UK tells messaging apps not to use e2e encryption for children’s accounts

To get a glimpse of the security and privacy dystopia the UK government has in store for its highly regulated ‘UK Internet’, look no further than the guidelines released yesterday by the Department for Digital Media and Culture. and Sports (DCMS) – aimed at social media platforms and private messaging services – which includes the suggestion that the latter should “prevent” the use of end-to-end encryption on “child accounts”.

That’s right, the UK government says ‘No end to end encryption for our kids please they are UK’.

And although this is only a guideline for now, the cold is real, as the legislation is already on the table.

The UK’s Online Safety Bill was released in May, with Boris Johnson’s government spelling out a sweeping plan to force platforms to regulate user-generated content by imposing a legal obligation to protect users against illegal (or simply “harmful”) content.

The bill controversially bundles requirements to report illegal content such as child sexually exploitative content to law enforcement with much looser mandates that platforms take action against a range of “wrongdoing”. »Much harder to define (from cyberbullying to romance scams).

The end result looks like a hammer to crack a nut. Except that the “nut” that could shatter into pieces in this ministerial vice is digital security and the privacy of British Internet users. (Not to mention UK startups and digital companies that don’t participate in mass surveillance as a service.)

This is the danger if the government follows through on its far-fetched idea that – on the Internet – “safety” means that safety must be replaced by general surveillance in order to “keep children safe”.

The Online Safety Bill is not the UK’s first flawed tech policy plan. An earlier offer to force adult content providers to verify the age of users was scrapped in 2019, after it was widely criticized as unworkable as well as a massive invasion of privacy and a security risk.

The story continues

However, at the time, the government said it was only abandoning the “porn blocks” measure because it planned to offer “the most comprehensive approach possible to protecting children.” Hence the online safety bill which is now advancing to push platforms to remove strong encryption in the name of “protecting children”.

Age verification technologies – and all sorts of content monitoring solutions (surveillance technology, no doubt referred to as “security tech”) – also seem likely to proliferate due to this approach.

Push platforms to proactively monitor speech and monitor usage in the hopes of avoiding an ill-defined bag of ‘mischief’ – or, from a platform’s perspective, avoiding risk of exorbitant fines from the regulator if it so decides they have failed in this “duty of care” – this obviously also evokes a nightmarish scenario for freedom of expression online.

Aka: “Watch what you type, even in the privacy of your private messaging app, because UK internet security thinks the police are watching / might block you …”

UK minors ‘privacy rights seem to be the first on the chopping block, via what DCMS guidelines call’ practical steps to managing the risk of harm online if your online platform allows people to interact. and share text and other content ”.

So pretty much if your online platform has a communication layer, then.

Letting children have their own safe spaces to express themselves is apparently incompatible with ministers’ populist desire to label the UK as “the safest place in the world to go online” because they love to run it.

How exactly will the UK achieve online security if government fanatics force service providers to remove strong security (e2e encryption) – torching the standard of data protection and privacy enveloping information personalities of the British – is a burning question.

Although this is not an issue the UK government seems to have considered for even a fraction of a second.

“We have long known that one of the government’s goals for the Online Safety Bill is to restrict, if not outright criminalize, the use of end-to-end encryption,” said Heather Burns , policy officer for the digital rights organization Open Rights Group (ORG), one of many outspoken critics of the government’s approach – discussing the broader implications of the political push with TechCrunch.

“Recent government and media-promoted messaging strategies have openly sought to associate end-to-end encryption with child abuse, and to suggest that the companies that use it are helping and encouraging the exploitation of children. Thus, the recently released guidelines from DCMS advise the voluntary removal of encryption from children’s accounts is a precursor for it to become a likely legal requirement.

“It is also part of the government’s desire, again as part of the Online Safety Bill, to require all services to implement mandatory age verification on all users, for all users. content or applications, in order to identify child users, in order to refuse them encryption. , thanks to aggressive lobbying from the age verification industry. “

This ministerial rhetoric around the online safety bill is fraught with hard-hitting emotional calls (to “protect our children from bad guys online”) and weak in sequential logic or technological consistency is no surprise: governments Successive conservatives have, after all, had a massive bee up their sleeves about e2e encryption – dating back to the years of David Cameron.

At the time, ministers generally aimed for strong encryption for counterterrorism reasons, arguing that the technology is bad because it prevents law enforcement from catching terrorists. (And they then passed tough surveillance laws that also include powers to limit the use of strong encryption.)

However, under the more recent Prime Ministers Theresa May and Boris Johnson, the rhetoric of child protection has also intensified – to the point where messaging channels are now actively encouraged not to fully use e2e encryption.

Next step: state-sanctioned mass commercial surveillance. And enormous risks for all British Internet users subject to this anti-security and anti-privacy “security” regime.

“Despite the government’s claim that the bill will make the UK ‘the safest place in the world to be online’, restricting or criminalizing encryption will in fact make the UK a dangerous place for anyone to visit. company to do business, ”Burns warned. “We will all need to use VPNs and foreign services, as happens in places like China, in order to protect our data. It is likely that many essential services will block UK customers or leave the UK entirely. , rather than being forced to act like a privatized nanny state over unsecured data streams. “

In a section of the DCMS guidelines titled “Protecting Children by Limiting Functionality,” the ministry literally suggests that “private channels” (that is, services such as messaging apps) “prevent encryption of end-to-end of child accounts ”. And since the precise age identification of online users remains a challenge, it follows that the departments concerned may simply decide that it is less legally risky if they do not use e2e at all.

The DCMS guidelines also follow an all-bold paragraph – in which the government then makes a point of highlighting e2e encryption as a “risk” for users, usually – and, therefore, implicitly, future compliance with future online security legislation …

“End-to-end encryption makes it harder to identify illegal and harmful content occurring on private channels. You must take into account the risks this could present to your users, writes the British government, stressing its.

Whether anything can stop this self-destructive political train now that it has left Downing Street station is unclear. Johnson has a huge majority in parliament – and he has years to go before he has to call a general election.

The only thing that could derail the most harmful elements of the Online Safety Bill is for the UK public to realize the dangers this poses to everyone’s safety and privacy – and if enough MPs are in it. take note and ask for amendments.

Earlier this month, the ORG, along with around 30 other digital and human rights groups, called on MPs to do just that and “help protect voter data. by protecting e2e encryption from legislative threats ”- warning that this “basic and essential” security protocol is threatened by articles of the bill which introduce the obligation for companies to analyze private and personal messages for evidence of criminal acts.

Zero access encryption is viewed by the UK government as a barrier to such analysis.

“To do this, the use of end-to-end encryption is likely to be defined as a violation of the law,” the ORG also warned. “And companies operating in the UK that wish to continue to defend user privacy through end-to-end encryption could, under the bill, be threatened with partial shutdowns, blocked from within the UK or even personal arrests. “

“We call on Parliament to ensure that end-to-end encryption is not threatened or compromised by the Online Security Bill, and that services using strong encryption are not subject to oversight requirements and filtering the content of the bill, “he added in the online statement. to appeal.

DMCS has been contacted with questions about the logic of the government’s policy towards e2e encryption.

In a statement released yesterday, Minister of Digital Caroline Dinenage said: “We are helping companies update their safety standards ahead of the introduction of our new online harm laws and we are also working to protect children and users now.

“We want businesses of all sizes to align with the online security standard and this advice will help them do that. “