Index on Censorship has published a legal opinion from Phillippa Kaufmann KC and Aidan Wills (both of Matrix Chambers) in response to Ofcom’s characterisation of End-to-End Encryption (‘E2EE’) as a risk factor in their Draft Guidance on online harms.
Since 2023, Ofcom has been tasked with implementing the Online Safety Act and explaining how technology companies must fulfil their duty of care to users of their online services. The regulations Ofcom has drafted will go before Parliament early next year and require a careful balance between keeping people safe online and respecting individual privacy.
Index on Censorship, as well as a host of civil society organisations who submitted consultation responses on the regulations, have highlighted the regulator’s failure to recognise the benefits of using encrypted communication technologies to users’ privacy and security online.
Ofcom has implied that service providers should weaken encryption on their messaging services to mitigate risks of illegal harms. This is despite the fact that encryption of personal data is a measure that may be taken to comply with the human rights and cybersecurity requirements outlined in the legal opinion. Ofcom should outline the benefits of encryption expressly and clearly in their guidance.
CEO of Index on Censorship, Jemimah Steinfeld, said:
“Index has published censored writers across the globe since 1972. Today, we’re using encrypted messaging apps to keep in touch with our network of correspondents around the world, from Iran, to Afghanistan, to Hong Kong.
We are disappointed that Ofcom has failed to properly consider human rights and practical implications in its approach to encryption. This legal opinion confirms there is inadequate consideration of how their draft guidance could undermine the security protections that millions of people rely on every day. Ofcom should revise its guidance before it’s too late, or face a wave of costly and time-consuming legal challenges in the years ahead.
We are calling on Ofcom (and if necessary, the Secretary of State for Science, Innovation and Technology, Peter Kyle) to:
The legal opinion (which can be consulted below) was sought from expert human rights and technology barristers as Index on Censorship feared there is insufficient weight given to privacy and data protection laws in Ofcom’s draft guidance. Without encrypted communication services, journalists, their sources, and political dissidents across the world, for whom security is essential, will be negatively impacted.
Phillippa Kaufmann KC and Aidan Wills have explained the legal guardrails for how content moderation regulation can operate next year when the OSA comes into force. Service providers in the scope of regulation are advised:
In August 2021, when the Taliban took over Kabul and home searches became ubiquitous, women started to delete anything they thought could get them in trouble. Books were burned, qualifications were shredded, laptops were smashed. But for 21 members of a women’s creative writing group, a lifeline remained: their WhatsApp group. Over the next year they would use this forum to share news with one another (a story that has since been chronicled in the recently published book My Dear Kabul, which was published by Coronet and is an Untold Narratives project, a development programme for marginalised writers). Doing so through WhatsApp was not incidental. Instead the app’s use of end-to-end encryption provided a strong level of protection. The only way the Taliban would know what they were saying was if they found their phones, seized them, forced them to hand over passwords and went into their accounts. They could not otherwise read their messages.
End-to-end encryption is not sexy. Nor do those four words sound especially interesting. It’s easy to switch off when a conversation about it starts. But as this anecdote shows it’s vitally important. Another story we recently heard, also from Afghanistan: a man hid from the Taliban in a cave and used WhatsApp to call for help. Through it, safe passage to Pakistan was arranged.
It’s not just in Afghanistan where end-to-end encryption is essential. At Index we wouldn’t be able to do our work without it. We use encrypted apps to message between our UK-based staff and to keep in touch with our network of correspondents around the world, from Iran to Hong Kong. We use it to keep ourselves safe and we use it to keep others safe. Our responsibility for them is made manifest by our commitment to keep our communication and their data secure.
Beyond these safety concerns we know end-to-end encryption is important for other reasons: It’s important because we share many personal details online, from who we are dating and who we vote for to when our passport expires, what our bank details are and even our online passwords. In the wrong hands these details are very damaging. It’s important too because privacy is essential both in its own right and as a guarantor of our other fundamental freedoms. Our online messages shouldn’t be open to all, much as our phone lines shouldn’t be tapped. Human rights defenders, journalists, activists and MPs message via platforms like Signal and WhatsApp for their work, as do people more broadly who are unsettled by the principle of not having privacy.
Fortunately, today accessible, affordable and easy-to-use encryption is everywhere. The problem is its future looks uncertain.
Last October, the Online Safety Act was passed in the UK, a sprawling piece of legislation that puts the onus on social media firms and search engines to protect children from harmful content online. It’s due to come into force in the second half of 2025. In it, Section 121 gives Ofcom powers to require technology companies to “use accredited technology” that could undermine encryption. At the time of the Act’s passage, the government made assurances this would not happen, but comments from senior political figures like Sadiq Khan, who believe amendments to the Act are needed, have done little to reassure people.
It’s not just UK politicians who are calling for a “back door”.
“Until recently, traditional phone tapping gave us information about serious crime and terrorism. Today, people use Telegram, WhatsApp, Signal, Facebook, etc. (…) These are encrypted messaging systems (…) We need to be able to negotiate what you call a ‘back door’ with these companies. We need to be able to say, ‘Mr. Whatsapp, Mr. Telegram, I suspect that Mr. X may be about to do something, give me his conversations,’” said French Interior Minister Gérald Darmanin last year.
