
Sarah Jamie Lewis
@SarahJamieLewis Executive Director @OpenPriv. Cryptography and Privacy Researcher. @cwtch_im icyt7rvdsdci42h6si2ibtwucdmjrlcb2ezkecuagtquiiflbkxf2cqd May. 12, 2021 3 min read

So the new #onlineharms draft from the UK provides OFCOM the power to request seemingly unlimited data from a service provider in regards to enforcement, and makes it a crime to provide encrypted data "if the intention was to prevent OFCOM from understanding the data"...

Combined with "Technology Notices" which OFCOM can issue to force a service provider to use technology to identify and take down illegal content the ramifications on privacy and freedom of expression are pretty disturbing.

And if you are thinking "this only applies to large social media companies" you are wrong.

The only exceptions are for email, sms, internal business services, "limited functionality services" and public bodies.

Any kind of IM or group chat would seem to be covered by this law.

This is one of those "speak to a lawyer" kinds of questions but it would be interesting to know how this definition of "provider" relates to something like Cwtch where there is no centralized mediation service that governs access.

Also this bill is full of Henry VIII powers and as such the meaning of "Regulated Service", "Online Safety", "Illegal Content" and various other aspects that you may be fine with now, can be changed arbitrarily without a subsequent act of parliament.

All relevant documents can be found here: 

Overall this reads like quite a dystopian power grab by the UK government that endangers privacy and free expression online.

The bill doesn't explicitly mention end-to-end encryption but given UK government rhetoric in recent years that prominently contrasted e2e against online safety you would have to be a fool to think they won't try and use some of these provisions to circumvent e2e services.

Regardless of how this shakes out similar legislation is likely coming to a jurisdiction near you.

Please support people building decentralized, encrypted, metadata resistant tools because we are going to need them sooner rather than later. 

Oh I didn't even mention that the primary purpose of this bill is to censor "harmful" content (contrast with "illegal" content).

And we still don't really have a definition of what "harmful" means since the bill defers that question to regulation.

Again, I want to stress that "harmful" content is not "illegal" content. However you feel about how the UK chooses to designate "illegal" content this bill creates an entire new category of regulation-defined censorship under the banner of "harmful" content.

This bill grants OFCOM the power to regulate most online communication in the UK, to force services to use censorship tech, and makes it a crime to encrypt data that OFCOM might find useful to regulate you without being able to also decrypt it.

What is a Category 1 service vs. a 2a or 2b service? Well that is also up to the regulator, but based on prior policy documents it won't be just about size, but also about functionalities (specifically called out is broadcast sharing and anonymous communication).

If you are wondering what kinds of online activities are covered by this bill...there are a whole lot of them...

The justification (from early policy documents) for not including email or telephony under this bill is that it would "resort to monitoring communications" which is interesting given the large scope of services and obligations covered by the new draft bill.

Also you've got to love the subtext of scattering "protecting users from *unwarranted* infringements of privacy." around the bill.
