Here is my counterintuitive take on the UK online safety bill: although it’s a disaster for UK citizens, it may be good news for (non-UK) privacy advocates and those who want to see end-to-end encryption survive.
Here’s my justification for this: for years, the US, UK (plus sometimes Australia and India) have been threatening tech firms with all manner of legislation if they don’t *voluntarily* weaken their encryption features: most recently by adding content scanning.
Probably the best externally-visible example of that pressure campaign is this 2019 open letter to Facebook signed by US AG William Barr and UK Home Secretary Priti Patel. Along with some dude from Australia whose name I’ve already forgotten. https://www.justice.gov/opa/press-release/file/1207081/download
These campaigns don’t explicitly threaten consequences, but with all pressure campaigns there are always (implicitly) consequences if tech firms don’t comply voluntarily. The biggest consequence is the threat of weird, ambiguous and badly-written legislation.
The problem, of course, is that in the US we have a First Amendment; our Congress is dysfunctional at even passing basic laws to keep the country operating: also Americans don’t love weird speech laws. Some legislation was proposed, but it died. https://www.judiciary.senate.gov/press/rep/releases/graham-cotton-blackburn-introduce-balanced-solution-to-bolster-national-security-end-use-of-warrant-proof-encryption-that-shields-criminal-activity

Nobody gives a crap about Australia. I mean this in the kindest way.

So with US legislation off the table, fundamentally the big legislative threats here come from the UK, the EU and maybe India.

And these threats very nearly worked. In 2021 Apple voluntarily introduced a client-side content scanning system that would have worked on photo backup. People wrote articles like this.
No, Apple’s photo backup wasn’t end-to-end encrypted at the time. (It is now, if you turn on ADP.) Their proposal was limited to the US. But these were details. Apple’s system would have been the first domino in terms of voluntary client-side scanning. It nearly happened.

What’s important to note here is that *Apple’s system did not get rolled out.* It very publicly failed. Apple eventually delayed and then canceled the proposal entirely.

And they even rolled out end-to-end encryption for iCloud. https://www.wired.com/story/apple-photo-scanning-csam-communication-safety-messages/

My view is that this is very significant. Apple is an industry leader. If they publicly wrestled with these plans, received pushback, and then abandoned them: that will encourage other firms across the tech industry. Voluntary compliance isn’t dead, but it isn’t happening soon.
Anyway the nature of threats is that if people don’t voluntarily comply under threat, sometimes you have to follow through with the promised consequences. This is the frame through which I view the UK Online Safety bill.
The point here is that when you threaten someone and they *don’t* comply, that is good evidence you’re not fighting from a strong position. The UK badly wanted to get what they wanted from tech firms without passing stupid, draconian laws that might hurt them. They failed.
And worse: right now the UK is entirely on its own. The EU Commission has some vague proposals like “chat control” that might someday incorporate similar scanning requirements. The US is out of the game legislatively. (I’m not sure about India. Australia is irrelevant.)
So now tech firms are going to be forced to decide whether to comply with a weird, badly written law *just in the UK*. Last I checked the bill was so nuts even its advocates have got to be ashamed of it. Eg:
@matthew_d_green some of the proposed amendments are indeed excruciatingly bad. but the actual current legislation wording is pretty simple... and terrifying: it simply says that the regulator can mandate "content moderation" (i.e. scanning) to mitigate CSAM & terrorism. We tried to summarise at https://news.ycombinator.com/item?id=34923537. Even if Apple isn't doing OS-level scanning, this clause sets a massive precedent for other govts to try to follow, even if the US holds out.

@matthew_d_green Hoping for a big Foxtrot Uniform from big tech tbh. Getting themselves even more isolated might wake a few people up. I mean it's unlikely, but I can hope.
My hope is that tech firms will stand firm and force the UK to react. Maybe some will have to shut down services in the UK, or threaten to as Signal is. (Sadly: Signal is the Australia of social media apps: no government official cares about Signal.) https://www.theguardian.com/technology/2023/feb/24/signal-app-warns-it-will-quit-uk-if-law-weakens-end-to-end-encryption
So sorry for this thread. The TL;DR here is that a timeline with things like the Online Safety Bill is a bad timeline. But if we must live in a bad timeline, I’d rather live in one where the UK is losing the war for (tech CEO) hearts and minds and putting its economy on the line.
@matthew_d_green and given they did Brexit, those currently in power in Westminster won’t be put off by logic or further economic self harm 🤷😞
@matthew_d_green The UK is just a mythical place that only has legitimacy if you believe it is important. The most bark/no bite of all "industrialized" countries. If tech companies slightly resist, this will fall apart. Whatever economic benefits the tech companies get from the UK will be a small, short term loss compared to trying to implement the disastrous law. Hopefully they'll think strategically, even if they lack principle like Signal.
@matthew_d_green What does "quit UK" mean for Signal? How are they "present"? By virtue of stupidly wedding themselves to phone numbers & SMS delivery?

@dalias Signal could just label their product as being incompatible with UK law and advise people not to use it in the UK (and for people travelling to the UK to delete it from their phones?). Then it would be up to the UK government to bring prosecutions against individual users. Not Signal's problem.

@matthew_d_green

@matthew_d_green I’m not sure that the UK government see Signal leaving the UK as a bad thing!
@matthew_d_green EDRI as an umbrella organization is too organized to ever see anything that compromises security for state control. Also, they have some opinions about state control of media.
@matthew_d_green Not sure Apple's wobble on content scanning is exactly a win - speaking to folks in the UK govt, Apple's proposal to do bulk CSAM scanning was seen as a *massive* legitimising of the technology, and a reason why both UK OSB and EU ChatControl are attempting to mandate it as a viable option. Despite Apple eventually backing away from it.
@matthew_d_green The "cookie law" is already a disaster.
@matthew_d_green as an Australian it’s clear that the politicians of Australia don’t give a crap about Australia either.