Online Safety Bill loophole opens door to unprecedented investigatory powers

A new report from Index on Censorship raises the alarm proposed legislation that could lead to unprecedented and chilling surveillance of British citizens under the Investigatory Powers Act.

Clause 122 of the Online Safety Bill provides Ofcom the means to break encrypted messaging services through ‘technology notices’ served without legal oversight. Once ‘Accredited Technology’ is used to break encryption, the Home Office has the power to use “bulk surveillance warrants” under the Investigatory Powers Act: providing access to encrypted private messages en masse for the first time.

Without urgent clarification in Parliament, there is a risk that security services such as MI5 can compel technology companies who operate encrypted messaging services to interfere with user communications or acquire masses of data in secret. There is no clarity to date on whether Ofcom would be notified under such circumstances nor whether Ofcom themselves could be subjected to a bulk surveillance warrant as a result of the data insights they gain in their role as an independent regulator.

The long-standing campaign against the use of encryption technology has now seemingly culminated in a two-pronged legislative attack against British rights to privacy and freedom of expression. This report outlines the (1) meaning of new enforcement powers under the Online Safety Bill, (2) the Surveillance Gateway that is being opened, (3) proposed reforms to the Investigatory Powers Act and (4) the key questions that Parliament urgently needs answers on.

On Monday, 11 September 2023, the House of Commons will review the Online Safety Bill for the first time in nine months in which they will decide whether they accept the Government’s amendments to introduce mass surveillance on British people and to sign off on a massive curtailment of journalistic freedoms.

Download the report here or read it below.

A new chance to protect freedom of expression online

“Unintended consequences”, “ideologically incoherent”, “won’t change culture or make us safer”.

I have written all these words and many more about the British Government’s Online Safety Bill.  Index on Censorship has spent the last eighteen months campaigning against the worst excesses of the Online Safety Bill and how it would undermine freedom of expression online.

Our lines have been clear:

1. What is legal to say offline should be legal online.

2. End to end encryption should not be undermined.

3. Online anonymity needs to be protected.

The current proposals that were progressing through the British Parliament undermined each of these principles and were going to set a new standard of speech online which would have led to speech codes, heavily censored platforms, no secure online messaging and a threat to online anonymity which would have undermined dissidents living in repressive regimes.

So honestly, I am relieved that the government has, at almost the last minute, paused the legislation.

I am not opposed to regulation, I do not for a second believe that the internet is a nice place to spend time and nor would I advocate that there shouldn’t be many more protections for children and those who are vulnerable online.  We do need regulation to limit children’s exposure to illegal and inappropriate content but we need to do it in such a way that protects all of our rights.

This legislation, in its current iteration, failed to do that, it was a disaster for freedom of expression online.  The proposed “Legal but Harmful’ category of speech would have led to over deletion by online platforms on a scale never seen before.  Algorithms aren’t people and frankly they will struggle to identify nuance, context or satire or even regional colloquialisms.  With fines and the threat of prison sentences, platforms will obviously err on the side of caution and the unintended consequence would be mass deletion.

So today, we welcome the fact that the legislation has been paused and we call on the new prime minister and the next secretary of state to think again in the autumn about what we are actually trying to achieve when we regulate online platforms.  Because honestly, we won’t be able to make the internet nicer by waving a magic wand and removing everything unpleasant – we need to be more imaginative in our approach and consider the wider cultural and educational impact.

So, as I have said in the media overnight, this is a fundamentally broken bill – the next prime minister needs a total rethink.  It would give tech executives like Nick Clegg and Mark Zuckerberg massive amounts of control over what we all can say online, would make the UK the first democracy in the world to break encrypted messaging apps, and it would make people who have experienced abuse online less safe by forcing platforms to delete vital evidence.

Let’s start again.

In trying to protect us online, legislators risk silencing us

I regularly start my weekly blog with the exclamation “there is just too much news!” Too much horror and heartbreak and this week the assertion is all too true.

