A “Spy Clause”: Should Tech Companies Start Scanning Encrypted Messages For Child Abuse?

A UK government amendment was passed by the Lords on Wednesday which could force tech firms to start scanning encrypted messages for child abuse images. 

Tech firms such as WhatsApp, Signal and Apple have all opposed the amended powers due to privacy concerns. 

While the government protests the move as action amid rising concerns over child safety on major messaging apps, campaigners say this extra safeguard will fail to protect privacy, BBC reports.

The Online Saftey Bill Amendment

This government amendment to the Online Safety Bill says that a “skilled person” must write a report for Ofcom before it can use its new powers to make a firm scan encrypted messages. 

This report must detail the impact of scanning messages on people’s privacy as well as their freedom of expression. The report will also need to consider the use of technology on journalism and the protection of journalistic sources.

Ofcom will proceed to take this report into account when deciding if it is necessary to start forcing firms to scan messages and share a summary of their findings. 

If the bill is passed, it would let Ofcom force tech companies to use “accredited technology” to scan encrypted messages for child sexual abuse material. 

Exploring The Call For The Bill

With an Online Safety Bill already in place, why are current powers calling for this latest more drastic amendment?

Police, ministers, and children’s charities are all saying the new bill is necessary to tackle what is currently “record levels” of child abuse. Namely, exploitative imagery and grooming on online messaging platforms. 

They argue using technology to scan encrypted platforms will stop child abusers from being able to “operate with impunity”. 

The amended Online Safety Bill is currently in the later stages of its journey through Parliament, but this hasn’t silenced protests firmly against what they believe to be an utter breach of personal privacy. 

Oppositions To The Bill

Meredith Whittaker, president of Signal – an encrypted messaging app – says that the new bill would mean tech firms would have to start running “government-mandated scanning services on their devices”. 

This is because end-to-end encrypted messages can only be read by the sender or recipient. So, companies would need to scan these messages before they are encrypted, something known as client-side scanning.

Critics of the bill have protested that this fundamentally undermines the security and privacy of encrypted messaging. Due to this apparent breach on security, this amendment has been dubbed the “spy clause” by its critics.

The Open Rights Group, which campaigns for digital rights, has openly criticised the government amendment: 

“Given that this “skilled person” could be a political appointee, and they would be overseeing decisions about free speech and privacy rights, this would not be effective oversight”, the group wrote.

Moreover, free-speech campaigners at Index said of the new plans: “This is not the legal oversight that these important new powers require, and give short shrift to users’ rights,”

“Judicial oversight is a bare minimum for a government-appointed body to be able to break encryption and access private messages.”

Government minister Lord Parkinson said that, while he acknowledges “the concerns which have been aired about how these powers work with encrypted services”, he assures that strong safeguards will be built in to protect privacy. 

Elsewhere, party spokespeople spoke not against the bill, but in favour of amending it to become more privacy-focused. Labour’s Lord Stevenson was one of the spokesmen that proposed oversight by judges, though this was not moved to a vote. 

But despite an overarching agreement in the Lords, this isn’t to say there’s been a lack of internal opposition. Consecutive peer Lord Moylan had proposed an amendment that would exempt encrypted services from scanning altogether. 

He argued the government’s plans “opened a hole” in encryption, saying the powers were a “major assault on privacy”. Nevertheless, Lord Moylan did not move it to a vote, likely in anticipation that the house would vote against it.

Despite opposition to the government amendment, the Children’s charity NSPCC has not stopped calling for people to rally for the bill. It argues in favour of “a balanced settlement that should encourage companies to mitigate the risks of child sexual abuse when designing and rolling out features like end-to-end encryption”.

With the bill already nearly in the end stages of Parliament, we may expect the amendment to the Online Safety Bill to be passed soon. But will this really aid us in the fight against digital child abuse? And what privacy concerns will it sacrifice along the way?