The Conversation
26 Sep 2023, 00:38 GMT+10
The UK's long-debated online safety bill (OSB) has been approved by the House of Lords, clearing the way for it to become law. But it has pitted the government, which proposed the bill, against tech companies that provide secure messaging services. Critics say it will allow authorities in the UK to compel service providers to break users' encryption.
In July, 68 cybersecurity academics published an open letter outlining their concerns about the OSB. In it, they argue that the bill undermines the safety and privacy of users online.
The OSB has met with significant opposition from industry as well. Apple released a statement explaining that encryption "helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches. The OSB poses a serious threat to this protection."
In April, several secure messaging providers, such as WhatsApp, Element, Session and Signal, signed another open letter urging the UK government to rethink the bill.
Yet the bill is now set to become law. At a high level, the OSB imposes duties of care on providers of so-called "user-to-user" internet services, those that allow users to upload or share content that can be seen by other users. This covers activities such as uploading photos onto Instagram or sending messages via WhatsApp.
This distinguishes social media and online messaging services from internet services such as online banking, in which only the provider sees the content uploaded by the end user. These duties of care are aimed at preventing users from communicating illegal content such as child sexual abuse material.
Since the OSB addresses messaging applications, cybersecurity experts have expressed alarm at the potential of the bill to undermine so-called end-to-end encryption. For messaging applications such as WhatsApp and Signal, end-to-end encryption ensures that only the sender of a given message and their intended recipients can read the content of the message. Even the service provider is prevented from reading the message.
This has been a point of contention for governments and intelligence agencies worldwide, since it means they can no longer persuade tech companies to let them access a user's messages.
Proponents of end-to-end encryption, such as the Electronic Frontier Foundation digital rights activist group, argue that privacy of communication is a fundamental right that protects vulnerable groups, such as dissidents in authoritarian regimes. Encryption, they argue, helps ensure this privacy.
However, critics such as intelligence and law enforcement agencies argue that the widespread use of this form of encryption hinders their ability to detect criminal activity such as terrorism or child sexual exploitation.
The OSB is not the first piece of legislation that has come under fire over its potential to undermine the safety and privacy of end-to-end encryption. In 2018, the Australian government passed the Tola Act, which also contained measures to compel tech companies to work with the authorities. Politicians argued that it was necessary to address terrorism. But there was a strong backlash from critics who said it could undermine encryption.
A recent proposal by the European Commission suggests similar requirements for service providers of user-generated content in EU countries and has sparked its own open letter from security and privacy researchers concerned for the potential harm to secure digital societies.
The bill specifically requires the UK communications regulator, Ofcom, to issue "codes of practice" to providers of user-to-user services. The codes provide a basis for Ofcom to obtain information from these providers and fine them for non-compliance.
These codes also require that all providers of user-to-user services "must take or use proportional measures to prevent individuals from encountering illegal content by means of the service".
Conservative MP Damian Collins, who - as minister for tech and the digital economy from July to October 2022 - helped develop the OSB, said in a recent debate that companies should "use their best endeavours to detect, proactively detect, content related to child sexual exploitation". But he also added: "We are not going to ask companies to break encryption."
The open letter from the 68 academics points out the fundamental flaw in this argument: "There is no technological solution to the contradiction inherent in both keeping information confidential from third parties and sharing that same information with third parties."
The president of messaging app Signal, Meredith Whittaker, says the bill contains no protections against breaking encryption.
Indeed, the OSB's language allows Ofcom to issue "notices" that could be used to compel messaging applications to undermine encryption. These would require the provider of the service to "use accredited technology to identify illegal content communicated publicly or privately by means of the service, and to swiftly take down that content".
Since end-to-end encryption fundamentally prevents the service provider from reading user-sent content, this necessitates breaking encryption to identify that content.
Looking at the language of the OSB, the concerns of cybersecurity experts would appear to have some foundation, despite the denials of Damian Collins and the Home Office. The OSB provides mechanisms for the government to compel messaging applications to undermine their own security measures to achieve its goals.
Removing these provisions would be straightforward. Deleting the phrasing "or privately" from the bill would allow the OSB to stand mostly untouched while addressing the concerns of providers that use end-to-end encryption.
It is painfully ironic, then, that since both Signal and WhatsApp have indicated that they would leave the UK rather than undermine encryption, the current wording of the UK's online safety bill would potentially leave UK users of end-to-end encryption less safe online.
Author: Benjamin Dowling - Lecturer of Cybersecurity, University of Sheffield