By Zoe Kleinman, Tom Gerken and Chris Vallance
Technology team
The government has denied it is changing plans to force messaging apps to access users’ private messages if requested by the regulator Ofcom.
There has been a stand-off between the UK government and tech firms over a clause in the Online Safety Bill relating to encrypted messages.
These are messages that can only be seen by the sender and recipient.
The Bill states that if there are concerns about child abuse content, tech companies might have to access it.
But platforms like WhatsApp, Signal and iMessage say they cannot access or view anybody’s messages without destroying existing privacy protections for all users, and have threatened to leave the UK rather than compromise message security.
The debate had raged for several months and for some had turned into an argument about privacy versus the protection of children. The government insists it is possible to have both.
The Online Safety Bill is due to be passed in autumn and is back in the House of Lords for its final reading on Wednesday before returning to the commons.
A new statement concedes that the tech to access messaging without breaking security protocols does not exist. The government announced it in the House of Lords this afternoon, but it denied its position had changed.
Indeed, earlier versions of the Bill do state that the regulator Ofcom would only ask tech firms to access messages once “feasible technology” had been developed which would specifically only target child abuse content and not break encryption.
It has tasked tech firms with inventing these tools.
“As has always been the case, as a last resort, on a case-by-case basis and only when stringent privacy safeguards have been met, [the Bill] will enable Ofcom to direct companies to either use, or make best efforts to develop or source, technology to identify and remove illegal child sexual abuse content – which we know can be developed,” said a government spokesperson.
Some security experts suggest such tech may never exist, and the tech firms themselves say it is not possible.
Prof Ciaran Martin, former head of the National Cyber Security Centre said in reaction, that in practical terms this meant powers would not be used: “The government is still technically taking the power but is placing so many conditions on its use it cannot to my mind ever be used.”
“Hope this brings pause to the global wave of proposals premised on similar magical thinking,” posted Amber Kak, who sits on the board of the secure messaging app Signal.
But Matthew Hodgson, who runs the British-based messaging platform Element, said the latest version of the bill was “kicking the can down the road”.
“All ‘until it’s technically feasible’ means is opening the door to scanning in future rather than scanning today,” he said.
The Internet Watch Foundation – which finds, flags, and removes images and videos of child sexual abuse from the web – felt that little had changed. It maintained it was already technically feasible to scan encrypted messaging systems while preserving privacy.
“As far as we can see, the Government’s position on this has not changed”, it said.
“We know technologies exist, now, which can do this – with no more invasion of privacy than a virus guard or spam filter”.
Another view is that this is an attempt at a last-minute diplomatic resolution in which neither the tech firms nor the government lose face: the government says it knew all along that the tech did not exist and removes immediate pressure from the tech firms to invent it, and the tech firms claim a victory for privacy.
Currently, the two most viable tech solutions are to either break the encryption – which would leave a backdoor open to any bad actors who found it – or introduce software which scans content on a device. It is called client-side scanning and has been dubbed “the spy in your pocket” by critics.
Children’s charities like the NSPCC have described encrypted messaging as the “front line” of child abuse because of privacy settings.
But privacy campaigners say everybody has a right to privacy protection.
Additional reporting by Liv McMahon and Philippa Wain