When the Bill landed in the House of Lords days later, a precarious agreement between Government and rebels had passed on a vast baton of legislative issues. There was a collective sigh of relief that the upper chamber would be taking on the mantle.
The threat to encryption, or private messaging, didn’t even feature as a concern amongst legislators, let alone the government, despite the Bill introducing measures unprecedented in any western democracy.
Flash forward to September, and encryption features as the most important and urgent issue that needs addressing before the Online Safety Act receives imminent Royal Assent.
The efforts of my colleagues at Index on Censorship, partners across civil society, and the businesses that rely on encryption have all been vital in achieving this.
Confidence in the Government’s ability to grasp the full consequences and details of their legislation has waned thin. Index and others have consistently warned that Section 122 of the Act is a gateway to the unprecedented mass-surveillance of British citizens and a threat to vulnerable people up and down the country.
Section 122 notices install the right to impose technologies that would intercept and scan private communications on a mass scale. The principle that the state can mandate the surveillance of millions of lawful users of private messaging apps should require a higher threshold of justification which has not been established to date.
Ofcom could impose surveillance on all private messaging users with a notice, underpinned by significant financial penalties, with less legal protections than equivalent powers under the Invetsigatory Powers Act.
The proposed interferences with the rights of UK citizens arising from surveillance under the Bill are unlikely to be in accordance with the law and are open to legal challenge.
Journalists will not be properly protected from state surveillance, risking source confidentiality and endangering human rights defenders and vulnerable communities.
From raising awareness of encryption in public debate, demonstrating its real-world effects for policy makers, to highlighting the unintended legal and technological consequences of the Bill, we finally have a Government that is at least not running head first into an attack on encryption that would be unprecedented in any democracy.
But the encryption die remains far from cast. Reports in the FT and elsewhere alluded to a Government ‘u-turn’ ahead of a Ministerial statement on Wednesday (6 September) that delivered nothing of the sort.
While some in the Government are briefing that encryption will be protected, the actions of its ministers do not match up to those words.
A new report by Index on Censorship this week revealed that that Online Safety Bill has alarming consequences when put alongside the controversial Investigatory Powers Act (snooper’s charter). This access, unprecedented in any Western democracy, could provide the Home Office with entry to British citizens’ personal messages as follows:.
Ofcom issues notice mandating the use of Accredited Technology to provide a backdoor to encrypted messages under the Online Safety Bill (section 122)
The Home Office or security services apply for a bulk surveillance warrant on account of a matter of national security (Investigatory Powers Act) granting them access to bulk data
This is extremely concerning, not least because the window in which the Government can legislate its way out of this mess is rapidly closing. The Online Safety Bill will return to the House of Commons for the first time in eight months on Monday (11 September) for a consideration of Lords’ amendments.
This is the last and only chance the Government has to follow up words with actions. They must go beyond Wednesday’s ministerial statement and allay the concerns once and for all by amending the Bill’s Section 122 notices as well excluding use of the IPA in conjunction with the Bill.
Our report sets out how the government can get this right. We’re running out of time. We hope that the government will see sense and put down amendments to fix the backdoor in the Online Safety Bill.
A video explaining the basics behind end-to-end encryption and why Index on Censorship believes that strong encryption is essential for national security and public safety and that this should be reflected in the Online Safety Bill. Hear from Cindy Cohn of the Electronic Frontier Foundation, Dr Phil Zimmermann, creator of Pretty Good Privacy and Ross J Anderson, professor of security engineering at the universities of Edinburgh and Cambridge.
There has been significant commentary on the flaws of the Online Safety Bill, particularly the harmful impact on freedom of expression from the concept of the ‘duty of care’ over adult internet users and the problematic ‘legal but harmful’ category for online speech. Index on Censorship has identified another area of the Bill, far less examined, that now deserves our attention. The provisions in the Online Safety Bill that would enable state-backed surveillance of private communications contain some of the broadest and powerful surveillance powers ever proposed in any Western democracy. It is our opinion that the powers conceived in the Bill would not be lawful under our common law and existing human rights legal framework.
Index on Censorship has commissioned a legal opinion by Matthew Ryder KC, an expert on information law, crime and human rights, and barrister, Aidan Wills of Matrix Chambers. This report (a) summarises the main legal arguments and analysis; (b) provides a more detailed explanation of the powers contained in Section 104 notices; and (c) lays out the legal opinion in full.
The legal opinion shows how the powers conceived go beyond even the controversial powers contained within the Investigatory Powers Act (2016) but critically, without the safeguards that Parliament inserted into the Act in order to ensure it protected the privacy and the fundamental rights of UK citizens. The powers in the Online Safety Bill have no such safeguards as of yet.
