Lawmakers in the U.K. have delayed enacting the so-called “spy clause” within its Online Safety Bill that would require companies to scan encrypted messages for harmful content, something that privacy advocates and many major tech companies have said is both technically infeasible and a massive violation of user privacy.
Lawmakers reached the same conclusion on Wednesday. A statement to the House of Lords clarified that the U.K.’s top communications regulator would require tech companies only to scan their networks once it was “technically feasible,” the Financial Times first reported.
Amendments to the bill clarified that the Office of Communications, the top U.K. communications regulator, cannot use the power to require companies to give access to their systems, addressing concerns raised by tech companies that doing so would force them to violate user privacy.
“There is, let me be clear, no intention by the government to weaken the encryption technology used by platforms and we’ve built in strong safeguards into the bill to ensure user’s privacy is protected,” Lord Stephen Parkinson, the junior arts and heritage minister, said at the meeting to discuss the bill.
A coalition including Meta and Signal expressed strong opposition to the original bill, saying in a joint statement it “could break end-to-end encryption, opening the door to routine, general and indiscriminate surveillance of personal messages of friends, family members, employees, executives, journalists, human rights activists and even politicians themselves, which would fundamentally undermine everyone’s ability to communicate securely.”
WhatsApp, Signal and Apple all said they would pull services rather than weaken encryption in the U.K. Other companies such as Proton said they would continue to offer services in defiance of the bill.
Experts also raised concerns that passage of the bill could set a precedent for governments in other countries, including the U.S., to embrace encryption-breaking technology. That momentum is now “blocked,” Paige Collings, senior speech and privacy activist at the Electronic Frontier Foundation, told CyberScoop.
Human rights groups and tech companies say it’s a win to see the U.K. government acknowledge the technology to only scan harmful content isn’t feasible, especially days after the government seemed staid in its position meeting with privacy activists and tech companies just a few days okay.
However, they warn that it still leaves the door open for the U.K. to pursue encryption-breaking technologies in the future. Governments outside of the U.K. have also pushed for so-called “client-side scanning,” which scans a user’s device content against questionable thinking.
“To see the government now recognize this technology is not possible without breaking such an important thing like encryption and privacy rights, I think that’s a really great step forward,” said Collings. “But of course, the fight is not over. The very fabric of this bill has not changed.”
“Is it everything we want or need? No,” Signal CEO Meredith Whittaker posted on X, the platform formerly known as Twitter. “But it’s vital clarity and I’m hopeful that it opens the door for changes to the text of the bill in the final stages.”
Experts including Whitaker have called technology such as client-side scanning “magical thinking” and technically impossible to do without harming privacy.
Moreover, privacy groups say the amendments don’t fully resolve all their complaints with the intricate and extensive bill. For instance, the Online Safety Bill has also attracted criticism for its age verification requirements, which would require any website that contains content accessed by young people to verify the age of visitors using controversial methods such as submitting a government ID. Such requirements invade the privacy of users, risk collecting sensitive user data, and could lead to companies having to censor content on their websites, the EFF’s Collings said.
It seems unlikely that the age verification aspects of the bill will be amended before the final vote on the bill in the coming weeks. Privacy activists will then have to turn their attention to the operational guidelines the UK communications regulator offers, Collings said.