Opponents of the bill say that putting backdoors into people’s devices to search for CSAM images would almost certainly pave the way for wider surveillance by governments. “You make mass surveillance become almost an inevitability by putting [these tools] in their hands,” Woodward says. “There will always be some ‘exceptional circumstances’ that [security forces] think of that warrants them searching for something else.”
The UK government denies that it has changed its stance. Minister for tech and the digital economy, Paul Scully MP said in a statement: “Our position on this matter has not changed and it is wrong to suggest otherwise. Our stance on tackling child sexual abuse online remains firm, and we have always been clear that the Bill takes a measured, evidence-based approach to doing so.”
Under the bill, the regulator, Ofcom, will be able “to direct companies to either use, or make best efforts to develop or source, technology to identify and remove illegal child sexual abuse content—which we know can be developed,” Scully said.
Although the UK government has said that it now won’t force unproven technology on tech companies, and that it essentially won’t use the powers under the bill, the controversial clauses remain within the legislation, which is still likely to pass into law. “It’s not gone away, but it’s a step in the right direction,” Woodward says.
James Baker, campaign manager for the Open Rights Group, a nonprofit that has campaigned against the law’s passage, says that the continued existence of the powers within the law means encryption-breaking surveillance could still be introduced in the future. “It would be better if these powers were completely removed from the bill,” he adds.
But some are less positive about the apparent volte-face. “Nothing has changed,” says Matthew Hodgson, CEO of UK-based Element, which supplies end-to-end encrypted messaging to militaries and governments. “It’s only what’s actually written in the bill that matters. Scanning is fundamentally incompatible with end-to-end encrypted messaging apps. Scanning bypasses the encryption in order to scan, exposing your messages to attackers. So all ‘until it’s technically feasible’ means is opening the door to scanning in future rather than scanning today. It’s not a change, it’s kicking the can down the road.”
Whittaker acknowledges that “it’s not enough” that the law simply won’t be aggressively enforced. “But it’s major. We can recognize a win without claiming that this is the final victory,” she says.
The implications of the British government backing down, even partially, will reverberate far beyond the UK, Whittaker says. Security services around the world have been pushing for measures to weaken end-to-end encryption, and there is a similar battle going on in Europe over CSAM, where the European Union commissioner in charge of home affairs, Ylva Johannson, has been pushing similar, unproven technologies.
“It’s huge in terms of arresting the type of permissive international precedent that this would set,” Whittaker says. “The UK was the first jurisdiction to be pushing this kind of mass surveillance. It stops that momentum. And that’s huge for the world.”
Updated 10/08/2023 2:50 am ET to add a statement from the UK government.