Apple Criticizes UK Government's Client-Side Scanning PushOnline Safety Bill Also Criticized by Leading Cybersecurity Experts and Academics
Technology giant Apple has joined the chorus of voices calling on the British government to rethink legislation intended to increase public safety by monitoring people's private communications.
At issue is the Tory government's Online Safety Bill, introduced in draft form in 2021 and subsequently much revised. Prime Minister Rishi Sunak's government described the OSB as being "a new set of laws to protect children and adults online."
Leading cryptographers, security experts and technology giants warned that the legislation is likely to do the opposite. At issue is the bill's requirement that messaging services push client-side scanning tools onto users' devices that would look for anything they believe the government would classify as "illegal content."
This week, more than 80 national and international civil society organizations, academics and cybersecurity experts sent an open letter to government ministers, warning that such an approach places everyone at greater risk because it undercuts strong encryption.
"Any form of workaround risks compromising the security of the messaging platform, creating back doors and other dangerous ways and means for malicious actors and hostile states to corrupt the system," the signatories wrote.
Meta's WhatsApp and Signal are among the messaging services that have criticized the government's push for client-side scanning. They have threatened to shut down their services in Britain rather than comply with any client-side scanning rules.
On Tuesday, Apple weighed in against the U.K. government's proposal. "End-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists and diplomats. It also helps everyday citizens defend themselves from surveillance, identity theft, fraud and data breaches," Apple said in a statement to the BBC.
"The Online Safety Bill poses a serious threat to this protection and could put U.K. citizens at greater risk," Apple said.
This isn't the first time cybersecurity experts and cryptographers have warned of the risks such systems pose.
"Client-side scanning reduces overall security and privacy for law-abiding users while running the risk of failing to meet its stated law enforcement objective," the Internet Society, a nonprofit U.S. advocacy group, asserted in 2020.
In 2021, a group of the world's most renowned cryptographers published a report warning that "there are multiple ways in which client-side scanning can fail, can be evaded and can be abused." They argued that the approach "neither guarantees efficacious crime prevention nor prevents surveillance," highlighting how the system might be abused by governments to monitor citizens.
Report co-author Ross Anderson, a professor of security engineering at Cambridge University and Edinburgh University, this week criticized the U.K. government's proposed push for client-side scanning. "The idea that you can do surveillance while respecting privacy is just magical thinking," he said.
Instead of mass surveillance, many experts continue to urge the government to use targeted surveillance. Encrypted end-to-end communications do not make criminals invincible, they say, and in fact can give crooks a false sense of security.
In 2020, Dutch and French police infiltrated encrypted messaging service EncroChat, enabling authorities to intercept and analyze 150 million messages before the service's operators pulled the plug. Investigating authorities reported Tuesday that thanks to the investigation, they have so far arrested 6,558 suspects, including 200 high-level targets.
In late 2018, the FBI secretly created an encrypted messaging service it marketed to criminals, dubbed Anom. A global consortium of law enforcement agencies monitored the criminal honeypot, which ran from 2018 until 2021. That's when the FBI shut down Anom, saying it had facilitated the arrest of more than 800 suspects across 16 countries, as well as the seizure of tons of cocaine and other drugs, firearms and cash. Anom-using criminals may have thought they were anonymous, but obviously they weren't.
Another challenge for governments that want to outlaw encrypted messaging platforms - unless they're paired with client-side scanning - is that numerous tools and technologies for building custom encrypted messaging systems remain available from a variety of worldwide sources.
Criminals have a habit of not complying with whatever rules or restrictions lawmakers might try to lay down.
"They can legislate all they like, but all they will do is cause service providers to withdraw from the U.K.," Alan Woodward, a professor of computer science at the University of Surrey who's an expert on cybercrime, told Information Security Media Group. "Everyone loses."