Apple warns that UK’s Online Safety Bill puts people at ‘greater risk’

Apple has raised its voice against a UK law that will dramatically undermine secure commerce and trust online, warning it could put UK citizens at risk.

And Apple is not alone. More than 80 civil society organizations, academics, and experts from 23 nations have warned against the UK government’s decision, which would turn the UK into the first democracy to require routine surveillance of people’s private chats.

The current UK government’s Online Safety Bill includes the power to force encrypted messaging tools such as WhatsApp, Signal, and iMessage to scan messages.

Normalizing surveillance in the UK

The pretext given is that this is to watch for child sexual abuse material (CSAM), but the impact of the approach described is to dramatically weaken the end-to-end encryption that’s foundational to the internet, from banking to healthcare and beyond.

Organizations point to the chilling impact the law will have on investigative journalists researching powerful entities, including work monitoring Russia’s atrocities in Ukraine. They warn this privacy is vital to journalists, lawyers, doctors, human rights defenders, and activists.

‘Could put UK citizens at greater risk’

In a statement, Apple said:

“End-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists, and diplomats. It also helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches.

“The Online Safety Bill poses a serious threat to this protection and could put UK citizens at greater risk. Apple urges the government to amend the bill to protect strong end-to-end encryption for the benefit of all.”

Bad people use back doors, too

While the UK government claims it’s possible to surveil people while maintaining privacy, experts know this is not so. Even Apple, which attempted to introduce its own CSAM scanning tech in iMessage, found that a technical solution that enables surveillance while also guaranteeing privacy does not exist.

It subsequently rolled back its plan.

Experience shows that once any kind of system-level back door is put in place, tools to exploit it will also appear.

Attempts to exploit security vulnerabilities have become a multi-billion dollar business involving nations states. With the prevailing international security environment rendered more dangerous by the likes of high-level “surveillance as a service’” firms such as NSO Group, the proposed law will weaken the UK’s digital infrastructure at the worst possible time.

There’s little doubt that if such technologies are normalized, they will be abused by repressive or authoritarian governments everywhere.

Far from making people safer, that will make the global internet less secure.

When the tech doesn’t work, it makes things worse

“It is not possible to scan in a way that only gets the ‘bad guys’ and leaves everyone else untouched. This law would adversely affect not only the 40 million users in the UK, but the two billion people around the world who rely on secure messaging services,” experts from the Open Rights Group (ORG) warn in an open letter.

The UK government incorrectly argues that client-side scanning will not compromise privacy, but the weight of evidence refutes that claim.

“The idea that you can do surveillance while respecting privacy is just magical thinking,” said Ross Anderson, professor of security engineering at Cambridge University and Edinburgh University.

UK gov – now with magical thinking

Anderson points out that not one of five prototypes of the proposed surveillance tech created by the UK Home Office came close to meeting “reasonable requirements for efficacy and privacy.”

“This revives the magical thinking of the Blair government during the first Crypto War, in the late 1990s and early 2000s, which limited the strength of commercial cryptography,” he said. “That has had devastating effects on security, leading to buildings that are easy to burgle, cars that are easy to steal, and government communications that are easy for our enemies to intercept.”

The truth, rather than the fantasy narrative peddled by a fading UK government, is that it is not possible to have privacy for law-abiding citizens and none for criminals. Either everyone has privacy, or no one does.

Damage by design

Privacy, as well as being a human right, is also fundamental across almost every aspect of digital commerce. The proposed law will cause great damage to the UK’s position in the digital economy. “Companies that respect the privacy of people using their services will be forced to leave the UK, moving away capital, resources and services,” warns ORG.

Signal and WhatsApp say they will quit the UK if these proposals are put in place.

In April, WhatsApp, Signal and Element and others, warned the proposal, “poses an unprecedented threat to the privacy, safety and security of every UK citizen and the people with whom they communicate around the world, while emboldening hostile governments who may seek to draft copy-cat laws”.

As it stands, the UK proposals seem designed to make the entire global online economy less secure while imposing yet more damage on the faltering UK economy. In fact, the dangers are so visible that I’d argue the damage they cause is intentional.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.