UK Demands Messaging Apps Disable Encryption for Children

A Potential Digital Dystopia: UK Government Guidance on Encryption

Recent guidance released by the Department of Digital, Media, Culture and Sport (DCMS) offers a concerning preview of the UK government’s vision for a heavily regulated ‘British Internet’. The guidance, directed at social media platforms and private messaging services, suggests that the latter should “prevent” the utilization of end-to-end encryption on accounts belonging to children.

The Proposal and Underlying Legislation

Essentially, the UK government is indicating a preference for the removal of end-to-end encryption for young users. While currently only guidance, this stance is particularly chilling given that relevant legislation is already under consideration.

The UK’s Online Safety Bill, published in May, outlines a broad plan to compel platforms to regulate user-generated content. This involves imposing a legal obligation to protect users from both illegal and potentially “harmful” content.

A Broad and Controversial Bill

The bill controversially combines the requirement to report illegal content, such as child sexual exploitation material, with less clearly defined mandates to address a spectrum of ‘harms’ – encompassing issues like cyberbullying and romance scams.

Critics argue that the bill represents an overreach, potentially jeopardizing the digital security and privacy of UK Internet users. This is especially true for UK startups and digital businesses that may struggle to comply with the proposed mass-surveillance approach.

Safety Versus Surveillance

The core concern is that the government’s approach equates ‘safety’ with the replacement of security by comprehensive surveillance, all in the name of protecting children. This raises significant questions about the future of online freedom and data protection.

A previous attempt to mandate age verification for adult content providers was abandoned in 2019 due to widespread criticism regarding its practicality, privacy implications, and security risks.

The Rise of Age Verification and Content Monitoring

However, the government subsequently stated its intention to pursue a “more comprehensive approach” to child protection, leading to the current Online Safety Bill and its push for the removal of robust encryption.

Consequently, age verification technologies and various content monitoring solutions – likely surveillance technologies marketed as ‘safety’ tools – are expected to become more prevalent.

Implications for Freedom of Expression

Requiring platforms to proactively police speech and monitor usage to prevent a vaguely defined range of ‘harms’ creates a concerning scenario for online freedom of expression.

This could lead to a situation where users are cautioned to carefully consider their online communications, even within private messaging apps, due to the potential for monitoring or blocking by UK ‘Internet safety thought police’.

Privacy Concerns for Minors

The privacy rights of UK minors appear to be the first casualty, as highlighted in DCMS guidance regarding “practical steps to manage the risk of online harm” on platforms that facilitate interaction and content sharing.

The government’s desire to brand the UK as ‘the safest place to go online’ seems to clash with the idea of providing children with safe spaces for self-expression.

A Questionable Trade-off

The question remains: how can the UK achieve online safety if the government compels service providers to dismantle robust security measures – thereby compromising data protection and privacy for all British citizens?

This is a question the UK government does not appear to have adequately addressed.

Expert Concerns and Historical Context

Heather Burns, a policy manager at the digital rights organization Open Rights Group (ORG), stated that the government has long sought to restrict or even criminalize the use of end-to-end encryption. She also noted the deliberate association of encryption with child abuse in recent government and media messaging.

Burns believes the DCMS guidance is a precursor to a legal requirement to remove encryption from children’s accounts, driven by lobbying from the age verification industry.

A Pattern of Wonky Tech Policies

This isn’t the first instance of questionable tech policy from the UK. Previous governments have also expressed concerns about end-to-end encryption, initially citing counter-terrorism concerns.

More recently, under Theresa May and Boris Johnson, child protection rhetoric has intensified, leading to active encouragement for messaging channels to abandon end-to-end encryption altogether.

The Path to Mass Surveillance

The potential outcome is state-sanctioned commercial mass surveillance, posing significant risks to all UK Internet users under this anti-security, anti-privacy ‘safety’ regime.

Burns warned that restricting or criminalizing encryption would make the UK an unsafe place for businesses, potentially leading to reliance on VPNs and foreign services, similar to the situation in China.

DCMS Guidance and the Definition of Risk

The DCMS guidance explicitly suggests that “private channels” should “prevent end-to-end encryption for child accounts”. Given the challenges of accurately age-identifying online users, services may opt to disable end-to-end encryption entirely to mitigate legal risks.

The guidance further emphasizes that end-to-end encryption itself is a “risk” to users, and therefore, potentially to compliance with the forthcoming Online Safety legislation.

The Future of the Bill

Whether this policy trajectory can be halted remains uncertain. Johnson’s substantial parliamentary majority and the timeline before the next general election present significant obstacles.

The only potential for derailment lies in increased public awareness of the dangers posed to security and privacy, and subsequent pressure on MPs to propose amendments.

Calls for Action

The ORG, along with 30 other digital and human rights groups, has urged MPs to protect end-to-end encryption from legislative threats, warning that this “basic and essential” security protocol is at risk from clauses requiring companies to scan private messages for criminal activity.

They fear that end-to-end encryption could be legally defined as a violation, potentially leading to partial shutdowns, blocking from the UK, or even personal arrests for companies defending user privacy.

Government Response

DCMS has been contacted for comment on the logic behind its policy toward end-to-end encryption.

Digital minister Caroline Dinenage stated that the government is assisting businesses in meeting safety standards before the new online harms laws are introduced, and ensuring the protection of children and users.

She emphasized the desire for businesses to adopt a “gold standard of safety online” and stated that the guidance will help them achieve this.

Clarification from a Government Spokesperson

A government spokesperson clarified that the guidance is voluntary and intended to help SMEs and startups enhance platform safety. They reiterated that it recommends considering the risks posed by end-to-end encryption, particularly to children.

The spokesperson affirmed that the government believes it is possible to implement end-to-end encryption in a manner consistent with public safety, and that companies using it should have appropriate safeguards in place to protect children.

DCMS also stated its support for strong encryption and denied any contradiction between its stance on public safety and its ambition to grow the UK’s tech ecosystem, emphasizing the importance of user confidence in the safety and security of digital technologies for national growth.