UK's Encryption Law: Why Tech Giants May Exit
15-08-2023 | By Robin Mitchell
As a controversial law behind encryption is soon to come into power, tech companies around the world are petitioning the UK government to withdraw the requirement for backdoor access, essentially breaking encryption. What exactly is the UK looking to do, why is it devastating for encryption, and how will engineers cope without P2P encryption?
UK’s Online Safety Bill – What exactly is being proposed?
For as long as man has been able to instil fear in others, conflicts, reductions of freedom, and even genocides have been carried out in the name of national security or protecting children. In the case of the UK's upcoming Online Safety Bill, these two factors are exactly what the government claims to protect, and while there are plenty of supporters, there are those who see the bill only as a step backwards in the fight for privacy, security, and freedom.
The primary purpose of the Online Safety Bill is to protect children against harmful online content and the predators that lurk in the shady corners of the internet. For example, it is expected that the bill will require tech companies to integrate mechanisms that automatically scan content for Child Sexual Abuse Material (CSAM), and messages that result in a hit will then be passed to the authorities for further investigation.
The bill will also introduce numerous penalties for tech firms that fail to follow the new rules, but what has really caught the attention of engineers and the media alike is the requirement for encrypted messages to be fully accessible to firms and law enforcement. Simply put, the bill would see an end to messaging systems that utilise peer-to-peer encryption (such as those offered by WhatsApp, Telegram, and Signal) and instead require a centralised system whereby data can be seen in its entirety by authorised personnel and law enforcement.
According to a BBC report, the government has made amendments to the bill, stating that a "skilled person" must write a report for communications regulator Ofcom before it uses the new powers to compel a firm to scan messages. This report could cover the impact of scanning on freedom of expression or privacy.
Why This Bill Will Break Encryption
When the new bill comes into effect, encryption itself will remain perfectly legal and work as if nothing had changed. Credit card data sent over the internet will still work fine, messages sent to others will still be encrypted en route, and man-in-the-middle attacks won’t be able to read the data.
However, the primary cause for concern with the new bill is that moving away from P2P encryption in favour of a centralised encryption system will undoubtedly create an extremely weak point in private communications. If all messages are stored on a centralised server and completely open to internal access, it won’t be difficult for a rogue employee or government authorities to simply waltz up and take the data. Whether it is embarrassing messages, personal files, or contacts, anything and everything sent over such messaging systems will instantly lose its privacy to the service provider and, by extension, to any authority that has power over that service provider.
But the problems only get worse; any encryption system that can be “undone” on a platform that has access to the internet will undoubtedly become the target of hackers all over the planet. It is highly likely that cybercriminals will do whatever they can to gain access to these services, scrape as much content as possible, and then use that data to either perform widespread ransomware attacks or just cause grief.
To make matters even more dire, governments have a long history of being entirely incompetent with technology. As such, any access system that a government holds will likely be attacked by cybercriminals worldwide. But it is equally likely that encryption keys and access codes will simply be left on a train through sheer stupidity, followed by a small apology and no real consequences.
Thus, the moment this bill takes effect, messages sent using UK-approved apps will no longer be truly private.
Apple, a major tech company, has expressed concerns over the bill, stating that they would rather remove services like FaceTime and iMessage from the UK than weaken their security. This highlights the potential global implications of the bill.
How will engineers cope without P2P messaging?
How will engineers cope without P2P messaging? The short answer is that they won’t, and unless UK citizens use unauthorised apps, there is very little that can be done.
It may be possible to disguise the nature of an app or service so that it is no longer classified as a messaging service. For example, an IoT app and its associated devices could all utilise a P2P network to communicate with other devices, and inside that network a messaging system could be deployed, but this is an extreme solution.
Another option for users may be to set up VPNs that work with a select group of contacts. Once inside a VPN, there is no need for additional encryption, so basic messaging services can indeed be used, but only those that don’t require a centralised service to share messages. For example, it is possible for machines on the same network to send messages over TCP (something which can be whipped up in a matter of minutes in Python), and ten friends connected to this VPN could message freely regardless of where they are.
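The direct TCP messaging this paragraph mentions, as an added example that is not code from the article: two peers on a shared network exchange newline-framed messages with no central relay in between, so nothing other than the two endpoints ever handles a message. The `recv_line`, `start_peer`, `send_message` and `demo` names are assumptions, and 127.0.0.1 stands in for the peers' VPN addresses.

```python
import queue
import socket
import threading

# Added example (not from the article): a minimal direct peer-to-peer messenger
# of the kind the article describes. Each peer listens on its own TCP port and
# connects straight to a friend's VPN address, with no relay. Newline-framed.

def recv_line(conn, limit=4096):
    """Read one newline-terminated message, refusing oversized input."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = conn.recv(1)
        if not chunk:  # peer closed without sending a newline
            break
        buf += chunk
        if len(buf) > limit:
            raise ValueError("message too long")
    return buf.decode("utf-8").rstrip("\n")

def start_peer(host, port, inbox):
    """Listen on host:port (0 = any free port); put (sender_ip, text) on inbox."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen()

    def serve():
        while True:
            conn, addr = srv.accept()
            with conn:
                try:
                    inbox.put((addr[0], recv_line(conn)))
                except (ValueError, OSError):
                    pass  # drop malformed or aborted messages, keep serving

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def send_message(host, port, text):
    """Open a direct TCP connection to a peer and deliver one message."""
    with socket.create_connection((host, port), timeout=5) as conn:
        conn.sendall(text.encode("utf-8") + b"\n")

def demo():
    """Two peers on localhost (standing in for VPN addresses) exchange one
    message each way; returns the text each inbox received."""
    alice_inbox, bob_inbox = queue.Queue(), queue.Queue()
    alice_port = start_peer("127.0.0.1", 0, alice_inbox)
    bob_port = start_peer("127.0.0.1", 0, bob_inbox)
    send_message("127.0.0.1", bob_port, "hello bob")
    send_message("127.0.0.1", alice_port, "hi alice")
    return alice_inbox.get(timeout=5)[1], bob_inbox.get(timeout=5)[1]
```

Each connection carries a single message and is closed by the sender, so a listener never blocks on a half-open peer beyond the size cap enforced in `recv_line`.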
Considering that messaging apps are fundamentally trivial to develop and deploy, it is likely that smaller businesses and solutions will be developed. Furthermore, it would be hard for the UK to outright outlaw an app to its citizens, as simply using a P2P app would not be proof enough of malicious use.
DeepMind's co-founder, Mustafa Suleyman, suggests that the UK needs to encourage more risk-taking and be more supportive of large-scale investments in the tech sector if it aims to become an AI superpower. This sentiment reflects the broader challenges the UK faces in the tech industry, as highlighted in a BBC article.
Overall, what the UK government is doing with its Online Safety Bill is nothing more than utter stupidity. If the UK is serious about protecting children and national security, it should be exploring other avenues of protection, such as increasing parental involvement in children’s life, child-safe apps, and better education.
Remember, the most terrifying words in the English language are “I’m from the government and I’m here to help”.