The spy clause and the end of anonymity

By Samuel Woodhams | Digital rights researcher and journalist

The long, turbulent history of UK’s Online Safety Bill can be traced back to 2017, with the publication of the Internet Safety Strategy green paper. Since then, the proposed legislation has gone through endless revisions, been delayed and, at times, looked like it might be dropped entirely.

Now the bill, which aims to protect people online, is finally nearing completion. Last week, it was transferred to the House of Lords for the final round of revisions and, with cross-party support, it looks more likely than ever to pass into law.

Despite all the time and effort politicians have spent working on the bill, major questions about its potential impact on privacy remain.

The end of private messaging?

One of the most controversial aspects of the legislation is the so-called spy clause. It means online platforms must actively monitor for child sexual abuse material (CSAM).

As per a recently updated government document, the legislation will enable Ofcom, the communications watchdog, “to require a platform to use highly accurate technology to scan public and private channels for child sexual abuse material” while ensuring legal content isn’t affected.

Although well-intentioned, in practice it’s impossible to monitor private, encrypted communications without impacting everyone. That’s because end-to-end encryption (E2EE) used by the likes of WhatsApp, iMessage and Signal only allows the sender and recipient to view the contents of messages. To comply with the legislation, companies will either have to deploy client-side scanning software or create back-doors that undermine encryption for everyone.

Both options risk being abused, increase the risk of bad actors gaining access to people’s conversations, and may even breach the European Convention on Human Rights. As digital rights groups have previously warned, “Far from protecting children, such a requirement would… introduce vulnerabilities into their platforms that jeopardise not only device security but place the rights of all users, including children, at grave risk.”

An encryption message is seen on the WhatsApp application on an iPhone in Manchester, Britain March 27, 2017

An encryption message is seen on the WhatsApp application on an iPhone in Manchester , Britain March 27, 2017. REUTERS/Phil Noble

Encrypted messaging apps may even decide to leave the country rather than comply with the law, as the head of WhatsApp recently indicated. With over 40 million users in the UK, WhatsApp has become a vital tool for almost everyone, including politicians.

It’s no understatement to say that if these provisions remain, the bill could effectively end private messaging in the UK, and encourage other governments to do the same.

No more online anonymity?

The proposed legislation will also “force social media companies to stop anonymous users spreading hate.” The issue came under the spotlight after several England football players were subjected to a barrage of racist abuse online during the European Football Championship in 2020.

It’s clear platforms need to do more to check racist abuse. But removing the ability to be anonymous online could have major implications for the entire web. As former United Nations Special Rapporteur on Freedom of Expression, David Kaye, argued back in 2015: “encryption and anonymity enable individuals to exercise their rights to freedom of opinion and expression in the digital age and, as such, deserve strong protection.”

Anonymity isn’t always the problem, either. According to Twitter, 99% of accounts that posted racist messages during the Euros weren’t anonymous. As with other elements of the bill, it seems the government is focusing on digital problems at the expense of solving real-world causes.

Expanding age verification

As part of the government’s plans to keep minors safe online, the bill also proposes stronger age verification for companies “whose sites pose the highest risk of harm to children.” But checking people’s age online is fraught with difficulties: it increases the risk of data breaches and inadvertently creates dangerous loopholes.

If age verification is introduced on all porn websites as the government intends, there will be a huge increase in demand for circumvention technology like VPN apps. Using a VPN would allow anyone to bypass the legislation by connecting to a website via a server located outside the UK.

To counter this obvious technical shortcoming, the Labour Party recently called for a report on VPN use to make sure they’re not being used by people to get around elements of the bill. But even if the government decided to tackle this problem, preventing people from using VPNs – which are a vital security tool for businesses and citizens alike – is a tough challenge. Just ask Russia, China or Iran.

A girl during online school while her parents work from home and take care of a toddler amid surging COVID-19 cases caused by the coronavirus Omicron variant, in Hamilton, Ontario, Canada January 7, 2022. REUTERS/Carlos Osorio

A girl during online school while her parents work from home and take care of a toddler amid surging COVID-19 cases caused by the coronavirus Omicron variant, in Hamilton, Ontario, Canada January 7, 2022. REUTERS/Carlos Osorio

What’s next?

The Online Safety Bill’s long and arduous journey to becoming law may soon be complete. And with it, privacy online in the UK may be radically undermined. It could also encourage democratic and undemocratic countries alike to adopt increasingly repressive internet laws.

But all’s not lost just yet. In the coming weeks, members of the House of Lords will debate the legislation. One hopes they’re more privacy-conscious and digitally literate than their colleagues in the House of Commons.

Any views expressed in this newsletter are those of the author and not of Context or the Thomson Reuters Foundation.

We’re always happy to hear your suggestions about what to cover in this newsletter – drop us a line: [email protected]

Recommended Reading

Index on Censorship, New legal opinion on the Online Safety Bill, Nov. 29, 2022.

At the end of last year, the Index on Censorship commissioned lawyer Mathew Ryder to publish a legal opinion on the Online Safety Bill. He found that it would likely be unlawful under European and domestic human rights frameworks.

Open Rights Group, Who’s checking in on your chats in private online spaces?, Nov. 30, 2022.

This policy brief shows how the Online Safety Bill will increase surveillance, describes the various approaches that the government could adopt, and outlines the risks of undermining encryption and implementing client-side scanning.

Center for European Policy Analysis, UK threatens blowtorching internet platforms – including Wikipedia, Dec. 16, 2022

This piece by Rebecca Mackinnon and Phil Bradley-Schmieg points to threats the bill poses to non-commercial, public interest platforms such as Wikipedia, as the bill does not distinguish between community-governed content moderation models and advertising-driven business models of commercial platforms.