Russia has invaded a sovereign country and daily we are seeing evidence of war crimes on the continent of Europe; China is arresting yet more democracy activists on the flimsiest of excuses; there have been bombings targeting schools in Afghanistan; a neo-fascist is, yet again, in the final run-off in the French Presidential elections; there are riots in Sweden against the far-right with dozens hurt; people are starving in Shanghai under Covid-19 restrictions; there is active conflict again in Jerusalem, with over 150 Palestinians hurt in clashes after a series of terror attacks targeting Israelis in recent weeks; another video of a black man being fatally shot by the police has emerged in the US – Patrick Lyoya was killed, while being held on the ground, defenceless, on 14 April and riots have followed in Michigan.

Our team at Index is working on every one of these news stories. We work with people on the ground, and we commission dissidents and writers, in country, to give us a first-hand account. In the twenty-first century we can speak to people in every corner of the globe, as events are happening, because of the internet and the social media platforms which afford us all a level of protection because of end-to-end encryption. We work with people on the ground who would be arrested, tortured, or even killed because they want to share their experiences with the world. They want the world to know what is happening to them and to their communities. They are on the frontline in the perpetual fight for our democratic right to freedom of expression. They are vulnerable because of who they are and what they want to share with us, whether that’s their writings, their opinions or their art.

They are brave and inspirational and determined to stand up for what is right. For as long as they want to tell their stories there is a moral onus for us to listen to them.

Which brings me to the current proposals to regulate our online lives currently being progressed in the European Union and in the United Kingdom. In Europe, today (Friday) the final negotiations on the substance of the Digital Services Act are underway and, in the UK, the Online Safety Bill began its parliamentary journey on Tuesday.  Index is working actively with partners to try and mitigate the worst aspects of both pieces of legislation and we were in Brussels this week to make the case for additional protections for freedom of speech. Our overriding goal is to make sure that our access to those brave dissidents is protected and that our rights to discuss the detail of these horrors are protected. To make sure that while legislators are trying to ‘protect’ us online they don’t end up inadvertently silencing us.

Index advocates for free expression within the protections afforded to us by the European Convention on Human Rights. There is no right not be offended. There is no right not to see things online, or in real life, that will upset you. Of course, we all want to protect each other from seeing the worst aspects of human life – that’s an admirable aspiration but it isn’t the grounds for making new law. In fact, it’s the exact opposite – legally we have protected freedom of expression, it’s a fundamental right. I have written before about our concerns regarding online regulation and in the coming months I’ll be writing extensively on it – but we start with the basic principle – what is legal to say should be legal to type. And that should be the case whatever any new legislation seeks to amend.

Index calls on governments to ensure encrypted tools are available to public

Index joined 52 other civil society organisations as well as private companies and security researchers in calling on governments to allow technology companies to offer strong encryption tools such as Signal or WhatsApp to the public.

The statement highlights the dangers to the security and privacy of billions of internet users around the world, should governments enforce the removal of end-to-end encryption protection on consumer messaging services, which are often used by journalists on assignments. It also points out that building “back doors” just for “good actors” is not possible.

According to the letter sent to US, British and Australian ministers: “Technology companies could not give governments back door access to encrypted communications without also weakening the security of critical infrastructure, and the devices and services upon which the national security and intelligence communities themselves rely.”

The letter goes on to describe the numerous problems critical national infrastructure, industry, businesses and private individuals would face if such ‘backdoor access’ was granted.

The appeal comes as a response to a joint letter by UK Home Secretary Priti Patel, and her US and Australian counterparts in October, and following a United States Department of Justice event describing encrypted communications tools as ‘lawless spaces’.

The full sourced statement, and list of signatories can be found here: https://newamericadotorg.s3.amazonaws.com/documents/Coalition_Response_Letter_-_Encryption_DOJ_event_and_letter_to_Facebook.pdf