Undermining encryption —

Apple criticizes UK bill that could require scanning of encrypted messages

UK gov't defends bill: Tech firms must "prevent abhorrent child sexual abuse."


Apple has joined the growing number of organizations opposed to the UK's pending Online Safety Bill, saying the proposed law threatens the end-to-end encryption that protects private messages.

"End-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists, and diplomats," Apple said in a statement reported by the BBC yesterday. "It also helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches. The Online Safety Bill poses a serious threat to this protection, and could put UK citizens at greater risk. Apple urges the government to amend the bill to protect strong end-to-end encryption for the benefit of all."

The BBC quoted a government spokesperson as saying that "companies should only implement end-to-end encryption if they can simultaneously prevent abhorrent child sexual abuse on their platforms."

Though the bill isn't yet finalized, UK regulator Ofcom provided an update this month on how it is preparing for its expanded regulatory role, saying the bill is in "the final stages of the parliamentary process." The bill, which includes criminal penalties like imprisonment, was approved by the House of Commons in January and is nearing approval in the House of Lords.

The bill is expected to be changed, but it's not clear whether the changes will eliminate concerns about mandated scanning of encrypted messages. The BBC article on Apple's opposition to the bill said there is "a growing expectation... that changes may be made to part of the bill which critics say could be used to mandate scanning. These could be included in a package of amendments to be revealed in the coming days. But it is not clear what the detail of those changes might be, or if they will satisfy the concerns of campaigners."

Signal and WhatsApp oppose weakening security

Signal said it will stop providing services in the UK if it's forced to weaken the privacy of its encrypted messaging system. The Meta-owned WhatsApp also told the BBC last year that it would refuse to lower the security of its messaging service.

We contacted Apple about its stance on the UK bill today and will update this article if we get any further information.

Apple faced backlash from privacy advocates and security experts in 2021 when it announced a plan to scan iPhones for child sexual abuse images. Apple initially defended the plan but later abandoned it.

According to the privacy-focused Open Rights Group, the proposed law could make the UK "the first liberal democracy to require the routine scanning of people's private chat messages." However, the group said the bill could be improved with a small change.

"Removing the word 'privately' from the draft legislation could preserve the security and privacy of billions of messaging app users," the Open Rights Group said, referring to a requirement to identify illegal content in private messages.

Finding child-abuse content in private messages

The UK's proposed law focuses heavily on terrorism content and child sexual abuse content. The bill text says that Ofcom may issue notices to service providers requiring them to "use accredited technology to identify CSEA [child sexual exploitation and abuse] content, whether communicated publicly or privately by means of the service, and to swiftly take down that content."

Ofcom would be authorized to issue "information notices" requiring recipients to provide Ofcom with "any information that they require for the purpose of exercising, or deciding whether to exercise, any of their online safety functions."

A person or technology provider that receives a notice requiring information "commits an offence if, in response to an information notice, the person provides information which is encrypted such that it is not possible for Ofcom to understand it, or produces a document which is encrypted such that it is not possible for Ofcom to understand the information it contains," the bill says.

The Open Rights Group organized an open letter signed this week by "over 80 national and international civil society organizations, academics, and cyberexperts." It says the bill would require client-side scanning software that "intercepts chat messages before they are encrypted, and as the user is uploading their images or text."

The required "scanning software would have to be pre-installed on people's phones, without their permission or full awareness of the severe privacy and security implications," the letter said. "The underlying databases can be corrupted by hostile actors, meaning that individual phones would become vulnerable to attack." The letter further said the bill "would infringe the rights to privacy to the same extent for the Internet's majority of legitimate law-abiding users as it would for potential criminals."
