Here is my counterintuitive take on the UK online safety bill: although it’s a disaster for UK citizens, it may be good news for (non-UK) privacy advocates and those who want to see end-to-end encryption survive.
Here’s my justification for this: for years, the US, UK (plus sometimes Australia and India) have been threatening tech firms with all manner of legislation if they don’t *voluntarily* weaken their encryption features: most recently by adding content scanning.
Probably the best externally-visible example of that pressure campaign is this 2019 open letter to Facebook signed by US AG William Barr and UK Home Secretary Priti Patel. Along with some dude from Australia whose name I’ve already forgotten. https://www.justice.gov/opa/press-release/file/1207081/download
These campaigns don’t explicitly threaten consequences, but with all pressure campaigns there are always (implicitly) consequences if tech firms don’t comply voluntarily. The biggest consequence is the threat of weird, ambiguous and badly-written legislation.
The problem, of course, is that in the US we have a First Amendment; our Congress is dysfunctional at even passing basic laws to keep the country operating: also Americans don’t love weird speech laws. Some legislation was proposed, but it died. https://www.judiciary.senate.gov/press/rep/releases/graham-cotton-blackburn-introduce-balanced-solution-to-bolster-national-security-end-use-of-warrant-proof-encryption-that-shields-criminal-activity

Nobody gives a crap about Australia. I mean this in the kindest way.

So with US legislation off the table, fundamentally the big legislative threats here come from the UK, the EU and maybe India.

And these threats very nearly worked. In 2021 Apple voluntarily introduced a client-side content scanning system that would have worked on photo backup. People wrote articles like this.
No, Apple’s photo backup wasn’t end-to-end encrypted at the time. (It is now, if you turn on ADP.) Their proposal was limited to the US. But these were details. Apple’s system would have been the first domino in terms of voluntary client-side scanning. It nearly happened.

What’s important to note here is that *Apple’s system did not get rolled out.* It very publicly failed. Apple eventually delayed and then canceled the proposal entirely.

And they even rolled out end-to-end encryption for iCloud. https://www.wired.com/story/apple-photo-scanning-csam-communication-safety-messages/

My view is that this is very significant. Apple is an industry leader. If they publicly wrestled with these plans, received pushback, and then abandoned them: that will encourage other firms across the tech industry. Voluntary compliance isn’t dead, but it isn’t happening soon.
Anyway the nature of threats is that if people don’t voluntarily comply under threat, sometimes you have to follow through with the promised consequences. This is the frame through which I view the UK Online Safety bill.
The point here is that when you threaten someone and they *don’t* comply, that is good evidence you’re not fighting from a strong position. The UK badly wanted to get what they wanted from tech firms without passing stupid, draconian laws that might hurt them. They failed.
And worse: right now the UK is entirely on its own. The EU Commission has some vague proposals like “chat control” that might someday incorporate similar scanning requirements. The US is out of the game legislatively. (I’m not sure about India. Australia is irrelevant.)
My hope is that tech firms will stand firm and force the UK to react. Maybe some will have to shut down services in the UK, or threaten to as Signal is. (Sadly: Signal is the Australia of social media apps: no government official cares about Signal.) https://www.theguardian.com/technology/2023/feb/24/signal-app-warns-it-will-quit-uk-if-law-weakens-end-to-end-encryption
So sorry for this thread. The TL;DR here is that a timeline with things like the Online Safety Bill is a bad timeline. But if we must live in a bad timeline, I’d rather live in one where the UK is losing the war for (tech CEO) hearts and minds and putting its economy on the line.
@matthew_d_green The UK is just a mythical place that only has legitimacy if you believe it is important. The most bark/no bite of all "industrialized" countries. If tech companies slightly resist, this will fall apart. Whatever economic benefits the tech companies get from the UK will be a small, short term loss compared to trying to implement the disastrous law. Hopefully they'll think strategically, even if they lack principle like Signal.