Returning from their summer recess, United Kingdom politicians are poised to enact a deeply misguided and flawed law that will make the internet less safe for everyone on Earth—and the United States and European Union aren’t far behind.
The House of Lords this summer squandered a key opportunity to amend the Online Safety Bill —truly a misnomer for the ages—so that it won’t erode vital protections for all digital communications. Amendments could still be offered until Sept. 1, but this seems less likely with each passing hour.
U.K. government officials, for years, have voiced concerns that online services don’t do enough to tackle illegal content, particularly child sexual abuse material. The “solution” was the Online Safety Bill, ostensibly seeking to make the U.K. the world’s safest place to use the internet.
But the bill in its current form would achieve the opposite—by requiring websites and apps to proactively prevent harmful content from appearing on messaging services. That necessarily must lead to universal scanning of all user content: All users’ text messages, images, and videos would be checked and monitored before being posted.
It’s a 21st-century form of prior restraint, violating the very essence of free speech. It’s a death knell for end-to-end encryption, and with it, every internet user’s right to privacy.
Private communication is a fundamental human right, and in the online world, the best tool we have to defend this right is end-to-end encryption. It ensures that governments, tech companies, social media platforms, and other groups cannot view or access our private messages, the pictures we share with family and friends, or our bank account details. This is a particularly vital protection for the most vulnerable in society, such as children seeking relief from abuse or human rights defenders working in hostile environments.
“Yes, indeed, let’s think of the children: This bill badly erodes their rights to privacy, agency, and safety.”
Civil society organizations, security experts, and tech companies have clearly and unequivocally asked for this bill’s anti-encryption sections to be withdrawn; Apple in June joined the chorus of voices warning that the bill “could put U.K. citizens at greater risk.” Secure communications providers, including Signal and WhatsApp, have said they will halt all U.K. service if the law is passed as written.
The consensus is that there’s no backdoor to encryption that won’t be exploited by bad actors such as cyber criminals, rogue employees, domestic abusers, and authoritarian governments.
“But think of the children!” the bill’s supporters might exclaim.
Yes, indeed, let’s think of the children: This bill badly erodes their rights to privacy, agency, and safety.
Children, like adults, rely on encrypted communication apps like WhatsApp or Signal, and have legitimate expectations to not be subjected to mandatory identity verification, arbitrary filtering, and surveillance. More specifically, abused children need private and secure channels to report what is happening to them. Yet the bill, while intending to protect children, fails to respect their privacy and disregards internationally recognized principles on children’s rights.
Make no mistake, this awful bill won’t just affect the U.K.—it will be a blueprint for repression around the world. The bill’s defenders are quick to highlight the worst content that exists online, like pro-terrorism posts and child abuse material, but the surveillance clearly won’t end there. Companies will be pushed to monitor wider categories of content, and to share information about users between jurisdictions. Journalists and human rights workers inevitably will become targets. And users will never be certain of whether their private messages are being read and intercepted by private companies.
Yet Parliament has taken no heed. Worse yet, the U.K. is not alone in this effort: Unable to build public support for the idea of police scanning every digital message, lawmakers in other liberal democracies also have turned to work-arounds, claiming encryption backdoors are needed to inspect files for the worst crimes. They’ve claimed falsely that certain methods of inspecting user files and messages, like client-side scanning, don’t break encryption at all.
In the United States, it’s the EARN IT Act; in the European Union, it’s the draft Regulation to Prevent and Combat Child Sex Abuse. Government agencies also tried—and, thank goodness, failed—to pressure Apple into adopting a system of software scanners on every device, constantly checking for child abuse images and reporting back to authorities.
Signal president Meredith Whittaker put it succinctly: “Encryption is either protecting everyone or it is broken for everyone.”
There is no middle ground, no “safe backdoor” if the internet is to remain free and private. It may now be too late to stop the Online Safety Bill—to which the only solution now might be litigation—but its still-nascent American and European counterparts must be either substantially reworked or abandoned entirely.
Paige Collings is Senior Speech and Privacy Activist at the Electronic Frontier Foundation, a nonprofit digital civil liberties organization headquartered in San Francisco.