The Bill as currently drafted gives Ofcom the powers to impose Section 104 notices on the operators of private messaging apps and other online services. These notices give Ofcom the power to impose specific technologies (e.g. algorithmic content detection) that provide for the surveillance of the private correspondence of UK citizens. The powers allow the technology to be imposed with limited legal safeguards. It means the UK would be one of the first democracies to place a de facto ban on end-to-end encryption for private messaging apps. No communications in the UK – whether between MPs, between whistleblowers and journalists, or between a victim and a victims support charity – would be secure or private. In an era where Russia and China continue to work to undermine UK cybersecurity, we believe this could pose a critical threat to UK national security.
The King’s Counsel’s legal opinion includes that:
● Section 104 notices amount to state-mandated surveillance because they install the right to impose technologies that would intercept and scan private communications on a mass scale. The principle that the state can mandate the surveillance of millions of lawful users of private messaging apps should require a much higher threshold of legal justification which has not been established to date. Currently this level of state surveillance would only be possible under the Investigatory Powers Act if there is a threat to national security.
● Ofcom will have a wider remit on mass surveillance powers of UK citizens than the UK’s spy agencies, such as GCHQ (under the Investigatory Powers Act 2016). Ofcom could impose surveillance on all private messaging users with a notice, underpinned by significant financial penalties, with less legal process or protections than GCHQ would need for a far more limited power.
● Questionable legality: The proposed interferences with the rights of UK citizens arising from surveillance under the Bill are unlikely to be in accordance with the law and are open to legal challenge.
● Failure to protect journalists: if enacted, journalists will not be properly protected from state surveillance risking source confidentiality and endangering human rights defenders and vulnerable communities.
The disproportionate interference with people’s privacy identified by the legal analysis paints an altogether different picture of the Online Safety Bill. Far from being a law to establish accountability for online crime, the legislation, as drafted, opens the door for sweeping new powers of surveillance with little public debate over their purpose and proportionality. Unless the government reconsiders or parliament pushes back, these powers are set on a collision course with independent media and journalism as well as marginalised groups.
Rt Hon Michelle Donelan MP
Secretary of State for Digital, Culture, Media and Sport
Department for Digital, Culture, Media and Sport
100 Parliament Street
22 September 2022
Dear Secretary of State,
Congratulations on your new role.
We are a coalition of independent organisations committed to protecting freedom of expression. We are writing to you following your appointment as the new Secretary of State for Digital, Culture, Media and Sport to request a meeting to discuss the Online Safety Bill. We believe that, in order to prevent serious damage being done to our rights and freedoms, the Online Safety Bill must be completely overhauled.
In particular, we would like to set out concerns we have about provisions in the Bill which we believe would be damaging to the rights to freedom of expression and privacy. We believe that the following areas must be addressed as a minimum:
The law should be upheld online as it is offline, but as currently drafted, the Bill would impose a two-tier system for freedom of expression, with extra restrictions for categories of lawful speech, simply because they appear online. During the Conservative leadership contest, the new Prime Minister Liz Truss committed to protecting freedom of speech in the Bill. She also said that her “fundamental principle is the rules should be the same online as they are in real life”. In its current form, the Bill does not live up to this principle,as it specifically seeks to regulate and restrict categories of free expression which the state labels as “harmful”.
We believe that Clause 13 of the Bill regarding so called “legal but harmful” speech must be dropped.
It has been widely observed that the Bill gives the Secretary of State excessive executive powers to define categories of lawful speech to be regulated and influence the limitations of our online expression. We believe that these powers would be vulnerable to politicisation by a future government.
We believe that executive powers granted to the Secretary of State, including those which would give the post-holder undue influence over communications regulator, Ofcom, must be dropped.
The Bill also poses serious threats to the right to privacy in the UK by creating a new power to compel online intermediaries to use “accredited technologies” to conduct mass scanning and surveillance of all citizens on private messaging channels. These measures also put at risk the underlying encryption that protects private messages against being compromised by bad actors. The right to privacy is deeply entwined with the right to freedom of expression and these proposals risk eroding both, with particularly detrimental effects for journalists, LGBTQ+ people, and other communities.
The Bill must not compel online intermediaries to scan the content of our private messages.
We would welcome the opportunity to discuss these points with you in more detail and would be happy to meet with you virtually or in person at a time of your choosing.
We look forward to hearing from you soon.
Mark Johnson – Big Brother Watch
Barbora Bukovská – ARTICLE 19
Daniel Gorman – English PEN
Sam Grant – Liberty
Dr Monica Horten – Open Rights Group
Jacqueline Rowe – Global Partners Digital
Ruth Smeeth – Index on Censorship