The Online Safety "Bull"
How the UK government does not understand security and cryptography and the impact of proposed changes
Imagine you wanted to send a message to a friend. The message has sensitive information so you want to send it securely.
They have given you a box which you can put your message in and a key to lock it. They own the only key that will unlock it - not even the key you used to lock it will open it. You have also given them the same sort of set up to send messages back to you. You happily send these messages and chat about what is happening in the world.
Unfortunately the rulers of your kingdom think that you might be sending illegal messages, or at least saying horrible things about them, so they want to see everything you are sending. From the perspective of keeping the kingdom safe this sounds reasonable. However they can't open the box so they decide that the only way that may work is to look at the message before it is sent.
They decide that they will send over a robot they call a "scanner" to read your message before it is put in the box. One company tried this approach before but wrote it off as not possible for ethical and technical reasons. The rulers tell you it is okay as they know how to do it and not to worry as the scanner will be developed by a trusted company and won't share anything it reads with anyone else, well not much anyway - it will give a thumbs up or thumbs down to the message.
The scanner has to read the message, interpret what it sees and then decide. However its interpretation is not perfect and sometimes it will block perfectly legitimate messages. If a message is blocked it will notify the rulers that you are trying to send something and may end up with you not being able to send any more messages - it could even involve them reading the messages and deciding to take more serious actions. So your harmless message about the next door neighbours cat could end up with you being blocked if the alternative word you used for cat is misinterpreted.
Obviously the bad guys will try and read your messages so they will try and come up with schemes to do this. Maybe they could send you fake scanner; it looks like the real one but sends them all the messages instead. Maybe the fake scanner could threaten to send all your messages out unprotected unless you pay a ransom. Maybe someone could be peering through the window and looking at the message while the scanner reads it.
All the makers of the secure boxes decide that they don't want to be involved with this so they choose to no longer allow their boxes to be used in your kingdom. No-one is able to send any messages any more but the rulers are happy as there are no illegal messages being sent.
This may sound like fiction but this is effectively what the UK government is proposing with their Online Safety Bill. They want messaging companies to either remove encryption so messages are sent in a form that others could intercept and read or introduce a magical technology that will securely scan messages before they are sent. No-one has yet developed an approach to this that works and still keeps the messages secure. Experts in security and cryptography have raised concerns about this along with the technology companies involved. Regardless of this they are still ploughing ahead and vaguely waving their arms around claiming it will work with no evidence to back this up.
Watch this space ...
Links
Online Safety Bill: Suella Braverman fails to understand encryption risk | Open Rights Group