ProtonBlog(new window)
Stop the Online Safety Bill

The Online Safety Act doesn’t protect encryption, but Ofcom can

Share this page

As we feared, the UK Parliament has passed the Online Safety Bill without making the necessary changes to safeguard privacy. 

The Online Safety Act, as it’s now called, includes a clause that gives the British government the power to access, collect, and read anyone’s private conversations any time they want. A worst-case surveillance scenario is now possible in the UK and has been left in the legal text despite the UK Government itself admitting that it’s “technically unfeasible” to break encryption while protecting privacy. 

Having received Royal Assent on October 26, it’s too late to fix the legislation. There’s only one question left: Will the government use its new power?

In the coming weeks and months, Ofcom, the regulator responsible for implementing the law, will draft and publish compliance guidelines in three phases. Now is the time for Ofcom to work with the technology industry on solutions that advance the important objectives of the law without entering the dangerous territory of mass surveillance and an internet without encryption.

However, this debate is not only limited to the UK. European lawmakers are working on their own proposal, commonly referred to as “Chat Control”. The European Commission’s current draft is even broader than the UK’s, compelling even more services to potentially break encryption. But there is growing support for encryption in the EU and we would encourage them to take note of the UK Government’s statement that breaking encryption while preserving privacy is not technically possible. 

The Online Safety Act and surveillance powers

From the outset, advocates of the Online Safety Act have been well-intentioned, pushing for strong measures to prevent the worst kinds of online abuses, including harms against children. We completely support this end but not the means.

The new law could be used to compel companies to monitor their users’ data for illegal material. But many companies, including Proton and the messaging app Signal, use end-to-end encryption, which is designed to prevent anyone but the user from accessing their data. This technology is a core component of the modern internet, enabling everything from online banking to investigative journalism. End-to-end encryption by definition means that no one, not even the companies whose services are in use, can see or access people’s data.

The Online Safety Act empowers Ofcom to order encrypted services to use “accredited technology” to look for and take down illegal content. Unfortunately, no such technology currently exists that also protects people’s privacy through encryption. Companies would therefore have to break their own encryption, destroying the security of their own services. 

The criminals would seek out alternative methods to share illegal materials, while the vast majority of law-abiding citizens would suffer the consequences of an internet without privacy and personal data vulnerable to hackers.

Signs of good news

To its credit, the UK government has admitted there isn’t technology that allows companies to scan certain messages without breaking all encryption. This admission is vitally important and should be kept front of mind by Ofcom during the implementation process.

Ofcom has also given encouraging signals. Nothing in its initial outline mentions encryption as part of its enforcement plan. On the contrary, Ofcom stated(new window): “We will need to strike an appropriate balance, intervening to protect users from harm where necessary, while ensuring that regulation appropriately protects privacy and freedom of expression, and promotes innovation.”

This is the path we would encourage at Proton. As we have said before(new window), undermining encryption would endanger not only UK citizens but also those living under authoritarian regimes that may copy the British playbook. London’s reputation as a European tech hub is also at stake, as the Online Safety Act sends a chilling message to companies considering investing in the UK.

What we can still do to protect privacy in the UK

Proton and others have worked hard to educate members of Parliament about the risks of the Online Safety Act. We remain ready to work with Ofcom to advance online safety while protecting end-to-end encryption. In the future, we will support legislation aimed at strengthening encryption in the UK – in the meantime, we will continue to call for safeguards wherever possible.

As for Proton, we have a clear mission: to make privacy accessible to all. We are reasonably confident that the Online Safety Act will not be applied to Proton thanks to the government admission and the exemption for email. While certain elements of our services do come within the scope of the law, the clause requiring content scanning will not be enforced until ‘feasible’ technology becomes available, if this is even possible.

As a Swiss company, Proton has no intention of undermining our community’s privacy and would not comply with any attempts to impose obligations to break encryption for UK users. Should there be broad enforcement attempts, Proton will support legal actions to block implementations of the law that violate citizens’ fundamental rights.

It’s essential that Ofcom heeds the warnings from across the tech community and commits to not undermining encryption with the powers granted to them. The future of the internet depends on it.

Protect your privacy with Proton
Create a free account

Share this page

Andy Yen(new window)

Andy is the founder and CEO of Proton. He is a long-time advocate for privacy rights and has spoken at TED, Web Summit, and the United Nations about online privacy issues. Previously, Andy was a research scientist at CERN and has a PhD in particle physics from Harvard University.

Related articles

Your passwords are some of your most sensitive personal information. They’re the keys that allow you to access your online accounts, be it your cloud storage, email inbox, or banking accounts. Proton Pass helps millions of people safeguard their pass
In recent months, we’ve brought a lot of big additions to the Proton ecosystem, such as Proton VPN for Business, Proton Sentinel, Password Sharing in Proton Pass, and Proton Drive photo backups in beta. By comparison, we haven’t said a lot about Prot
Most email addresses use the default domain provided by their email service. For Proton Mail accounts, it’s proton.me. For Gmail, it’s gmail.com. These are usually free and work just fine for most people. But there are situations where it makes sens
Proton Drive MacOS launch
Cloud storage is a critical piece of our mission to build an internet that protects your privacy and secures your data. It’s where you keep your most sensitive files, from personal photos to identity documents. Unfortunately, the leading cloud storag
How to password protect a folder
Putting a password on your folders is a great way to protect sensitive files while they’re on your system. It’s pretty easy to do regardless of your operating system, and this article will take you through each step. Note though, that password prote
What is encryption?
Encryption is a way to hide information so private data is kept that way. Without encryption, anybody could access your communications. In this article, we go over how it works and some of the different types of encryption there are. The short expla