But...HOW?
How can something be signed into law when a significant portion requires systems/technologies that have not been invented or approved yet? This is a textbook example of a law which cannot be enforced.
The UK government has set out plans detailing how it will use the new law it has created to control online platforms and social media – with one telling exception. The Draft Statement of Strategic Priorities for online safety places an emphasis on platform providers preventing online harms in the first place, and collaborating …
When you write a systems spec for a new product you don't specify the libraries or what manufacturer's LEDs should be used on the PSU panel. If laws were written prescriptively, particularly in this environment, they'd have to be changed every month as technologies developed and the social media companies changed the way they did things to slip through loopholes. I'm not defending this law but it's the way English common law, and its dependence on the man on the Clapham omnibus, works. The law as written describes the overarching intent of Parliament and its detail will be created in case law in court by judges and juries.
"How can something be signed into law when a significant portion requires systems/technologies that have not been invented or approved yet? This is a textbook example of a law which cannot be enforced"
SSHH! Don't ask awkward questions like that. The new law is far removed from reality. Its only purpose is public relations, i.e. showing the Daily Heil's readership that the government has listened to them and Something Has Been Done. They can now sleep easily in their beds because now there's a law against people doing bad things on the interwebs.
Whether a law is passed has nothing to do with whether it's practical or even possible to comply with it.
See the law almost passed to dictate the value of pi. Or any other attempt to require a back door decryption ability in an encryption technology.
Legislatures tend not to be experts in any given field, so they rely on expert testimony. We currently have a crisis, more or less worldwide, where we're discovering that many of the experts called to testify on things are either corrupted or cranks.
Not in this case though. This legislation was shoved through parliament by the previous government. The one where Michael "we've had enough of experts" Gove had a starring role.
At that time I'm sure the tech sector explained to ministers and MPs their "won't someone think of the children?" bill was stupid and unworkable bollocks. Clearly, none of them were listening.
"Clearly, none of them were listening."
I'm sure some of them were. Unfortunately the various agencies who just want their jobs made easier - and preferably done for them by somebody else - have a lot more influence on the relative ministers than backbench MPs. Home Secs are notoriously well house trained very quickly, apart from the few who start that way.
"Whether a law is passed has nothing to do with whether it's practical or even possible to comply with it."
Hence idiocies like Malcolm Turnbull's declaration that the laws of mathematics don't apply in Australia because of an Oz law requiring tech companies to unencrypt end-to-end encrypted messages.
> The majority of the "tech" companies involved are not UK companies and would not be subject to UK laws anyway.
What utter tosh. Facebook (and others) has a significant presence in the UK, from physical assets to employees—jurisdiction over any or all of which could be exercised by UK authorities to enforce UK law. Crikey, look how despite Elon's absolute very best efforts to avoid it, X was compelled to comply with Brazilian law.
This law is for public relations only and will be impossible to enforce. The majority of the "tech" companies involved are not UK companies and would not be subject to UK laws anyway.
It's a very lengthy act if it's only for PR. A quick flick through shows enforcement powers against service providers include: fines, criminal offences for senior managers, and 'access restriction orders' (which appears to be a broadly defined way of ordering other service providers to restrict access to the offending service).
On the other hand parts of the act are only relevant for services with large numbers of UK users, or who target/market to the UK specifically, so expect the likes of Facebook to feel the heat much more than 'Blake & Dolly's redneck tractor porn blog'.
Medium sized tech companies will probably start playing down their UK monthly active user counts..
"How can something be signed into law when a significant portion requires systems/technologies that have not been invented or approved yet? This is a textbook example of a law which cannot be enforced."
Some of this is perfectly normal and has been this way for a long time, eg-
But it falls silent on the most controversial aspect of the Act, Section 122, which says platform providers should use "accredited technology" to access online content required by law enforcement or regulation.
If you hold a telecoms licence, run an ISP, then you're already legally obligated to support things like lawful intercept. But then you're also legally obligated not to talk about the kit used, how that works etc because that's classified. Especially given very bad people doing very bad things would like to know so they can try and avoid being caught and hopefully locked up for a long time. Which will probably be much the same for service providers and encryption. TPTB no doubt know what they want done, but that would again be classified. And if the SPs don't co-operate, then they can be fined, shut down and possibly execs jailed.
I think the biggest problem is some of the naughty stuff is so broad or vague, we won't know if it's enforceable until cases hit the courts, work their way up to the Supreme Court, then maybe batted back to Parliament to draft something specific enough to be enforceable.
If they had a sufficient method to reliably crack E2E encryption (classified or not) there'd be no need for this law, because the pre-existing setup for 'lawful intercept' via ISPs and network operators would be all they need to obtain the data in-transit. The specific issue this law is attempting (and utterly failing) to address is that proper E2E services can't be intercepted, even by the platform operator, especially if the comms are P2P and don't run through any form of centralised server. The only way this can possibly be addressed is to in some way compromise the encryption, either by breaking the E2E by effectively forcing providers to route all comms through their own servers where they can selectively MITM any and all of the messages, or else by breaking the encryption itself by adding in some kind of backdoor, which would likely be spotted by some bad actor and used to compromise all messages sent on that service. There is no secret 'decrypt this instantly' button or technology that works on properly encrypted data - this law's existence is proof of that.
"The only way this can possibly be addressed is to in some way compromise the encryption, either by breaking the E2E by effectively forcing providers to route all comms through their own servers where they can selectively MITM any and all of the messages, or else by breaking the encryption itself by adding in some kind of backdoor, which would likely be spotted by some bad actor and used to compromise all messages sent on that service. There is no secret 'decrypt this instantly' button or technology that works on properly encrypted data - this law's existence is proof of that."
Yep, you've cracked it. Lawful intercept is already a requirement, so telcos have to implement it if they want to keep operating. The OSA just extends obligations to CSPs like FaceMelta, and they'll have to meet those legal requirements, if they want to continue to operate in the UK. That might mean changing their service to act as that MITM, but the law is currently the law. Like it or not, people do bad things. My usual example is a kid goes missing. LEOs might know they were chatting to someone, knowing who and what was said might help save the kid. Like it or not, sometimes privacy needs to be violated to hopefully stop very bad things from happening. LEAs need the tools to do their job.
New - and old - laws have to deal with situations, including technologies, that have not even been thought of when they're drawn up. Fitting them to current reality is the job of the courts. Normally this works and has done from the time of Henry II or earlier. The trick is to draw them up without inherent nonsense. In this particular instance the courts are going to have a bit of a problem.
On the other hand, if a problem for the Government arises, their lawyers can interpret the law in such a way that the problem can be dealt with quickly under "current legislation" and removed quickly.
Or if the problem means the Government can't do something, oh well the law can be interpreted another way to let them do it.
"their lawyers can interpret the law"
Their lawyers can argue how they want the law interpreted. It will be the courts and no-one else who actually decide how it should be interpreted and they'll listen to arguments and expert witness from both sides, maybe also from amicus curiae briefs.
Pegasus is the first "accredited" bit of software which springs to my mind. If it's already been used by a Government that surely implies it's "accredited".
Then there are those pesky side channels in the CPU/GPU/NPU/AIU that accidentally keep turning up in Intel and AMD chips, not to mention that pesky Huawei networking hardware/software, which if I recall, still needs to be stripped out of a lot of places in the UK. I mean where the fuck is OUR 5G otherwise?
IPv6? No doubt that external IP address in my ISP-supplied router, which it is impossible to delete, is/is not covered by the ACT, as the Router command DELETE only works for IPV2/4 addresses listed in the IP Table.
Oh, don't forget those undocumented BIOS updates I mentioned a couple of years back. I haven't heard anyone come up with a fix for that one yet.
And when Microsoft keeps leaving its Windows wide open on Github, CoPilot+, Windows Server 2025 release/escape (?).........
Do they actually need a legal framework ?
ALF
"Oh, don't forget those undocumented BIOS updates I mentioned a couple of years back"
Man, if you've ever analysed a BIOS image with binwalk, you'd know that BIOS images are such a mess that it would be impossible to put a reliable back door in.
I had a peek inside a Dell PowerEdge BIOS not all that long ago for a fairly recent server (R240) specifically because the documentation was a bit sparse...there's shit in that BIOS that has been hanging around since long before the server was even a footnote in a meeting agenda....BIOS code is carried over for decades through multiple iterations of BIOS chipsets...it's a fucking mess in there...putting in a reliable and cohesive backdoor would be quite the task, it would be far easier to add something new...like TPM or IME or UEFI...you would very likely have to build a new BIOS from the ground up to effectively backdoor it.
Most BIOS firmware is a hackjob at best...it's designed to get your hardware running and that's about it...it ain't bug free, it's not your modern hipster "clean code"...it's your grandpa's code that he wrote with a bookie's pencil on the back of a packet of fags while walking 50 miles in the snow to flash it to the test board that he had to power through his own body because the power cord wasn't long enough and he had to be the extension with the wire wrapped round his finger and his dick in the socket.
It really is a pity that there are tools like:
- Diffie/Hellman
- Very large prime numbers
- Salsa20
- Curve25519
- AES
- ...and so on......
Signal uses many of these......but the interesting thing is that private, technically adept groups can also use all of these......and more!
That's one problem with "the law".....
The other problem is that the people "doing something" in SW1 simply have no money at all for enforcement!
....oh....and don't get me started about "age verification"....or "safety"....
What could possibly go wrong?
Wait until someone produces a viable homomorphic encryption product, where even the people processing the data don't know, have access to or can intercept the data itself.
Though regulation should be happening, there will come a time where communications can't be regulated (and it's possible with today's technology) and I don't see what they'd do about that when it happens.
Yeah but even then, key exchange will be the weak point...doesn't matter how strong or close to real time your encryption is if the key exchange is shit...that and if the key is in use, it's got to be readable somewhere.
You'd be surprised how often the key exchange mechanism and key storage method absolutely fucks a cryptographic setup.
I work in a place that uses a lot of virtual machine based "appliances" that cost a lot of money and as a result have lots of time and money spent on "protecting" them from prying eyes...there hasn't been one that I haven't managed to pop an encryption key on or somehow because you either have to know the key to be able to boot it or the key has to be stashed somewhere in plaintext for the bootloader to be able to use it...my point here being, no matter how robust the encryption is, if you can snag a key, it doesn't matter...I've had a few meetings over the years where I've had people talk at my face about the 8 million bit, destroyer class, solid fuel, multidimensional, subspace, quantum state, chronoton based cryptography they use...only for me to find the key to unlock it on a tiny 10mb FAT partition with a convoluted file structure as an attempt to hide the key.
Similarly, with encrypted channels like TLS, as you alluded to...you're only encrypted up to the "gateway" to an app (that means your ISP can't snoop on the traffic), at least that is as far as you can verify. So let's say a provider like Facebook decides to use load balancers and edge proxies, your connection to them is encrypted up to that point, beyond that point, communicating from the load balancer to the application server can be (and probably is) plain text, so viewing your session inside Facebook, Instagram etc is trivial for law enforcement. Even if the comms from the proxy to the app server is encrypted, there is that little sliver of plain text in there that you can tap into...most of the time, encryption really only applies within the Internet, beyond that, between edge servers and the backend, it's very likely to be unencrypted...at that point whether your comms are seen is entirely down to the platform provider and whether they comply with law enforcement requests...it's always been this way.
The exception is when you have end to end encryption and the platform in the middle has zero knowledge, like your WhatsApps and Signals of the world...even then though, there is a key exchange that happens somewhere. I'm not entirely sure how WhatsApp / Signal pull off their key exchange...but I'd wager it's the weakest link...and if I was going to design a backdoor, that's where it would be...you don't need to know the keys or have access to a device if you can just snag them during a key exchange...I'd be surprised if someone, somewhere hasn't already worked that out...this would also apply to homomorphic encryption as well...because at some point keys need to be exchanged.
The kind of organisations that think on that level when it comes to breaking cryptography aren't the ones this law is aiming to help. It's less for MI5&6's benefit than it is for the likes of Essex constabulary, or other forces whose forensic data specialists do the job on Sundays as a nice break from their 9-5 job installing McAfee on little old ladies' PCs. The plod in this country seem to only have about five actual experts who they share around the various forces, and the rest are folks who took a course on how to use Excel, which immediately makes them head and shoulders more qualified than everyone else in their forensics team. Under those circumstances, I'm not all that surprised that these forces are begging for laws like this, however unrealistic its ambitions are. They're in for a rude awakening though, when they realise that it'll have bugger-all impact on their backlogs.
"Wait until someone produces a viable homomorphic encryption product, where even the people processing the data don't know, have access to or can intercept the data itself."
I worked on a project to deploy a commercial homomorphic encryption proxy product back in around 2013. I forget the vendor's name. The "gateway" basically encrypted select fields (such as customer name, address, etc) in data passed to it via TLS by company internal servers before forwarding the resultant data on to external storage servers (and did the reverse for data queries).
I seem to remember the company selling the gateway had a reputation for being "sue happy" (they sued someone who'd read their publicly available product literature and then wrote an article describing how he *thought* the product worked internally).
I remember being distinctly unimpressed with aspects of the product (i.e. with their TLS "implementation").
It doesn't matter what the tools are.
The fact is, that if you operate a service that cannot be backdoored, it is therefore illegal. If you have designed it so that only the endpoints have the keys to the transmission, well, you just made your compliance with the law more difficult, and prepare for some jail time.
These kinds of laws are basically ensuring that whilst E2E transmission is possible, you'd better not be using it for anything that the State wants a look at.
Don't go there... I went to a high school that installed CCTV in all the bathrooms one summer due to vandalism, then disconnected them all before the start of term after someone finally pointed out that it might be a Very Bad Idea to record schoolkids in the bathroom, even if they couldn't see into the stalls. Even with the cut wire dangling limply from them, they were creepy.
It's high time the RFCs for email were updated to make end-to-end encryption the default rather than an add-on, together with adding the required public key infrastructure into the mechanism (add the information as to location of the key store to the domain data and extend the mail sending protocol to request the key). Key store* would mostly become a part of the MSPs' offering.
PGP (I'm assuming this would be the mechanism) would become part of the mail client. Plebmail would scarcely see any difference as Microsoft and Google would provide all that anyway and the user will continue to see plain text via MAPI but everyone else will get secure mail. It would get over the problem that virtually nobody uses encrypted email because they don't know anyone who uses it because virtually nobody uses it.
Correction - it's not high time for that now. It was high time for it years ago. It should have been the norm for years so the governments trying to pull this now would have to explain to the world why they're unilaterally trying to reduce confidential business communication to the equivalent of being written on the back of a post-card.
*Yes, I know. There'd also have to be a mechanism for getting the key into the store.
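As an added example (not code from the post above or from any mail software), the "put the key store location in the domain data" idea already exists as the OPENPGPKEY DNS record of RFC 7929. The block below builds the query name a client would look up for a recipient and shows why an answer is only safe to trust when it is DNSSEC-validated; the zone contents and key bytes are constructed sample data.

```python
"""
Added illustration (not code from the original post): locating a recipient's
public key via DNS as in RFC 7929 (OPENPGPKEY). The owner name is SHA2-256 of
the local part, truncated to 28 octets (56 hex chars), under the _openpgpkey
label of the recipient's domain. Zone content and key bytes are constructed.
"""
import base64
import hashlib
from typing import Dict, Optional, Tuple

OPENPGPKEY_LABEL = "_openpgpkey"


def openpgpkey_owner_name(address: str) -> str:
    """Return the DNS name a mail client would query for this recipient."""
    local_part, sep, domain = address.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not an email address: {address!r}")
    # The local part is hashed exactly as written (mail systems may treat it
    # case-sensitively); the domain is DNS and therefore case-insensitive.
    digest = hashlib.sha256(local_part.encode("utf-8")).hexdigest()
    return f"{digest[:56]}.{OPENPGPKEY_LABEL}.{domain.lower().rstrip('.')}"


def lookup_key(address: str, zone: Dict[str, str],
               dnssec_validated: bool) -> Tuple[str, Optional[bytes]]:
    """
    Resolve the recipient's key from a (mock) zone keyed by owner name, whose
    values are the base64 RDATA as it appears in a zone file.
    Returns (status, key_bytes):
      "ok"         -- validated answer, key returned
      "missing"    -- no record published for this address
      "unverified" -- an answer exists but was not DNSSEC-validated; trusting
                      it would let whoever controls the DNS path substitute a
                      key of their choosing, so the key is withheld.
    """
    owner = openpgpkey_owner_name(address)
    rdata = zone.get(owner)
    if rdata is None:
        return "missing", None
    if not dnssec_validated:
        return "unverified", None
    return "ok", base64.b64decode(rdata)


# Constructed sample data standing in for a real OpenPGP public key.
SAMPLE_KEY = b"constructed-openpgp-public-key-bytes-for-hugh@example.com"
SAMPLE_ZONE = {
    openpgpkey_owner_name("hugh@example.com"):
        base64.b64encode(SAMPLE_KEY).decode("ascii"),
}

if __name__ == "__main__":
    print(openpgpkey_owner_name("hugh@example.com"))
    print(lookup_key("hugh@example.com", SAMPLE_ZONE, dnssec_validated=True))
    print(lookup_key("hugh@example.com", SAMPLE_ZONE, dnssec_validated=False))
```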
How do you ensure that the YAAC you are encrypting the message for is the real YAAC ?
How do you do mass email ?
You can do encrypted mail to/from the email server but that just means the MMB have one tap at Google/Outlook/Apple, rather than having to tap the connection of every dissident el'reg reader
"It's high time the RFCs for email were updated to make end-to-end encryption the default rather than an add-on"
Assuming you mean adapting/extending SMTP, rather than inventing an alternative protocol, then how exactly would you do that?
SMTP (rather than SMTPS) doesn't use any transport encryption by default (STARTTLS provides an extension to optionally upgrade to TLS if both ends support it, though this can be "man in the middle"'d).
You can't mandate SMTPS as it would "take time" (years, if at all) for any SMTPS rollout to occur across the Internet and what would mail servers do when trying SMTPS delivery and the other end doesn't respond to SMTPS? drop the email? fallback to SMTP?
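As an added example (not code from the post above or from any MTA), the block below models the exact decision the post asks about: an EHLO reply without STARTTLS, whether because the server lacks it or because an on-path attacker removed the line, and what the sender does next. Plain opportunistic STARTTLS falls back to plaintext; when the receiving domain publishes an MTA-STS policy (RFC 8461) in "enforce" mode, the sender refuses and queues instead. The EHLO replies and policy text are constructed samples.

```python
"""
Added illustration (not from the original post): opportunistic STARTTLS versus
an MTA-STS (RFC 8461) "enforce" policy when the EHLO reply offers no STARTTLS.
The EHLO replies and the policy text are constructed sample data.
"""
from typing import Optional, Set

EHLO_WITH_STARTTLS = (
    "250-mail.example.net greets client\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
# The same server as seen through an attacker who strips the STARTTLS offer.
EHLO_STRIPPED = (
    "250-mail.example.net greets client\r\n"
    "250-SIZE 52428800\r\n"
    "250 HELP\r\n"
)
STS_POLICY_ENFORCE = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mail.example.net\n"
    "max_age: 604800\n"
)


def ehlo_keywords(reply: str) -> Set[str]:
    """Collect the extension keywords advertised in a multi-line 250 reply."""
    keywords = set()
    for line in reply.splitlines():
        # Every line is "250-keyword params" except the last, "250 keyword".
        if len(line) > 4 and line[:3] == "250" and line[3] in "- ":
            keywords.add(line[4:].split()[0].upper())
    return keywords


def parse_sts_policy(text: str) -> dict:
    """Parse the key: value lines of an MTA-STS policy; 'mx' may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def delivery_decision(ehlo_reply: str, sts_policy: Optional[dict]) -> str:
    """
    Return "tls", "plaintext" or "refuse" for this connection. Only the
    STARTTLS-presence check is modelled; a real MTA-STS sender also validates
    the certificate and matches the MX host against the policy's mx entries.
    """
    offers_tls = "STARTTLS" in ehlo_keywords(ehlo_reply)
    enforced = sts_policy is not None and sts_policy.get("mode") == "enforce"
    if offers_tls:
        return "tls"
    return "refuse" if enforced else "plaintext"


if __name__ == "__main__":
    policy = parse_sts_policy(STS_POLICY_ENFORCE)
    print("no policy, STARTTLS stripped:", delivery_decision(EHLO_STRIPPED, None))
    print("enforce,   STARTTLS stripped:", delivery_decision(EHLO_STRIPPED, policy))
```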
There is no way of seeing what people are sending to each other on an e2e encrypted peer to peer service. That's why politicians use them. It makes it easy for them to lose their messages by losing their phones when the inquiries start into what they did. [Although their messages could have been recovered from the other parties to them - something that was quietly ignored by the Covid Inquiry.]
I suspect they want to be seen to be doing something to quieten the screechy end of the activist spectrum who want everything banned and a UK only internet that only contains content suitable for 5 year olds. Brexit has set the UK back decades and damaged the economy as badly as if we had lost a war. Cutting the UK and young people off from internet services too would initiate an unstoppable spiral of decline - if we aren't already in one.
They are too scared to tell parents to do their job and keep an eye on their kids' smartphones, although that is the most sensible (and cheapest) solution. After 14 years of Tory destruction, cheap and sensible would be a plan.
quote: the government has commissioned a research project to explore the impact of social media on young people's well-being and mental health.
What, like this one, which has already been done by Oxford University.
https://www.oii.ox.ac.uk/news-events/no-evidence-linking-facebook-adoption-and-negative-well-being-oxford-study/
Because doing things twice is a waste of public money. Which is apparently in quite short supply.
So they're still dreaming of a way to "protect the children" by cracking encryption. Good luck on that - all that will happen is individuals and businesses outside the UK will refuse to do any business with the UK.
Besides, everyone knows the "child" they're most concerned about is the tax man's missing revenue from tax evaders and the black market.
I think it’s actually section 121
https://www.legislation.gov.uk/ukpga/2023/50/section/121
However, a first reading seems to imply the tools a service provider should use in response to receiving a ‘notice’ need to be “accredited technology”, rather than the service being examined needs to be built using “accredited technology”…
Quote: "The set of priorities lists activities that might take place on online platforms."
Ha! "online platforms"! So the target is service providers....Meta, Signal, WhatsApp...and so on.
It's a pity that there are plenty of technically competent groups who are doing peer-to-peer encryption, maybe even just using email as transport:
- NO published keys (see Diffie/Hellman for details)
- Huge prime numbers (or Curve25519)
- Multi-pass encryption
So, let me guess if the focus on "online platforms" misses some significant portion of "Online Safety"???
Of course, the bad guys might just get cute.....use private encryption BEFORE they send something over Signal!!!!
Do the people in SW1 know anything at all.....apart from how to draw down £83,000 per annum? No...I didn't think so!!