Can the Government Have Its Cake and Eat It? UK Online Safety Bill Is Live.
Kindus has discussed the progress of the UK Online Safety Bill before, in March 2023 and September 2022. The law is designed to protect vulnerable users, not just children, from exploitation online or exposure to harmful content. On 19th September 2023 the Bill finally became law, but without conclusively resolving the conflict between privacy and protection. A late change was an amendment to remove animal cruelty activity from social media platforms. The debate between protecting vulnerable users and end-to-end encryption still stands unresolved.
Official UK guidance that just happens to coincide with publication of the bill stresses a noble stance in favour of child safety online. Facebook and Instagram are noted as accounting for 85% of global referrals of child sexual abuse from tech companies. Under the new law, social media platforms are now expected to:
- Remove illegal content quickly or prevent it from appearing in the first place, including content promoting self-harm.
- Prevent children from accessing harmful and age-inappropriate content.
- Enforce age limits and age-checking measures.
- Ensure the risks and dangers posed to children on the largest social media platforms are more transparent, to include publishing risk assessments.
- Provide parents and children with clear and accessible ways to report problems online when they do arise.
Ofcom could impose fines of up to £18 million or 10% of global annual revenue (whichever is the greater) for non-compliance.
The UK government has specifically noted the existing methods used by Meta to provide safety online. These include AI detection of incidents, age verification, privacy and blocking features. The new legal responsibilities apply irrespective of the technologies in use; this includes services using end-to-end encryption (E2EE). Meta still plans to roll out E2EE on its Messenger service before the end of 2023. Other providers, including Signal, are already using this technology.
The official UK stance is that technologies do exist to track data within E2EE, citing a study by Levy and Robinson. One example is client-side scanning of content before it is encrypted. This technology had been proposed by Apple but was quietly dropped in 2021.
Ciaran Martin, former head of the UK’s National Cyber Security Centre, published a paper in 2021 arguing that a compromise within E2EE was not possible. The problem was labelled as ‘cakeism’ (having your cake and eating it). How could E2EE provide strong security yet still allow that security to be broken when strictly necessary?
It appears that the UK has a law which, although noble and improving protection for the vulnerable online, will not be able to be applied in all cases. The official word is that the government ‘where appropriate encourages firms to use their vast engineering and technical resources to develop solutions that work for their own platforms.’ It is usual for legislation to avoid any technical prescription of how it might be implemented. This allows some flexibility in implementation and prevents the law being overtaken by changes in technology. At present the required technologies do not appear to exist, but on a positive note, waiting for an ideal solution has not postponed an important development in protecting individuals online.