U.K. Government Says It Will Not Require Tech Companies to Use Impossible Methods to Beat Encryption Without Compromising Privacy, but It Will Empower Regulators to Demand They Build It

Cristina Criddle and Anna Gross, Financial Times:

The UK government will concede it will not use controversial powers in the online safety bill to scan messaging apps for harmful content until it is “technically feasible” to do so, postponing measures that critics say threaten users’ privacy.

A planned statement to the House of Lords on Wednesday afternoon will mark an eleventh-hour effort by ministers to end a stand-off with tech companies, including WhatsApp, that have threatened to pull their services from the UK over what they claimed was an intolerable threat to millions of users’ security.

The statement is set to outline that Ofcom, the tech regulator, will only require companies to scan their networks when a technology is developed that is capable of doing so, according to people briefed on the plan. Many security experts believe it could be years before any such technology is developed, if ever.

Zoe Kleinman, Tom Gerken, and Chris Vallance, BBC News:

The government has denied that its position has changed. In a statement in the House of Lords, the minister, Lord Parkinson, clarified that if the technology to access messages without breaking their security did not exist, then Ofcom would have the power to ask companies to develop the ability to identify and remove illegal child sexual abuse content on their platforms.

Indeed, the Bill already stated that the regulator Ofcom would only ask tech firms to access messages once “feasible technology” had been developed which would specifically only target child abuse content and not break encryption.

The government has tasked tech firms with inventing these tools.

The statement, which begins at around 16:16:57 in this recording, does not sound to me exactly as the Financial Times described. Here is what Lord Parkinson, speaking in alignment with the government as a Conservative, said, as best as I could transcribe it:[1]

A number of Noble Lords have mentioned — and I am aware of — press coverage about encryption. There is, let me be clear, no intention by the Government to weaken the encryption technology used by platforms, and we’ve built strong safeguards into the bill to ensure that users’ privacy is protected.

While the safety duties apply regardless of design, the bill is clear that Ofcom cannot require companies to use proactive technology on private communications in order to comply with these duties. Ofcom can only require the use of a technology — [sic] a private communications service by issuing a notice to tackle child sexual exploitation and abuse content under clause 122. A notice can only be issued where technically feasible, and where technology has been accredited as meeting minimum standards of accuracy in detecting only child sexual abuse and exploitation content. Ofcom is also required to comply with existing data protection legislation when issuing a notice under clause 122 and, as a public body, is bound by the Human Rights Act of 1998 and the European Convention on Human Rights.

When deciding whether to issue a notice, Ofcom will work closely with the service to help identify reasonable, technically feasible solutions to address the child sexual exploitation and abuse risk, including drawing on evidence from a skilled persons report. If appropriate technology does not exist which meets these requirements, Ofcom cannot require its use. That is why the powers include the ability for Ofcom to require companies to make best endeavours to develop or source a new solution. It is right that Ofcom should be able to require technology companies to use their considerable resources and their expertise to develop the best possible protections for children in encrypted environments.

That has been our longstanding policy position. Our stance on tackling child sexual abuse online remains firm, and we have always been clear that the bill takes a measured, evidence-based approach to doing so.

The second paragraph, as I have transcribed it, appears to be missing a connecting word — “by”, perhaps? Even though that is unclear, this argument is tautological: the government is arguing that technology companies will not be required to use technology which does not exist or is impossible. Which, well, duh. But then it says Ofcom is empowered to demand tech companies develop this impossible technology to the best of their abilities: “that is why the powers […] require companies to make best endeavours to develop” something which can meet the requirements it sets out.

I could be misinterpreting this, but I do not think I am. It really sounds like the U.K. government wants operators of encrypted services to throw their “considerable resources” at doing as much as possible to solve the impossible. And then Lord Parkinson has the gall to conclude this bill is “evidence-based”.

The BBC:

Another view is that this is an attempt at a last-minute diplomatic resolution in which neither the tech firms nor the government lose face: the government says it knew all along that the tech did not exist and removes immediate pressure from the tech firms to invent it, and the tech firms claim a victory for privacy.

This seems like the most realistic interpretation of this statement and, perhaps, it will close the book on the specific risks of the online safety bill for now. But, make no mistake, we will be having this same conversation in a few years. Maybe it will not be in a British accent — there are plenty of governments which are eager to weaken end-to-end encryption based on a wide variety of excuses — but we will be talking about this again very soon.

Update: Reader Ashley pointed me via email to the official transcript of Lord Parkinson’s remarks in which it is clarified that he had said (emphasis mine) “Ofcom can require the use of a technology by a private communication service only by issuing a notice to tackle child sexual exploitation and abuse content under Clause 122”.

  1. Lord Parkinson is the same guy who defended his government’s reintroduction of imperial measurements by saying they were “universally understood” and then completely botched some basic conversions. That is not relevant but it is very funny.