living under authoritarian regimes that may copy the British playbook. London’s reputation as a European tech hub is also at stake, as the Online Safety Act sends a chilling message to companies considering investing in the UK.
What we can still do to protect privacy in the UK
Proton and others have worked hard to educate members of Parliament about the risks of the Online Safety Act. We remain ready to work with Ofcom to advance online safety while protecting end-to-end encryption. In the future, we will support legislation aimed at strengthening encryption in the UK – in the meantime, we will continue to call for safeguards wherever possible.
As for Proton, we have a clear mission: to make privacy accessible to all. We are reasonably confident that the Online Safety Act will not be applied to Proton thanks to the government admission and the exemption for email. While certain elements of our services do come within the scope of the law, the clause requiring content scanning will not be enforced until ‘feasible’ technology becomes available, if this is even possible.
As a Swiss company, Proton has no intention of undermining our community’s privacy and would not comply with any attempts to impose obligations to break encryption for UK users. Should there be broad enforcement attempts, Proton will support legal actions to block implementations of the law that violate citizens’ fundamental rights.
It’s essential that Ofcom heeds the warnings from across the tech community and commits to not undermining encryption with the powers granted to them. The future of the internet depends on it.