UK gov flounders in encryption and security mire
- Backdoor plans unpopular with US tech firms.
- WhatsApp threatens to leave UK.
- UK government receives backlash over the Online Safety Bill and Investigatory Powers Act.
- Recently it was revealed that Russian and Chinese hackers accessed the Foreign Office’s internal systems.
Encrypted messaging might be at risk under new UK regulation. A BBC journalist heard from a leader of a big US tech firm that there was a definite tipping point at which the firm would leave the UK. While there’s often big ego talk and empty threats, this felt different.
That tipping point could well be the Online Safety Bill, due to pass this fall, or Autumn, as the Brits like to say. Aimed at protecting children, the bill would see strict rules about policing social media content with high financial penalties and prison time for individual tech execs if the firms fail to comply. Like arguments that invoke Hitler too early, playing the child protection card is a red flag to any data privacy advocate.
Crucially, the rules would include the stipulation that encrypted messages be read and handed over to law enforcement by the platforms they’re sent on if there’s deemed to be a national security or child protection risk.
As it currently stands, apps like WhatsApp, Proton and Signal, which all offer encryption, can’t see the content of sent messages themselves. According to the NSPCC, though, encrypted messaging apps are the “front line” of where child abuse images are shared.
They’re also an essential security tool for activists, journalists and politicians (more on that later). It’s hard not to wonder how far the parameters would be drawn around what’s escalated and brought to law enforcement; do we truly believe that police access to private messages is a good idea?
Both WhatsApp and Signal have threatened to leave the UK market over the government’s demands.
After tech firms opposed the powers that could be used to scan encrypted messages for child abuse images, amendments were passed by the UK’s second chamber, the House of Lords. Changes to the Online Safety Bill say that a “skilled person” must write a report for communications regulator Ofcom before it uses the new powers to make a company scan its users’ messages.
As end-to-end encrypted messages can only be read by the sender or recipient, critics suggest this means companies would need to scan messages before they are encrypted – so called client-side scanning.
Ministers, police and children’s charities say the powers are necessary to tackle “record levels” of child abuse such as imagery and grooming on online platforms, and to prevent encrypted platforms allowing child abusers to “operate with impunity.”
In 2022, Google made headlines when it closed and refused to reinstate a father’s Google account after content was incorrectly flagged as child abuse. Photos he had taken to send to his son’s doctor were explicit but not demonstrative of child abuse; Google handed over his entire account, including photos, messaging and emails, to the authorities.
Campaigners have dubbed the changes to encrypted messaging a “spy clause,” saying that as a minimum a judge should have to authorize the scanning of user messages. Among them is the Open Rights Group, which campaigns for digital rights.
“Given that this ‘skilled person’ could be a political appointee, and they would be overseeing decisions about free speech and privacy rights, this would not be effective oversight,” the group wrote.
Proposed amendments to the Investigatory Powers Act, which included tech firms getting Home Office approval for new security features before worldwide release, incensed Apple so much that it threatened to remove Facetime and iMessage from the UK if they go through.
The tech giant has also been staunchly against the clause in the Online Safety Bill that would allow encrypted messages to be read. Its submission to the current consultation is nine pages long. It opposes:
- having to tell the Home Office (the ministry in charge of law & order) of any changes to product security features before they are released.
- the requirement for non-UK-based companies to comply with changes that would affect their products globally – such as providing a backdoor to end-to-end encryption.
- having to take action immediately if a notice to disable or block a feature is received from the Home Office, rather than waiting until after the demand has been reviewed or appealed against.
It also states that:
- it would not make changes to security features specifically for one country that would weaken a product for all users.
- some changes would require issuing a software update, so could not be made secretly.
- the proposals “constitute a serious and direct threat to data security and information privacy” that would affect people outside the UK.
Encrypted messaging is just part of the problem
The UK Parliament is also passing the Digital Markets Bill, which firms told the BBC gives an unprecedented amount of power to a single body. The bill proposes that the UK’s competition watchdog selects large companies like Amazon and Microsoft, gives them rules to comply with and sets punishments for noncompliance.
Big Tech isn’t exactly in the good books due to past behaviors, and many feel accountability and regulation are overdue.
We shouldn’t confuse “pro-innovation” with “pro-Big Tech” warns Professor Neil Lawrence, a Cambridge University academic who has previously acted as an advisor to the CMA. “Pro-innovation regulation is about ensuring that there’s space for smaller companies and start-ups to participate in emerging digital markets”, he said.