Over the last few years police across Europe, led by French, Belgian and Dutch forces, have breached the encryption of users on Sky ECC and EncroChat too. Many criminals were arrested on the back of these hacking operations, which were hailed a success by law enforcement. That may be the case. It’s just that people who were not involved in any criminal activity would also have had their messages intercepted. While on those occasions public outcry was muted, it won’t be if more commonly used tools such as WhatsApp or Signal are made vulnerable.
Back to the UK, if encryption is broken it would be a disaster. Not only would companies like Signal leave our shores, other nations would likely follow suit.
For this reason we’re pleased to announce the launch of a new Index campaign highlighting why encryption is crucial. WhatsApp, the messaging app, have kindly given us a grant to support the work. As with any grant, the grantee has no influence over our policy positions or our work (and we will continue to report critically on Meta, WhatsApp’s parent company, as we would any other entity).
We’re excited to get stuck into the work. We’ll be talking to MPs, lawyers, people at Ofcom and others both inside and outside the UK. With a new raft of MPs here and with conversations about social media very much in the spotlight everywhere, it’s a crucial moment to make the case for encryption loud and clear, both publicly and, if we so choose, in a private, encrypted forum.
Cast your mind back to January 2023, and the “world-leading, world-first Online Safety Bill” (Rishi Sunak responding to Labour’s Alex Davies-Jones) faced a significant backbench rebellion over an executive liability clause.
When the Bill landed in the House of Lords days later, a precarious agreement between Government and rebels had passed on a vast baton of legislative issues. There was a collective sigh of relief that the upper chamber would be taking on the mantle.
The threat to encryption, or private messaging, didn’t even feature as a concern amongst legislators, let alone the government, despite the Bill introducing measures unprecedented in any western democracy.
Flash forward to September, and encryption features as the most important and urgent issue that needs addressing before the Online Safety Act receives imminent Royal Assent.
The efforts of my colleagues at Index on Censorship, partners across civil society, and the businesses that rely on encryption have all been vital in achieving this.
Confidence in the Government’s ability to grasp the full consequences and details of their legislation has worn thin. Index and others have consistently warned that Section 122 of the Act is a gateway to the unprecedented mass-surveillance of British citizens and a threat to vulnerable people up and down the country.
As Index on Censorship’s report with Matthew Ryder KC set out:
Section 122 notices install the right to impose technologies that would intercept and scan private communications on a mass scale. The principle that the state can mandate the surveillance of millions of lawful users of private messaging apps should require a higher threshold of justification which has not been established to date.
Ofcom could impose surveillance on all private messaging users with a notice, underpinned by significant financial penalties, with fewer legal protections than equivalent powers under the Investigatory Powers Act.
The proposed interferences with the rights of UK citizens arising from surveillance under the Bill are unlikely to be in accordance with the law and are open to legal challenge.
Journalists will not be properly protected from state surveillance, risking source confidentiality and endangering human rights defenders and vulnerable communities.
From raising awareness of encryption in public debate, demonstrating its real-world effects for policy makers, to highlighting the unintended legal and technological consequences of the Bill, we finally have a Government that is at least not running head first into an attack on encryption that would be unprecedented in any democracy.
But the encryption die remains far from cast. Reports in the FT and elsewhere alluded to a Government ‘u-turn’ ahead of a Ministerial statement on Wednesday (6 September) that delivered nothing of the sort.
While some in the Government are briefing that encryption will be protected, the actions of its ministers do not match up to those words.
A new report by Index on Censorship this week revealed that the Online Safety Bill has alarming consequences when put alongside the controversial Investigatory Powers Act (snooper’s charter). This access, unprecedented in any Western democracy, could provide the Home Office with entry to British citizens’ personal messages as follows:
Ofcom issues notice mandating the use of Accredited Technology to provide a backdoor to encrypted messages under the Online Safety Bill (section 122)
The Home Office or security services apply for a bulk surveillance warrant on account of a matter of national security (Investigatory Powers Act) granting them access to bulk data
This is extremely concerning, not least because the window in which the Government can legislate its way out of this mess is rapidly closing. The Online Safety Bill will return to the House of Commons for the first time in eight months on Monday (11 September) for a consideration of Lords’ amendments.
This is the last and only chance the Government has to follow up words with actions. They must go beyond Wednesday’s ministerial statement and allay the concerns once and for all by amending the Bill’s Section 122 notices as well as excluding use of the IPA in conjunction with the Bill.
Our report sets out how the government can get this right. We’re running out of time. We hope that the government will see sense and put down amendments to fix the backdoor in the Online Safety Bill.
A video explaining the basics behind end-to-end encryption and why Index on Censorship believes that strong encryption is essential for national security and public safety and that this should be reflected in the Online Safety Bill. Hear from Cindy Cohn of the Electronic Frontier Foundation, Dr Phil Zimmermann, creator of Pretty Good Privacy and Ross J Anderson, professor of security engineering at the universities of Edinburgh and Cambridge.