Online Safety Act slammed by rights groups as bill gains royal assent

A blue CGI padlock in the shape of a shield, surrounded by blue lines representing encrypted data and blank user profile icons.
(Image credit: Getty Images)

The UK’s Online Safety Act has been the subject of scathing criticism by privacy rights groups in the wake of receiving royal assent, with opponents arguing the bill compels the creation of backdoors into encrypted messaging.

Across its two-and-a-half year journey to becoming law, the Online Safety Act has come under heavy scrutiny and criticism from many in the tech industry. 

Its stated goal is to protect children from harm online and to prevent the spread of illegal content, but experts have criticized the extent of the legal requirements the act places on social media firms to implement these changes.

Section 122 of the Online Safety Bill provides Ofcom with the power to compel any tech firm to scan its content or child sexual abuse or terrorism content, or else face fines of up to £18 million or 10% of annual turnover.

This has profound implications for end-to-end encryption (E2EE) in the UK, as social media firms contend they cannot scan encrypted messages without breaching their commitments to uphold user privacy.

The Open Rights Group has criticized the bill for its powers to break encryption and provide government agencies with a ‘backdoor’ on popular messaging apps such as Signal, WhatsApp, or Telegram.

In a post on X (formerly Twitter) to mark the passing of the bill, the group once again registered its protestations against the bill’s powers.

“This grab bag of half-baked fantasy solutions to misunderstood (or misrepresented) problems has received Royal Assent, including powers to break encryption in messaging apps and censor content before it's even posted,” it stated.

Signal’s Meredith Whittaker, who took over as the firm’s first president in September 2022, also reiterated Signal’s threat to leave the UK if Ofcom asked it to build a backdoor to user messages.

Officials from other companies such as WhatsApp have threatened to remove their apps from the UK based on the same concerns.

“The fact remains that scanning everyone’s messages would destroy privacy as we know it.  That was as true last year as it is today,” said Will Cathcart, head of WhatsApp at Meta in a post on X in September. 

“WhatsApp will never break our encryption and remains vigilant against threats to do so.”

On its passage through the Lords, the government attempted to quell the concerns of tech firms by stating that Ofcom can only impose “technically feasible” requirements.

But the text of the bill and government communications surrounding it continue to state that firms will be required to use “best efforts” to develop technologies to allow for the scanning of content on public and private channels, which would see firms forced to compromise E2EE to meet legal requirements.

RELATED RESOURCE

A Cisco’s guide to log management for cybersecurity

(Image credit: Graylog)

Collect, aggregate, and correlate data more effectively

DOWNLOAD NOW

The UK government has run campaigns against E2EE for years, arguing that the technology allows criminals to operate without fear of government oversight. 

Tech companies have not faced official restrictions on the use of E2EE to date, and the government has argued that the Online Safety Act does not infringe on the freedom of users to choose E2EE apps.

The Online Safety Bill had been put ‘on ice’ in July 2022, and remained relatively unchanged and inactive until December 2022. In this time, many experts called for a rethink on core elements of the bill including its approach to E2EE but when it returned for readings in parliament the content remained largely unchanged.

Martin Albrecht, professor of cyber security and chair of cryptography in the Department of Informatics at King's College London, told BBC News in September that there is no “magical technology” that allows messages to remain private while being scanned.

Others in the industry have praised the act’s various protections for users of online platforms, and argued that businesses and Ofcom alike have a responsibility to ensure good controls and practices are followed as a matter of urgency.

“The Online Safety Bill receiving Royal Assent is a moment that has been years in the making and should be welcomed by all who value internet safety,” said Chris Dimitradis, chief global strategy officer at ISACA, the association of IT professionals.

“If implemented effectively, this legislation will provide appropriate protection for UK citizens to be protected online. But to achieve this mission, Ofcom has a crucial role to play. It will be essential for the regulator to set robust data quality controls, clear technology standards and auditing codes of practice right from the onset. 

“Only then can we ensure affected firms have a comprehensive integrated risk management framework in place to guide their implementation of the UK’s new laws.”

Dimitradis added that businesses have a responsibility to put checks and training in place in order to ensure they are compliant with the act, if they haven’t already.

“As a priority, they must equip their staff with the IT training and skills that they need to use, manage and understand data to avoid being caught breaking the law. This includes having the right processes in place to inform, correct and compensate stakeholders in the event of a breach of the legislation.” 

Many of the act’s powers will come into force by the end of the year, but Ofcom has been given specific powers early so that it may establish plans by the time it is expected to begin enforcing controls.

In line with this, the regulator will run a consultation beginning on 9 November.

TOPICS
Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.