The UK’s communications controller, Ofcom, declares it is prepared to “interrupt” tech platforms that do not obey with the country’s controversial new Online Safety Act, as well as cutting them off from payment schemes or even blocking them from the UK.
The act—a extensive piece of regulation that covers a range of topics, from how technology platforms must shield children from manipulation to scam marketing and terrorist content—became law in October. Currently, the controller released its primary round of suggestions for how the act will be applied and what technology corporations will need to do to fulfill.
The proposed regulations would induce Big Tech companies to challenge avenues for preparing children for exploitation on their platforms, and to have “satisfactory” trust and security teams to limit the spread of damaging content. Companies will also have to designate an individual in the UK who can be held personally responsible for violations.
“Our regulation activity starts today,” says Gill Whitehead, a former Google executive who now control Ofcom’s Online Safety Group. “From today, we will be overseeing, one-to-one, the major firms and the firms that we think may have the highest risks of certain categories of illegal harms. The tech firms need to step up and indeed take action,” he said.
Ofcom’s suggestions give some precision over what tech corporations will need to do to evade consequences for breaching the act, which could comprise of penalties up to 10 % of their global proceeds and illegal charges for executives. But the suggestions are questionable to assure messaging platforms and online privacy promoters, who say that the act will induce platforms to undermine end-to-end encoding and create backdoors into their facilities, opening them up to privacy abuses and security hazards.
In defending the Operational Safety Act, the administration and its supporters have represented it as vital to shielding children online. Ofcom’s first tranche of suggestions, which will be trailed by more discussions stretching into 2024, emphasis severely on preventive minors’ access to troubling or unsafe content, and on averting them from being groomed by possible abusers.
Ofcom says its study shows that 3 out of 5 children between the ages 11 and 18 in the UK have acknowledged unwanted approaches that made them feel uncomfortable online, and that one in six have been directed or been requested to share naked or semi-naked images. “Scattergun” friend requests are made use by adults looking to groom children for exploitation, Whitehead says. Under Ofcom’s suggestions, companies would need to take measures to avoid children from being advanced by people external of their immediate networks, including making it impossible for accounts they’re not related to send them direct messages. Their friend portfolio would be concealed from other users, and they wouldn’t appear in their own lists.
To conform with this is likely to mean that platforms and websites will be required to expand their ability to confirm users’ ages, which will mean gathering more information on the individuals accessing their services. Wikipedia has said that it might have to block entree for UK users, because conforming would “violate our promise to collect minimal information about readers and contributors.” Companies in the UK are already facing certain guidelines that necessitate them to, for example, avoid underage individuals from accessing advertisements for age-restricted products, but have formerly struggled to implement so-called age-gating facilities that are suitable to both regulators and customers, according to Geraint Lloyd-Taylor, an associate at the law firm Lewis Silkin. “There does require to be a focus on explanations, not just recognizing the problems.” Lloyd-Taylor says.
Whitehead informs that Ofcom would be putting out additional detail about precise approaches to age confirmation in another discussion next month.
One of the most debated sections of the Online Safety Act commands that companies that offer peer-to-peer infrastructures, such as messenger apps like WhatsApp, must take measures to safeguard that their facilities aren’t used to convey child sexual abuse material (CSAM). That signifies that companies need to find a method to scan or search the content of users’ mails, something that safety experts and tech officials say is impossible without breaching the end-to-end encoding that is used to keep the platforms private.
Under end-to-end encoding, only the despatcher and recipient of a message can view its content—even the operator of the platform cannot decode it. To meet the necessities under the act, platforms would have to be able to look at operators’ messages, most likely using so-called client-side scanning, fundamentally observing the message at the device level—something that privacy protestors have associated to placing spyware on a user’s phone. That, they say, generates a backdoor that could be exploited by security services or cybercriminals.
Assuming the UK government is totally virtuous, and assume that they will practice this technology only for its planned purpose. It doesn’t matter because you cannot stop other actors from using it if they hack you, says Harry Halpin, CEO and initiator of the privacy technology company NYM. This means not only will the UK government be analyzing your messages and have entree to your device, but so will overseas governments and cybercriminals.
Meta’s WhatsApp messaging service, as well as the encoded platform Signal, threatened to leave the UK over the suggestions.
Ofcom’s planned rules say that community platforms—those that aren’t encrypted—should use “hash matching” to recognize CSAM. That technology, which is already used by Google and others, compares images to a former database of illegal images using cryptographic hashes—fundamentally, encrypted individuality codes. Promoters of the technology, including child safety NGOs, have claimed that this preserves users’ confidentiality as it doesn’t mean aggressively looking at their images, simply comparing hashes. Critics say that it’s not essentially effective, as it’s quite easy to cheat the system. You only have to alternate one pixel and the hash deviations completely, Alan Woodward, professor of cybersecurity at Surrey University, told WIRED in September, prior to the act becoming law.
It is doubtful that similar technology could be utilized in private, end-to-end encrypted communications without undermining those defenses.
In 2021, Apple said it was constructing a “privacy protective” CSAM recognition tool for iCloud, built on hash matching. In December last year, it abandoned the initiative, later indicating that scanning users’ private iCloud data would create security risks and “insert the possibility for a slippery slope of unintentional penalties. Scanning for one form of content, for example, opens the door for wholesale surveillance and could generate a desire to search other encoded messaging structures across content types.
CEO of Proton Andy Yen, which offers secure email, browse and other facilities, says that negotiations about the use of hash matching are a optimistic step compared to where the Online Safety [Act] initiated.
Although we still need precision on the exact necessities for where hash matching will be essential, this is a triumph for privacy, Yen says. But he added hash matching is not the privacy-protecting silver bullet that some indicate, it is and we are worried about the possible influences on file sharing and storage services…Hash matching would be a fudge that poses other risks.