Other experts are concerned that those writing the rules do not understand the rapidly-evolving technology they are trying to harness.
“There are some people in government who’ve got very deep [tech] knowledge, but just not enough of them,” said economist Dame Diane Coyle.
“And so [all] this legislation has been going through Parliament in a manner that seems to technical experts, like some of my colleagues, not particularly well-informed, and putting at risk some of the services that people in this country value very highly.”
The Department for Science, Innovation and Technology said that it had “worked hand-in-hand with industry and experts from around the world to develop changes to the tech sector”, including during the development of the Online Safety Bill and the Digital Markets Bill.
The UK shouldn’t be in a position where it’s held to ransom by US tech giants, but the services of apps like WhatsApp are widely used by millions, and there’s no UK-based alternative. The thing is, there are alternatives for US tech firms, AKA other countries, so leaving the UK wouldn’t do huge amounts of damage.
When the UK’s Competition and Markets Authority (CMA) blocked Microsoft’s acquisition of the video game giant Activision Blizzard, the company was furious.
“There’s a clear message here – the European Union is a more attractive place to start a business than the United Kingdom,” raged chief executive Brad Smith – CMA has reopened negotiations with Microsoft.
That’s not to say that the EU isn’t also getting stricter – in fact that’s kind of what hurts about tech firms moving there. Ultimately, the EU is a bigger market, so more valuable. Of course, until recently the UK was part of that market. But a bed has been made, so the UK government and its people must lie in it.
“There is growing irritation here about the UK and EU trying to rein in Big Tech… that’s seen as less about ethical behaviour and more about jealousy and tying down foreign competition,” says tech veteran Michael Malone.
The UK government: pro-tech, poor security
The UK Prime Minister Rishi Sunak calls himself a pro-tech PM. He’s trying desperately to entice the lucrative AI sector into the country. Some firms, including Palantir, OpenAI and Anthropic, have agreed to open UK headquarters.
Naturally, one would assume that a government so concerned with the security of encrypted messaging and controlling the way that technology is used would be tech savvy itself.
Speaking of encrypted messaging, who remembers when ex-government minister, Matt Hancock gave a journalist access to his WhatsApp messages? As part of her writing his memoir, Isabel Oakeshott was privy to 100,000 of Hancock’s private messages – which, in the name of public interest, she shared.
Had he not left parliament in favor of fame and fortune (appearing on the UK version of I’m A Celebrity, Get Me Out of Here) perhaps he’d be an ideal candidate to speak up for those against what Politico calls “screenshot scrutiny.”
It’s recently been revealed that in 2021 a major security breach was kept secret from the public. In the last few weeks, i News revealed that Russian and Chinese hackers accessed the Foreign Office’s internal systems. Hackers from both countries compromised internet-connected servers belonging to the Foreign, Commonwealth and Development Office (FCDO), although the breach did not give them access to classified information.
Experts warned this may have put diplomats based in hostile environments at risk or potentially damaged relationships with important strategic allies by revealing private communications with other nations.
Both Russia and China were able to access the system at the same time in separate attacks. “At one point we believe both were on there,” a GCHQ insider told i. “It was very embarrassing and caused a great stir in government because they didn’t know whether they should admit it or not.”
Essentially, the government system was an open door and both countries found a way in. It was likely the result of a phishing email.
A cyber security specialist, who worked at the FCDO at the time, also confirmed the hacks took place, adding, in a masterful use of understatement, that it was “certainly sub-optimal”.
A third source, a former intelligence officer at the Foreign Office, said incidents like this in “some form or another” were a “daily occurrence.”
“The issue with government departments is that they are culturally apathetic about security and particularly cyber security,” they told i. “The general feeling is that the intelligence [agencies] have got that [covered], so we don’t need to worry.”
So why is one of the highest security bodies in the UK so apathetic about breaches? The technology in use by staff is predominantly Windows PCs – the proven least secure operating system out there.
Maybe just equipping all staff with Macs would help – they’re typically less targeted than Windows (running POSIX-compliant BSD operating system variants). Running Linux on government desktop hardware would be an equally valuable security step, and one that would be cheaper to procure than Apple desktops.
Either way, perhaps it would be best if the government focussed on its own security issues before threatening the UK’s access to tech manufactured by US-based firms.
28 September 2023