Further criticism of the UK’s proposed Online Safety Bill (OSB) has come from the country’s 70,000 member Chartered Institute for IT, known as BCS, and from privacy campaigners particularly concerned about the implications of the age-verification measures in the bill.
BCS said it is not possible to implement the proposals without creating systemic security risks and damaging the UK’s reputation for data security. In a new report, The Online Safety Bill and the role of technology in child protection, 70% of BCS members said they were not confident that measures to check encrypted messages for criminal content could be implemented without compromising secure encryption.
The chair of the BCS Fellows Technical Advisory Group, Adam Leon Smith, told Computer Weekly: “The government is trying to legislate technology into existence. Rather than looking at broader approaches such as education, training and public awareness, it is looking for technology to solve the problems.”
Ofcom regulatory powers
Under powers proposed by the Bill, communications regulator Ofcom would have the power to compel communications services to install “accredited technology” to inspect the contents of messages. For child abuse or terrorism content, those powers would not require authorization from a court or independent commissioner, effectively bypassing safeguards contained in the Investigatory Powers Act 2016.
The criticism adds to the chorus of concern over the Bill, which is currently undergoing its third reading in the UK’s second chamber. In July, legal opinion from Matrix Chambers said some clauses unlawfully interfered with freedom of expression and amounted to prior restraint. In the same month, a letter from 68 security and privacy academics voiced concerns over implications for online safety.
Messaging services have also raised objections, with some threatening to pull out of the UK if the Bill passes into law. And last year a coalition of rights groups and thinktanks wrote to Prime Minister Rishi Sunak warning of the threat to business and personal security.
“My fear for individuals is they will be forced to use technologies which do not protect privacy but claim that they do. My fear for businesses in the UK is they will become second-class citizens compared to their trading partners in terms of data adequacy,” said BCS’s Smith.
Age-verification
Measures to ensure minors cannot access content deemed harmful by the UK Parliament have come in for strong criticism by rights groups the Electronic Frontier Foundation (EFF) and the Open Rights Group. A post carried on both organization’s websites says the bill will “mandate dangerous age verification for much of the Web”.
It says: “To prevent minors from accessing ‘harmful’ content, sites will have to verify the age of visitors, either by asking for government-issued documents or using biometric data, such as face scans, to estimate their age.”
“This will result in an enormous shift in the availability of information online, and pose a serious threat to the privacy of UK internet users. It will make it much more difficult for all users to access content privately and anonymously, and it will make many of the most popular websites and platforms liable if they do not block, or heavily filter, content for anyone who does not verify their age.”
Dangers to encryption
Both organizations have already expressed concerns about the dangers the Bill poses to encryption. And they point to the real challenges companies will face in complying with age verification.
With details of implementation left to Ofcom to determine, there’s a lack of clarity about what measures providers should be taking, and what will constitute harmful material, leaving too much room for misinterpretation. The Bill talks about “preventing” children from accessing harmful material, but also “protecting” them from it, with no explanation of the distinction.
Research globally into the effectiveness of age verification has shown that every method has significant flaws. “Providers will have a Hobson’s Choice between age-gating at the site level and blocking children, ensuring they stay on the outside, or sanitise their entire site to child level,” says the EEF.
Risk assessments
All risk assessments and plans for complying with the Bill must be done within six months of the Bill obtaining Royal Assent.
In response to criticism, the government has denied the Bill will give it or any of its agencies the power to monitor private messages, and has said “we are unambiguously pro-innovation and pro-privacy”. But its refusal to take on board the concerns of industry, let alone privacy campaigners, is in marked contrast to the stance it is signalling on regulating BNPL providers.