(C) Alec Muffett's DropSafe blog.
Author Name: Alec Muffett
This story was originally published on alecmuffett.com. [1]
License: CC-BY-SA 3.0.[2]
How the #OnlineSafetyBill’s OFCOM surveillance measures can (will?) bring about public emasculation of the UK Government and a kind of #CyberBrexit effect (HT: @ciaranmartinoxf @allanofhallam @wongmja)
2023-04-21 08:19:43+00:00
Background
So I have been reading two recent think-pieces:
By Ciaran Martin in the FT (paywalled, there is an illegitimate copy archived), which broadly discusses the pros and cons of the Government arrogating to itself — note: its parochial, British, self — the power to mandate client-side filtering of sent and received messages by means of obligate Government spyware; Mr Martin then challenges the Government to describe up-front how it will use those powers, so that parliamentarians can see for themselves before passing them.
By Richard Allan, Baron Allan of Hallam, in his podcast-related blog, broadly outlining the same battleground and framing the debate (soon to occur in the House of Lords), in spite of Martin’s piece, somewhat as the Home Office seeking wrestling leverage over the platforms:
Security services are in the market for as much information as they can get and if the threat of a decryption order may encourage a hesitant company to offer other useful data in order to avoid this being carried out then they will see this as a useful tool.
My emphasis. Hallam further writes in the blogpost:
As policy makers, this is a situation where ‘cakeism’ is not the answer and we have to make a choice – either a) to allow companies to offer genuinely secure end-to-end encrypted communications to people in the UK, or b) to make it clear that the only messaging services on offer will allow some third parties to access your messages without your consent.
I believe that the UK Government is still closer to the first position as it is nervous about losing public support if it went fully down the second path and services started to withdraw from the UK market, but with two provisos.
First, if another mainstream country did manage to force service providers to compromise their encryption and they did not withdraw from those markets, then the UK would be encouraged to follow suit.
Second, the UK Government may feel more comfortable issuing orders that would effectively prevent a currently unencrypted service from making the transition to become end-to-end encrypted if it feels this would not lead to withdrawal from the market.
We should also note that there is a strong ‘game of chicken’ dynamic in all of this that could lead to someone being run over if there are miscalculations on either the government or the industry side.
He’s right — there’s a global hope that someone will cause the “Tech Platform E2EE Consensus” to crack — but there’s also something here which has been forgotten:
This game of chicken is being played in public, and the zealots on both sides are watching.
This Game is Different: It’s Played in Public
Spying is traditionally done in secret — I’ve posted an entire E2EE primer which can help provide examples — but what I want to highlight here is the Technical Capability Notice (TCN) under the Investigatory Powers Act 2016 and its subsequent regulations, about which I would like to make a single observation:
When a company or person is coerced with a Technical Capability Notice to provide access to communications, they are meant to do so in such a manner that the risk of any unauthorised persons becoming aware of any matter within section 57(4) of the Act is minimised, in particular by ensuring that apparatus, systems or other facilities or services, as well as procedures and policies, are developed and maintained in accordance with security standards or guidance specified in the notice
In short: compliance with a TCN, and the collusion towards leaking message content that it entails, is meant to be secret… but the Android and iOS ecosystems do not work that way. The world of big platform applications is not like the telephone companies, where a wiretap can be surreptitiously plugged into someone’s line by a discreet visitor to the local phone exchange.
Instead: the world is watching, and there are people — notably the respected Jane Manchun Wong — who practically make a livelihood by digging through applications and surfacing the creation of new, test, or additional features which appear in the wild.
If code is developed — if client-side-scanning code is added to an app — it will be discovered, leaked, and publicised.
And then the fun will start.
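How that discovery happens in practice is worth spelling out. What follows is an added illustration, not code from the original post nor any platform’s or researcher’s actual tooling: it compares two app builds by per-file hash and by the printable strings inside each file, which is the kind of release-to-release diff that surfaces a new library or a new feature name the moment it ships. The two releases are constructed in-memory stand-ins for the unpacked contents of two builds; every file name, library and string in them is invented for the example.

```python
"""Build-to-build diffing of an app's unpacked contents.

Added example for illustration only; it is not the original post's code nor
any platform's or researcher's real tooling. The two releases below are
constructed in-memory stand-ins for unpacked app builds (file path -> bytes);
a real run would walk two extracted release trees instead.
"""
import hashlib
import re
from typing import Dict, List, Set, Tuple

# Constructed stand-in for an ELF header; "ELF" is too short to register as a string.
ELF_STUB = b"\x7fELF\x02\x01\x01\x00"

# Constructed older build.
RELEASE_OLD: Dict[str, bytes] = {
    "lib/libmessaging.so": ELF_STUB + b"send_message\x00receive_message\x00",
    "assets/strings.xml": b'<string name="app_name">Chat</string>',
    "classes.dex": b"dex\n035\x00Lcom/example/chat/Composer;\x00",
}

# Constructed newer build: one library changed, one library added.
RELEASE_NEW: Dict[str, bytes] = {
    "lib/libmessaging.so": ELF_STUB + b"send_message\x00receive_message\x00scan_outgoing_media\x00",
    "assets/strings.xml": b'<string name="app_name">Chat</string>',
    "classes.dex": b"dex\n035\x00Lcom/example/chat/Composer;\x00",
    "lib/libcontentfilter.so": ELF_STUB + b"hash_match_upload\x00",
}


def digest_tree(tree: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 of every file, keyed by path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}


def diff_trees(old: Dict[str, bytes], new: Dict[str, bytes]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, modified) paths between two builds."""
    old_d, new_d = digest_tree(old), digest_tree(new)
    added = sorted(set(new_d) - set(old_d))
    removed = sorted(set(old_d) - set(new_d))
    modified = sorted(p for p in set(old_d) & set(new_d) if old_d[p] != new_d[p])
    return added, removed, modified


def strings_in(data: bytes, min_len: int = 8) -> Set[str]:
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {m.group().decode("ascii") for m in pattern.finditer(data)}


def new_strings(old: Dict[str, bytes], new: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Strings present in a file of the new build but absent from the same file of the old one."""
    out: Dict[str, List[str]] = {}
    for path, data in new.items():
        delta = sorted(strings_in(data) - strings_in(old.get(path, b"")))
        if delta:
            out[path] = delta
    return out


def report(old: Dict[str, bytes], new: Dict[str, bytes]) -> str:
    """Human-readable summary of what changed between the two releases."""
    added, removed, modified = diff_trees(old, new)
    lines = [f"added:    {added}", f"removed:  {removed}", f"modified: {modified}"]
    for path, strs in new_strings(old, new).items():
        lines.append(f"new strings in {path}: {strs}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(RELEASE_OLD, RELEASE_NEW))
```

Run against the constructed builds, the hash diff flags `lib/libcontentfilter.so` as new and `lib/libmessaging.so` as modified, and the string diff names exactly what was added inside them. A hash diff alone says only that something changed; the string diff is what turns that into a headline, which is why a scanning component cannot be slipped into a public app build quietly.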
The platforms — even more than Hallam’s perspectives on Government — do not want to be seen to be compromising their global privacy ethics for some parochial (e.g. merely “British”) purpose; and they also know that there is a greater good in end-to-end encryption than even the statistics of actual abused children can count against it.
Thus, they are extremely motivated not to add “British-Government Client-Side Scanning Code” to their applications, where the likes of Wong (et al) will discover it and publicise it to the world.
Therefore: if the UK Government does pass legislation empowering OFCOM to demand client-side scanning, but it is never implemented and never turns up in the applications… what happens next?
What Happens Next…
To get us to this point the Home Office has been stoking a bunch of child-safety charities, telling them that encryption is their biggest bugbear and that combating privacy for adults is a disproportionate “win” that will keep children safe.
In the process they have created an information security analogue of UKIP: a small band of zealots with ill-defined goals who are kicking back against what they perceive as a monstrous hugely-funded monolith which impinges upon their lives in every way.
“Tech”, to them, is the new “Europe” and the “Platform Duty of Care” is the new “Brexit,” i.e. they want to “hurt tech” by harming themselves and everyone else in the process of achieving their halcyon goals of “saving children”.
So, because all of this happens in public and will be visible to the public, the NSPCC and other charities — doubtless heralded by Charles Hymas in the Telegraph — are going to see the utter lack of delivery of what they demanded the Government achieve, and we shall be thrown into several years of OFCOM and the Home Office being harangued to “Get Child Safety Done!”
That will not look good at the time of the next election.
If Martin and Hallam are right and the Government are largely pursuing these powers in order to hang them as a Damoclean sword over the tech companies as leverage for “other” goals, perhaps they would like to consider that this time the platforms’ refusal to knuckle under will be public, and that the people they have exploited to get this far will actually turn and bite them.
Postscript
I suppose that the inevitable stage after the Tory government are roasted in the press for being demonstrably “weak on tech” is that either they crack down and the platforms abandon the UK — if they have not done so already — or else Labour promise to be “tough on tech and tough on the causes of tech” …and bring in something even more draconian.
This is how we get to “V for Vendetta,” no?
[1] URL:
https://alecmuffett.com/article/57060
[2] URL:
https://creativecommons.org/licenses/by-sa/3.0/