UK amends encrypted message scanning plans

The UK government has amended powers that could be used to force tech firms to scan encrypted messages for child abuse images.

Tech firms such as Signal, WhatsApp and Apple have opposed the powers due to privacy concerns.

In amendments passed by the Lords on Wednesday, the government now expects a report to be written before the powers are used by the regulator.

But campaigners say this extra safeguard fails to protect privacy.

The government amendment comes after concerns have been raised by major messaging apps, other companies and technical experts.

The amendments to the Online Safety Bill say that a “skilled person” must write a report for communications regulator Ofcom before it uses the new powers to compel a firm to scan messages.

In previous versions of the bill this was optional.

The report could cover the impact of scanning on freedom of expression or privacy, and whether there are less intrusive technologies that could be used instead.

Another government amendment passed by peers means the regulator needs to consider the impact of the use of technology on journalism and the protection of journalistic sources.

The bill would let Ofcom force tech companies to use “accredited technology” to scan messages for child sexual abuse material.

The Online Safety Bill is currently in the later stages of its journey through Parliament,

Ministers, police and children’s charities say the powers are necessary to tackle “record levels” of child abuse such as imagery and grooming on online platforms, and to prevent encrypted platforms allowing child abusers to “operate with impunity”.

As end-to-end encrypted messages can only be read by the sender or recipient, critics suggest this means companies would need to scan messages before they are encrypted – so called client-side scanning.

This, they say, fundamentally undermines the privacy and security of encrypted messaging.

Meredith Whittaker president of Signal, an encrypted messaging app, previously told the BBC the powers would mean tech firms would have to “run government-mandated scanning services on their devices”.

The BBC understands that the new amendment is in response to concerns about the privacy implications and technical feasibility of the powers in the bill.

Government minister Lord Parkinson told peers he acknowledged “the concerns which have been aired about how these powers work with encrypted services” but he said strong safeguards had been built in to protect privacy.

Ofcom must take the report into account when deciding if it is necessary and proportionate to force a firm to scan messages and share a summary of its findings with the tech firms.

But campaigners, who have dubbed the powers a “spy clause”, said that as a minimum a judge should have to authorise the scanning of user messages.

Index on Censorship said of the new plans: “This is not the legal oversight that these important new powers require, and give short shrift to users’ rights.

“Judicial oversight is a bare minimum for a government appointed body to be able to break encryption and access private messages” the free-speech campaigners said.

The Open Rights Group which campaigns for digital rights has also criticised the government amendment:

“Given that this ‘skilled person’ could be a political appointee, and they would be overseeing decisions about free speech and privacy rights, this would not be effective oversight”, the group wrote.

Other campaigners noted that noted that the reports weren’t binding and lacked legal authority.

An amendment supported by Labour and Liberal Democrat spokesmen proposes oversight by judges. But Labour’s Lord Stevenson did not move the amendment to a vote, though he urged further discussion about the issue at a later stage of the bill.

And Conservative peer Lord Moylan had proposed an amendment that would exempt encrypted services from scanning altogether. He argued the governments plans “opened a hole” in encryption and said the powers were a “major assault on privacy”. But he did not move it to a vote anticipating that the house would vote against it.

But Children’s charity the NSPCC backed the powers in the bill, telling the BBC it set out “a balanced settlement that should encourage companies to mitigate the risks of child sexual abuse when designing and rolling out features like end-to-end encryption”.