Safety Should Not Cost People Their Privacy

Region: Europe
Threat type: Blocking Security Technologies
Last updated: 1 December 2023

The UK has institutionalized a pervasive model of government surveillance in the name of online safety.

The UK Online Safety Act is a law that requires platforms to scan content for material that’s deemed harmful or exploitative. It also requires them to take action against it. The lawmakers behind the bill say that their aim is to make the UK the safest place in the world to be online, and the best place to run a digital business. They argue that this act will address a wide range of harms that stand in the way of that, including child sexual abuse material, violence against women and girls, underage access to pornography, and misinformation.

Companies that offer user-to-user communication, user-generated content, recommendation algorithms, search functions, or services that might be accessed by children would be held liable for content on their platforms.

The Act does not specifically mention encryption in relation to content sent between individual users, but the demands in it would undermine this by default. The providers have to guarantee that, even if the communications are encrypted, either they or law enforcement will be able to get access to them. It also demands that providers are able to reliably verify or estimate a user’s age. The law requires that they use ‘accredited technologies’ to do so, which the UK government itself has acknowledged do not exist.

The Act also applies to any service that can be accessed by UK users, no matter where the company providing it is based, even if it’s outside the UK. This means that the Online Safety Act is likely to have an extra-territorial effect, which leaves companies having to choose between offering services in the UK and providing end-to-end encryption.

If companies that offer encryption are forced to cut off UK users, then this would not only cut UK users off from truly encrypted services, it would also cut them off from people who use those services outside the country. If these services choose to stay in the UK and comply with the law, people who communicate with those in the UK would also lose their confidentiality.

This makes the UK a less safe place to run a digital business. The Online Safety Act undermines confidence and trust in services developed in the UK, because anyone implementing those services will have to assume those products are complying with it, and all that goes with it. The overall prospect is that the UK would become an untrustworthy endpoint in any digital communication, both inside the country and across borders.

Status

The Online Safety Act became law in October 2023. It’s now up to OFCOM, the UK regulator, to put it into practice. They are required to deliver sector-specific guidelines and codes of conduct, and to do more work on the status of ‘accredited technologies’. OFCOM’s plan is to open four consultation periods over an 18-month period. As of November 2023, they had opened the first of these with 1700 pages of initial draft guidance.

As the Act is put into force, we anticipate that it could be subject to legal challenges. It could be challenged on grounds that it interferes with privacy and freedom of expression, and on grounds of disproportionality, and is therefore incompatible with the government’s obligations around fundamental rights.

Our Position

The Internet Society has consistently opposed the damaging aspects of the then Online Safety Bill, as we believe it fails the tests of necessity and proportionality. Its requirement to either undermine or circumvent encryption makes the Internet less secure for everyone, but is unlikely to deliver the intended protection for children and other at-risk individuals.

We have identified multiple negative impacts on the open, global, and secure Internet. These include constraints on ease of access and permissionless use of endpoint technologies; reduction in reachability, if UK endpoints must be considered untrustworthy; impact on data confidentiality; and an increase in the attack surface available to malicious third parties and hostile governments, with corresponding impact on resilience and cybersecurity.

Talking Points

  • The Online Safety Act compromises the security of all UK users. This includes the children it claims to protect. Even senior national security professionals from UK agencies have said that the benefits of confidential communication far outweigh the risks of harm, but the government has ignored their advice.
  • Not only does the Online Safety Act affect people in the UK, it would also undermine the security and confidentiality of anyone who communicates with people in the UK. This means it has an extra-territorial effect, imposing the laws of the UK onto people outside of its borders.
  • Companies offering end-to-end encrypted services have maintained that they will not be compromising on the security of their platforms, and would rather quit the UK market if they are compelled to undermine end-to-end encryption. People in the UK would have access to less secure online services. These less secure services are more vulnerable to cyber attacks, hackers, and bad actors who aim to harm children and vulnerable people—the same ones this law claims to deter.
  • Rather than make the UK the best place in the world to do business, the Online Safety Act would undermine global trust in UK businesses, since anyone using products and services made there would have to assume that they comply with this law. This means that people who value privacy or need encrypted services might be less likely to do business with a UK company.