68 Academics Defend End-to-End Encryption in Broadside Against New UK Law

A group of privacy and cybersecurity professors and PhDs has blasted the UK government for wanting to break end-to-end encryption of communications in order to assist the work of law enforcement. The 68 academics have published an open letter that targets the Online Safety Bill, a draft law that was first tabled in March 2022 and is nearing the time when it will likely be approved by the UK Parliament. Per their letter, the academics wish to…

…highlight alarming misunderstandings and misconceptions around the Online Safety Bill and its interaction with the privacy and security technologies that our daily online interactions and communication rely on.

They paint an evocative image of the danger of enabling more comms surveillance.

In brief, our concern is that surveillance technologies are deployed in the spirit of providing online safety. This act undermines privacy guarantees and, indeed, safety online.

They highlight that governments cannot be trusted.

…we have welcomed the wide-spread adoption of end-to-end encryption over the last 10 years, a development, we recall, that was at least partially motivated by revelations of extensive digital surveillance by nation-state actors.

And they remind the reader that some big and important tech companies agree with them.

We note that in the event of the Online Safety Bill passing and an Ofcom order being issued, several international communication providers indicated that they will refuse to comply with such an order to compromise the security and privacy of their customers and would leave the UK market.

But they do not deny that the protection of children is the best justification for automated spying on communications.

This monitoring is motivated and is being proposed to prevent the dissemination of child sexual exploitation and abuse (CSEA) content. We cannot speak to the relative merit of this step in preventing harm to children in our professional capacities. What we can confirm with authority is: Firstly, such monitoring is categorically incompatible with maintaining today’s (and internationally adopted) online communication protocols that offer privacy guarantees similar to face-to-face conversations. Secondly, attempts to sidestep this contradiction are doomed to fail on the technological and likely societal level.

And there is the rub of the argument. Everything they write about technology is true, but when weighing up their support for end-to-end encryption it is legitimate to enquire how much the curtailing of encryption might prevent harm to children. It is not legitimate to conclude that a change will definitely lead to an overall reduction in safety if you are not prepared to form any opinion as to its impact on children who are otherwise at risk of being abused.

I have written before about the UK government pushing a deliberately misleading narrative about online child sex abuse to justify their opposition to end-to-end encryption. The sexual abuse of children is already serious enough; it does not need to be exaggerated in order to be treated seriously. But two wrongs do not make a right. The academics present a lot of fine and accurate technical observations without addressing the core of the reason they oppose the Online Safety Bill. They believe it will lead to more harm than good. But an honest interlocutor must also admit the counterfactual: if the bill does not become law, then some children will suffer harm that would otherwise have been prevented. To make a decision is to judge which harm is greater, and which is lesser.

It is normal that supporters of the bill only want to talk about the harm done to children, and not of risks like an authoritarian government abusing the power to surveil anybody, or the chances of criminals exploiting the same gaps in privacy that the government mandated. And it is normal that supporters of end-to-end encryption should simply refuse to be drawn into a discussion about protecting children by implementing automated scanning of all messages in order to identify pedophilic content that would incriminate the people exchanging it. Both sides are behaving normally, and unhelpfully. If society is becoming more divided then the solution is not to shout louder whilst refusing to listen to those who disagree with your opinion. That is why I am deeply disappointed that some of the best brains in the twin domains of security and privacy have dodged the essential question of how to evaluate the countervailing risks associated with this law. In doing so, they have acted more like politicians than most actual politicians.

Regular readers of Commsrisk will have no trouble in discerning my opinion: it is better to have end-to-end encryption than not have end-to-end encryption. It is easy for me to explain how I reach that judgment: whatever harm can be done by an individual, it pales in comparison to the harm that can be done by a government. But this is a judgment about risk, and hence cannot be reached with certainty. I draw an inference from atrocities committed by governments throughout history, and the ongoing tendency of governments to accrue power and misuse power even when they have little need to. I look at the difficulty of ousting an authoritarian government and conclude that the magnitude of harm done by a bad government is so great that it is vital to minimize the risk of such a government being able to use surveillance to hold on to power. This weighs against the sure knowledge that there are many bad people, some of whom are child abusers, and that encryption benefits them by enabling them to do harm without being discovered. It is intelligible why some people prefer to give governments increased power so they may suppress the least desirable aspects of human behavior. I disagree with their priorities, but I can respect why they feel the way they do. You must also weigh up these risks for yourself.

The letter signed by these academics, entitled “Open Letter from Security and Privacy Researchers in relation (sic) to the Online Safety Bill” can be found here.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.