The Online Safety Bill is due to become law in a matter of weeks and – despite what you may have read about government U-turns – it remains a big threat to the everyday tech lives of Londoners and businesses in the capital.
The bill passed its third and final reading in the Lords yesterday, and now waits to be rubber-stamped by MPs this autumn. Yet, despite strong opposition, measures to force messaging companies such as WhatsApp and Signal to effectively break encryption remain in the legislation, potentially forcing them to carry out threats to leave the UK. Unproven age verification technology could prevent Londoners from accessing websites. And sweeping legislation designed to prevent children seeing “illegal” content could lead to broad-brush censorship.
One of the most controversial aspects of the Online Safety Bill is the requirement for messaging companies to scan people’s messages for child-abuse images. On the face of it, it seems a perfectly reasonable request. But as the tech companies have forcefully pointed out in recent months, there’s currently no way for them to scan for such images without compromising everyone’s privacy. If you create a “backdoor” that lets you scan for child abuse images, that same backdoor could be used by authoritarian governments to search for other types of content too.
Apple, which outlined plans to scan for child-abuse images on its iCloud service last year, was forced to admit even it couldn’t make the technology work without creating more huge security holes. “Scanning for one type of content, for instance, opens the door for bulk surveillance and could create a desire to search other encrypted messaging systems across content types,” Erik Neuenschwander, Apple’s director of user privacy and child safety, wrote last week.
WhatsApp, Signal and other companies had threatened to leave the UK if such legislation were introduced. And then at the eleventh hour yesterday, the government appeared to back down, confirming in the House of Lords that it would only require messaging firms to scan for child abuse images when it became “technically feasible”.
Crucially, however, that phrase didn’t make it into the amended legislation, leading many privacy advocates and industry bodies to worry that the can has simply been kicked down the road. “What they’re saying is Ofcom [the regulator] will deal with it in implementation guidance – softer laws that can be changed,” said Adam Leon Smith of BCS, the chartered institute for IT, which represents IT professionals. “We’d like to see the law itself updated.”
Should this or future governments decide to implement the legislation as it stands, we could well see messaging firms carry out their threat to leave the UK. Don’t be fooled into thinking those are idle threats, either. Companies such as WhatsApp have walked away from much bigger markets, such as China, because they’re not prepared to compromise on their principles.
Unreliable age verification
Age verification is another thorny issue that has been left unresolved in the Online Safety Bill. The bill puts the onus on website owners that carry content that “may be harmful to children” to check the age of visitors using an “age verification or age estimation” system.
Experts say these unproven systems can’t be relied upon and will lead to children getting access to sites they shouldn’t and to adults being wrongly blocked. “We think the reliance on age verification technology is excessive,” said Smith. “Australia’s just pulled out of a similar act, saying that that kind of technology isn’t workable enough to be put in place.”
“We think that there will be lots of 13-year-olds who will pass the age verification when they shouldn’t,” he added. “And there’ll be 22-year-olds who will fail the age verification when they shouldn’t. We don’t think it’s accurate enough to be relied on.”
Even if the technology can be made to work reliably – an enormous if – it won’t prevent children accessing adult websites. Many pornography sites are hosted from countries such as China and Russia, for example, well beyond the reach of UK regulators.
Age verification could create huge workloads and costs for legitimate UK businesses, while leaving foreign sites hosting the really dangerous content untouched. Even huge, well-funded sites such as Wikipedia have threatened to leave the UK because of the bureaucracy associated with age verification. What hope do smaller sites have?
Then there are fears about the broad scope of the legislation and sweeping definitions of what companies such as Facebook are expected to remove. For example, the bill puts an onus on social media firms to “swiftly” take down “any illegal content”. But what is considered illegal remains poorly defined.
Campaingers such as the Open Rights Group fear that this will lead to over-zealous censorship by the big social media firms, which will be keen to show they are obeying the new laws. “They will be judged not on fairness or upholding rule of law, but on how much illegal content they have taken down,” said Dr Monica Horten, the Open Rights Group’s policy manager, in a blog. “It is therefore within the realm of possibility that photographs and videos of people holding up a placard, if identified as an offence under Section 5 of the Public Order Act 1986, could be removed before it has even been uploaded.”
With politicians from both sides of the House arguing that social media executives should face jail if they fail to clean up their services, why would they stick their neck out to protect free speech? It is a very slippery slope.
Can they make it work?
If there’s any cause for optimism that some of the more draconian measures in the Online Safety Bill won’t be implemented, it’s that so much responsibility is being placed at the feet of regulator Ofcom.
Ofcom isn’t exactly famed for its speed and nimbleness as it is. Now faced with a huge list of new responsibilities, including monitoring social media companies, overseeing age verification systems and interpreting what is harmful content, it is entirely possible the regulator will simply be overwhelmed by the new workload.
Even if the Online Safety Bill is passed this autumn, it is likely to be years before much of the legislation takes effect because of the sheer time involved in implementing more than 300 pages of new laws. By which time technology will, of course, have moved on.