Online Safety Bill undermines privacy online, say UK’s top cyber security experts
4 July 2023
UCL researchers are among leading experts to sign an open letter highlighting the "alarming misunderstandings and misconceptions" around the proposed Online Safety Bill.
Scientists from the UK’s National Research Centre on Privacy, Harm Reduction and Adversarial Influence Online (REPHRAIN) have called on Parliament to consider independent scientific evaluation before voting through the Online Safety Bill, which could inadvertently enable surveillance technologies and erode online protection.
The Online Safety Bill provision on scanning messages shared through apps such as WhatsApp and Signal is the focus of intense debate due to its potential for large-scale impact on human rights. The researchers have called on government and parliament to study the independent scientific evaluation of the tools proposed to undertake such scanning as part of the Government’s Safety Tech Challenge Fund.
With end-to-end encryption (E2EE), no third parties, including service providers such as WhatsApp and Signal, can read messages as they travel between the sender and the receiver.
The independent evaluation concluded that although none of the tools propose to weaken or break the E2EE protocol, the confidentiality of the E2EE service users’ communications cannot be guaranteed when all content intended to be sent privately within the E2EE service is monitored pre-encryption.
The Home Secretary, Suella Braverman, writing in The Telegraph last week, noted that the programme had “demonstrated that it would be technically feasible to detect child sexual abuse in environments which utilise encryption.”
Awais Rashid, Professor of Cyber Security at the University of Bristol and Director of the REPHRAIN Centre, said: “The issue is that the technology being discussed is not fit as a solution.” Professor Rashid has worked on development of automated tools to detect child abuse material online as well as engineering privacy into software systems for 15 years.
“Our evaluation shows that the solutions under consideration will compromise privacy at large and have no built-in safeguards to stop repurposing of such technologies for monitoring any personal communications,” he said.
“Nor are there any mechanisms for ensuring transparency and accountability of who will receive this data and for what purposes will it be utilised.
“Parliament must take into account the independent scientific evidence in this regard. Otherwise the Online Safety Bill risks providing carte blanche for monitoring personal communications and potential for unfettered surveillance on a societal scale.”
The evaluation also highlighted the challenges that stem from the absence of documented, ethically responsible benchmark datasets for developing and evaluating such tools and the lack of detailed experimental information due to the proprietary nature of such tools.
Professor Steven Murdoch (UCL Computer Science), a member of REPHRAIN’s leadership team, said: “The detailed expert analysis performed by the REPHRAIN team identified serious limitations in all the tools proposed by the Safety Tech Challenge Fund. Furthermore, the report supports the scientific consensus that client-side scanning fundamentally damages the end-to-end security essential to protect individuals' safety when using messaging applications.”
The open letter can be read here.
Dr Matt Midgley
E: m.midgley [at] ucl.ac.uk