Missing Link: Why UK chat control is so much like EU plans

A comparison with the EU regulation shows striking structural and methodological parallels as well as temporal and substantive ones. This is no coincidence.


(Image: iHaMoo/Shutterstock.com)

By Erich Moechel

In the UK, the "Online Safety Bill" has already passed its second reading in the House of Lords. The House of Lords is currently incorporating the amendments, and some obviously excessive passages have been removed. What remains, however, is the principle that all communications from all providers will be covered, regardless of whether they are in plain text or securely encrypted. It is the same totalitarian approach as in the "chat control" being pushed by EU Commissioner Ylva Johansson.

This British law on child protection online does not only coincide in time with the EU chat control, which was launched in December. The parallels are also hard to miss in terms of content and even method, because both legislative projects stem from a common strategic goal. End-to-end encryption (E2E) as offered by WhatsApp and the other messenger services is to be forced out of the network by requirements that E2E providers cannot technically meet. As recently as the end of January, the Swedish EU presidency claimed that E2E encryption would make law enforcement "blind and deaf".

Section 98 of the Online Safety Bill, which lists all sanctionable types of violations, also includes encrypted communications. If a provider cannot deliver the communications requested in the search warrant in plain text, that becomes just as punishable as tampering with or subsequently deleting those communications.

E2E providers will therefore potentially be under threat of punishment in the UK simply because of what they offer. The same is to be expected in the EU area, because the current draft for a European child protection regulation is based on the same premise, namely that E2E encryption threatens public safety. The way encryption is presented in these two bills is identical to begin with. Wherever it is somehow possible, encryption is not mentioned. In the excerpt above, for example, it is paraphrased as "not readable by OFCOM"; in total, the term "encrypted" appears only three times in both the "Online Safety Bill" and the text of the EU chat control.

The actual key concept is thus deliberately left out, but the requirements for providers are designed in such a way that they can only be fulfilled if the companies hold duplicate or master keys for the communications. The following passage shows what consequences an E2E offering can entail if the regulatory authority issues a search warrant and the provider can only deliver encrypted data.

In Great Britain, this means that not only companies are under threat of punishment. From employees in managerial positions all the way down, everyone who is operationally responsible for forums, chats or even e-mail services has one foot in jail. Originally, even the possible extent of punishment was included in the text; in addition to fines, up to two years in prison can be imposed. Will Cathcart, the CEO of WhatsApp, had already announced several times that he would leave the British market if the bill is passed in this form.

The search warrants for the platform operators do not come from an ordinary court, but from the British regulatory authority Ofcom. WhatsApp and all other providers are obliged to scan the communications of entire segments of their network when a complaint is made, almost at the behest of this authority. Appeals and all other interactions also go through the authority. According to a legal opinion for the civil rights organization Index on Censorship, the Online Safety Bill gives Ofcom far more monitoring powers than the Investigatory Powers Act 2016 granted the British intelligence service GCHQ.

In the EU area, too, courts will not be needed for a search warrant. This follows from the accompanying documents of the Commission's draft on chat control. Reports on the distribution of "child pornography" will go from the police authorities of the member state directly to the new "EU Center against Child Abuse" envisaged under the EU regulation. From there, a "detection order" is issued to the operator concerned, who must then compare the communications in certain segments of their platform with a central database maintained by the EU Center against Child Abuse.

With an annual expenditure of more than two billion euros and 100 employees, a completely new authority is being created that will be located directly at Europol in The Hague. De facto, this is tantamount to an expansion of Europol's powers.

On the occasion of the "Online Safety Bill", the British authorities updated their 2018 joint statement on E2E encryption in mid-January. It was signed by the interior and justice ministers of Great Britain, the USA, Australia, New Zealand and Canada. That's all five countries in the "Five Eyes" spy alliance.

The approach described above was not agreed by politicians in London or Brussels, but at the conferences of the "Five Eyes" and the meetings of the "Club de Berne", the informal body of European intelligence services. Encryption falls within the core competence of these services, which is why they were the first to deal with it; only then, in 2017, were the FBI and Europol sent ahead. The campaign, luridly titled "Police go blind," was pushed for several months in 2018. Then, in November, two senior GCHQ technical staff published a manifesto on the renowned Lawfare blog. Its content is the long version of the Five Eyes statement mentioned above.

In Australia, the goal was achieved just days after this manifesto. In December 2018, the Australian Parliament passed the Assistance and Access Act without debate or amendments. This is purely an enabling act for the Australian Signals Directorate intelligence service and police authorities to access encrypted communications.

The British Online Safety Bill may return to the House of Lords as early as next week for its third and final reading, followed by the final vote. In the U.S., on the other hand, the Kids Online Safety Act (KOSA) is expected in the next few days or weeks; its draft has been in the U.S. Senate since mid-December. Not surprisingly, this bill, which comes from Democratic Senator Richard Blumenthal, contains pretty much all the same provisions that are also included in EU Commissioner Ylva Johansson's chat control and the relevant laws in the UK and Australia.
