The Online Safety Act became law in Britain in 2023 and has seen security concerns minimized in favour of prioritizing child safety online. This decision has seen criticism from tech companies who have strongly argued in favour of privacy concerns around the future of end-to-end encryption. End-to-end encryption is a process by which messages sent from one device are encrypted and only decrypted when they arrive at their destination meaning that third parties are incapable of accessing the message. Despite fearmongering from some tech companies, end-to-end encryption is not being banned in Britain. However new expectations are being placed on companies to regulate end-to-end encryption which would defeat its privacy purpose.

Tension between governments and technology companies regarding privacy is not new. In 2016 a legal battle between the FBI and Apple made headlines after the FBI sought access to the iPhone of the perpetrator of a mass shooting which Apple rejected. Tech companies have increasingly focused on privacy. Apple have made privacy central to their brand, while for other services such as WhatsApp, privacy and the commitment to end-to-end encryption has been their entire selling point to consumers. The Online Safety Act is a continuation in the trend of states and companies coming into conflict over the state prioritising its responsibility to protect citizens over privacy, and tech companies prioritising and marketing its obligation to protect user privacy.

Governments have historically justified violating user privacy by focusing on counter terrorism, however the Online Safety Act has shifted the focus to addressing child exploitation. The Home Office guidance on end-to-end encryption and child safety sets out the government’s primary case for doing this. Currently 85% of all referrals for illegal activity come from Facebook and Instagram scanning their content. This yields a positive outcome of 800 individuals arrested and 1,200 children kept safe each month. Yet Meta, the parent company to Facebook and Instagram has committed to rolling out end-to-end encryption across its primary messaging platform before 2024 which would make this sort of scanning no longer possible for user-to-user messages.

Because of the new challenge to child safety this presents, the Online Safety Act seeks to place new requirements on companies. One of the most important is the new requirement to use accredited technology, or otherwise for companies to make their best effort to create their own technology that is capable of scanning content across all aspects of their platforms. This includes end-to-end encrypted messages. Ofcom, the newly assigned regulator for social media has been given the power to enforce this with a fine of £18 Million or 10% of Global turnover – whichever is the higher number. Yet this approach is flawed because it is neither feasible, nor is it ethical, and the severity of the fine decreases the likelihood of it being used except in extreme circumstances.

The Government claims that it seeks to protect end-to-end encryption, but the technology to scan end-to-end encrypted messages has been admitted to not exist. That leaves the second requirement for companies which use end-to-end encryption to seek to develop the technology. Yet forcing companies to try to develop the technology to scan end-to-end encrypted messages ignores experts who have suggested that it is not possible. This makes the policy flawed because it is unworkable and will not yield an achievable outcome. There are alternative methods to scanning messages which are more feasible. A client-side approach would see devices themselves scan messages on their screens. But the British government has been warned that this approach would be problematic because it could become similar to wiretapping messages and has the potential to be repurposed to scan in a limitless way for any content across any application.

The potential alternative uses for scanning private message demonstrate why privacy must take priority. In the same way that two people visiting a café to have a conversation over coffee would be upset to learn their private conversation was being bugged by a microphone under the table, so too should people take issue with private messages being scanned. It’s one thing to target individuals under suspicion, but enforcing companies to trawl through every message with technology is problematic in its potential to be abused. The notion of trust in private messaging begins to disappear with the potential for companies to continue to yield more and more data about individuals and their conversations considered to be in the private sphere.

The erosion of the private life by listening into the whole population, rather than targeting those under suspicion, can be compared to East Germany and the Stasi. The East German surveillance state extensively used informants who listened in and reported in on the private lives of millions. The creation and rollout of technology which can serve the same purpose of spying on everyone’s lives to find a few bad cases would go further than the Stasi ever could. People could never again have trust in using digital devices to communicate, which in an increasingly online world could have devastating effects.

Liberal democracies such as Britain should stand up for individual privacy by opposing, rather than trying to enforce, technology which spies on people. By not supporting individual privacy, it gives authoritarian states more tools and legitimacy to control their citizens. And of course, there is always the potential for tech companies themselves to abuse what they can learn through standardizing this technology. For this reason, the UK government’s move to enforce incredibly harsh fines and force technology companies to address the gap in surveillance related to end-to-end encrypted messages is a serious step in the wrong direction. Once our privacy has been violated to such a strong degree that even our private messages are being trawled, will there be any private spaces left online?

Related Blogs

• 

  Shamelessly trying to coin a new term: Filter Politics

• 

  Engaging with the other side: What are we meant to do about the violence attached to online hate groups?

• 

  Why we need to regulate Online Platforms and what states are missing

Disclaimer

The opinions expressed by our bloggers and those providing comments are personal, and may not necessarily reflect the opinions of Lancaster University. Responsibility for the accuracy of any of the information contained within blog posts belongs to the blogger.