Is the newly passed UK Online Safety Bill a security disaster waiting to happen?

The UK’s controversial Online Safety Bill has passed the final hurdle to becoming law, following a vote by peers in the House of Lords on 19 September. Why is a law that aims to make the internet a safer place to be, especially for children, controversial? In particular, why do some people think the UK’s Online Safety Bill is a security disaster?

The devil is in the detail: the encryption backdoor detail.

The Online Safety Bill won’t actually become law until it has received Royal Assent, but the Technology Secretary, Michelle Donelan, is already calling it a “game-changing piece of legislation”.

In a press release announcing the vote, Donelan said: “Our common-sense approach will deliver a better future for British people, by making sure that what is illegal offline is illegal online. It puts protecting children first, enabling us to catch keyboard criminals and crack down on the heinous crimes they seek to commit.”

Let’s take social media platforms, for example. These will have to remove illegal content “quickly” or prevent it from being available to begin with. They must also prevent children from accessing “age-inappropriate content” and employ age-checking measures.

Great news for child safety?

Julie Dawson, Chief Policy and Regulatory Officer at digital identity provider Yoti, reckons that the passing of the bill marks the start of a new chapter in online safety.

“With effective age assurance online, platforms can create safer, age-appropriate experiences,” Dawson said. “With a third of online users under the age of 18, this is clearly a vital safeguard. The Online Safety Bill is not about excluding children from the internet; it’s about giving them an experience appropriate for their age.”

Sir Peter Wanless, Chief Executive of the National Society for the Prevention of Cruelty to Children (NSPCC), called it “a momentous day for children and will finally result in the ground-breaking protections they should expect online”.

As a father of eight, and grandfather to seven, the safety of children online will always be at the forefront of my concern. However, whether the methods that are about to become law are even possible, let alone will prove to make the kind of difference that Donelan speaks of, is open to much debate.

It’s an important debate not only due to the size of the fines: non-compliant social media platforms could face fines of 10% of global revenue, or as much as £18 million, whichever is bigger. It’s also important because the Online Safety Bill gives the telecoms regulator, Ofcom, the ability to require tech platforms to scan all users for any child abuse content. And that scan can include end-to-end encrypted files and messages.

UK Online Safety Bill a security disaster?

The Electronic Frontier Foundation (EFF) is concerned. “As enacted, the OSB allows the government to force companies to build technology that can scan regardless of encryption–in other words, build a backdoor,” reads a statement.

Furthermore, it added, such a scanning system, were it possible, “can and will be exploited by bad actors”. And: “it will also produce false positives, leading to false accusations of child abuse that will have to be resolved”.

Even the Conservative Parliamentary Under-Secretary of State, Department for Culture, Media and Sport, Lord Parkinson of Whitley Bay, has stated that these scanning orders “can be issued only where technically feasible”.

A spokesperson for the Element end-to-end encrypted messaging platform said that its own research has shown that 83% of the UK public it asked wanted to keep encrypted messaging. Element itself is mostly used by governments and military around the world, including the UK Ministry of Defence. “If Element was forced to break its encryption due to the Online Safety Bill,” the spokesperson said, “it would be disastrous for the national security of many nations, let alone the privacy of citizens.”

Jake Moore, the global Cybersecurity Expert at ESET, and a former digital crime investigator for Dorset Police in the UK, argues that the bill is “packed full of good intentions” but “some of the new rules will be very difficult to implement and potentially impossible”.

While some aspects of the bill should be easy enough to implement, those making cyber flashing and the sharing of deepfake pornography illegal, for example, others will not.

“The request to locate a backdoor through encrypted messages causes a constant security headache,” Moore concludes, “and this is likely to push users, including criminals, to other more underground messaging platforms.”

Unexpected consequences

So, those are the arguments on both sides. All we can do now is wait to see what happens next.

There will be inevitable unexpected consequences. For example, Barry Collins argues that few will trust the UK to regulate AI due to what they see as invasive measures in the Online Safety Bill.

Others believe that some social media platforms will bypass the UK altogether. While that seems unlikely for the big, established names, it wouldn’t be a shock if that was true for startups afraid of a huge bill as a result of a huge Bill.

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.