Security Experts:

EFF, OTI Respond to UK's Online Harms Legislative Proposal

The Electronic Frontier Foundation (EFF) and New America's Open Technology Institute (OTI) have published their combined response to the UK government's Online Harms White Paper. The white paper, published in April 2019, with a public consultation period ending July 1, 2019, proposes legislation designed to increase the safety of users online.

The proposed legislation is intended to target any company that allows users to share or discover user-generated content or interact with each other online. While this obviously includes large social media sites, it will also include small niche sites that allow users to comment on articles. The white paper specifies "a very wide range of companies of all sizes, including social media platforms, file hosting sites, public discussion forums, messaging services and search engines."

The inclusion of 'messaging services' is interesting, because it brings the whole problem of end-to-end encryption within the purview of the legislation. The paper mentions encryption just once, giving it a low profile, but linking it to child exploitation over an encrypted messaging service. However, it specifically asks, "In developing a definition for private communications, what criteria should be considered?"

It could be argued that the content of private communications is a separate issue to online harms legislation aimed at hateful, hurtful and illegal visible content; and there is a danger that the encryption issue is quietly being hidden in the discussion. Governments tend to do this with contentious issues.

Interfering with encryption could thus be seen as legislative overreach for online harms, and EFF/OTI are forthright in their response (PDF): "access to encryption including for end-to-end encrypted messaging services is vital for safeguarding the rights to privacy and freedom of expression. As a result, no channels or forums that offer private encrypted communications or messaging services should be in scope of the regulatory framework."

EFF/OTI add that access to encryption "is fundamental for safeguarding human rights in the digital age, including privacy and freedom of expression. The UK government should not create any rules or regulations that require internet platforms and technology companies to pre-filter or otherwise scan or monitor private communications. In addition, no rules or regulations should mandate interference with technology companies' ability to offer messaging services that are end-to-end encrypted."

An independent regulator and annual transparency reporting are key parts of the UK proposal. EFF/OTI support transparency reporting but offer several suggestions to ensure it is effective. Standardized reporting by the companies concerned should be encouraged so that "data points can be effectively compared and contrasted." Reporting should be sufficiently granular to be meaningful, but not so granular that it impacts on user privacy issues. EFF/OTI call on the UK government to standardize transparency around the Santa Clara Principles on Transparency and Accountability in Content Moderation.

This is linked to a separate concern. Internet services are transnational, meaning that service operators will need to satisfy multiple jurisdictions. There is consequently a distinct possibility that the UK will ban content that is perfectly legal in the U.S. This in turn is likely to have a knock-on effect on innovation and competition. While existing large companies might have the resources to treat separate jurisdictions differently, new companies will not. They will need to be mindful of different privacy regulations as well as different content regulations in different jurisdictions.

Enforcement is also complicated in the transnational environment. The government asks if the regulator should be empowered to require that foreign companies nominate a representative in the UK for liability purposes. EFF/OTI are not keen, because "only a handful of major platforms will be able to afford a representative in every separate regulatory environment." It will limit competition, "not just for new competitors hoping to enter the UK market, but also for British companies seeking to expand outside the UK."

This could lead to a further narrowing of the internet. Europeans are already denied access to large numbers of U.S. sites because of GDPR. Why should U.S. sites with primarily U.S. audiences worry about conforming to European privacy legislation when they have a simple solution: geo-block European IP addresses? This process is likely to be adopted further to prevent entanglement with UK content laws -- and it doesn't work. Europeans who want access to those sites simply by-pass the self-imposed geo-block with a VPN. The same process will be used by UK citizens wishing to engage with sites considered harmful by the UK regulator, but legal in other regimes.

One area of concern for EFF/OTI is the funding of the regulator, which is "intended to be cost neutral." In short, the industry will be required to fund its own regulation, which ultimately means that the consumer will pay the cost but with no say in how he pays that cost. There are numerous problems with this approach, both in its effect on the regulator and the effect on the consumer.

For the regulator, EFF/OTI quote Bruce Schneier from his book 'Liars and Outliers': "If a government agency exists only because of the industry, then it is in its self-preservation interest to keep that industry flourishing." The implication is clear -- if the regulator is paid by the industry there is a danger that it will be owned by the industry. This in turn feeds back into the danger of excluding competition -- there is a "risk of the regulator becoming over-receptive to the needs and approaches of internet giants, versus potential competitors and better solutions across the wider Web."

Few people will deny that users need to be protected from the more severe harms that can come from the internet, whether directly from bullying and hate speech or indirectly from criminal and terrorist communications and fake news. The difficulty for governments is in finding the right level of regulation; and their natural proclivity is to subsume as much control as possible. There is consequently a constant danger of regulatory overreach, and EFF/OTI clearly see such a danger here.

"As the UK government works to address a growing range of online harms," comments Spandana Singh, policy program associate at OTI, "it must also take steps to protect free expression online. The government should refine their approach to tackling online harms in a manner that fosters a culture of transparency, trust, and accountability; safeguards free expression online; and respects international human rights law more broadly."

Related: Ten Principles for a New Approach to Regulating the Internet 

Related: Improved IoT Security Starts with Liability for Companies, Not Just Legislation 

Related: Inside the Legislative and Regulatory Minefield Confronting Cybersecurity Researchers 

Related: How the Government Could Improve Security Through Legislation 

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.