So that’s that. It’s done. We’re out. Now what? What’s ahead for internet regulation in the UK in 2021? What’s the fight I’m resting up for?
To know where we’re going, first we have to look back at where we’ve been.
When it comes to the future of the web and digital sectors in the UK, we are still dealing with the leftovers from the May premiership. The current strategies, plans, and frameworks on our plates are products of her government’s time, and are still very much in the legislative train.
(The Johnson premiership has had no actual strategies, plans, and frameworks on digital, aside from Dominic Cummings and his “woohoo yay tech shiny gadgets tech bro mates AI machine learning, and BOOOO privacy law” mindset. The National Data Strategy is the only tangible result of the Cummings premiership, and it opened a pandora’s box which did not tell government what it wants to hear.)
In that light, the UK government and civil service are still essentially stuck in the Theresa May mindset towards digital, and that is the approach they bring to policy and regulation.
Let’s revisit Rowland Manthorpe’s essential essay on what Theresa May meant for tech and digital. He identified four components of the doctrine we can call Mayism:
- Antagonism towards big tech, and a conflation of big tech/social media regulation with internet regulation, and which as anyone who works in policy can tell you, can border on deranged obsession;
- Technological nationalism, inserted like buzzword bingo into any public statement or aspiration, which aims to Make Britain Great Again as a “world leading” nation which boasts a British web for British people;
- The surveillance state, one directed inwards rather than outwards, where everyone is a suspect presumed guilty until proven otherwise, everyone must be monitored, and everyone must be supervised; and
- Inaction. Policy is made through ministers (the kind who can barely suss a smartphone) penning table-thumping PREMIUM opinion columns in the Telegraph, in order to please the Telegraph*, while avoiding any engagment with the realities of policy and technology which actually lie ahead. (*Other papers are available.)
None of that has changed. But now we’ve left the European Union, the Digital Single Market, and soon enough, the body of human rights legislation which drove its values. Those four values of Mayism will therefore shape what lies ahead for us, with no EU bogeyman left to blame.
And so we come to the prediction.
What we are going to see in 2021 is a wholesale push to legalise the business models of the domestic stalkerware and surveillance industries.
Because, let’s face it, that is all that’s going to be left after the rest of the homegrown tech sector relocates back to Europe, meaning the few who haven’t left already.
Stalkerware is stalkerware. Surveillance is surveillance. Calling it online harms prevention, age assurance, child protection, safeguarding, anti-bullying, or safety tech doesn’t make it otherwise. Keyloggers, screen recorders, AI ML to recognise the words people are typing, even AI phrenology to measure the head of the person in front of the camera to identify the children, it’s all here already. Throw in the PR line which insists that all of that is to protect children from those evil bullies in “big tech”, and you have the sweet spot of the big tech antagonism, the surveillance state, and technological nationalism that Mayism craved. It’s happening. It’s all go.
So the push to legalise the business models of stalkerware and surveillance tech will be done, as it is already being done, under the guise of child protection – the goal, after all, is to “make the UK the safest place in the world to be online”. (That line is barely holding up in policy exchanges already, and within a few months, it will no longer hold water.) Children will become human shields in government’s bloody-minded determination to build a techno-nationalist, authoritarian firewall around the Great British Internet and all who sail in her. Cue sycophantic clapping from government about this great British success story as an example of what can be achieved through post-Brexit deregulation.
(None of this is to say that child protection and big tech aren’t problems. But what we’re seeing now is merely the creation of more problems, not more solutions.)
The push will come from many angles. One will be the erosion of intermediary liability law, which has been the outright goal for many years, and which saw a major boost with the online harms consultation response:
Today's Online Harms consultation response is perhaps the first major UK divergence from a big principle of EU law not tied to Brexit directly: it explicitly proposes a measure ignoring the prohibition on requiring intermediaries like platforms to generally monitor content.
— Michael Veale (@mikarv) December 15, 2020
(Read the whole thread, it’s a good one.)
It will also come through the erosion of privacy law, perhaps with carve-outs to the DPA 2018 to allow “safeguarding”. The six month moratorium on alterations to domestic privacy law during the EU adequacy process will be an interesting one to watch.
The push will also come through continued demands for backdoors and workarounds to encryption, ostensibly targeting literally one single company but impacting everyone who uses any form of encryption anywhere, in government’s continued determination to selectively regulate maths.
It may well even include proposed alterations to the Computer Misuse Act, which currently stands in the way of the child surveillance sector’s ultimate dream of being able to intercept and modify children’s communications outright.
Above all, though, it will mean a renewed push for age verification. The policy push to mandate age verification for all users on all sites and all services, which government thankfully failed to push through with the Age Appropriate Design Code, is back with a vengeance. We’re already seeing that idea rehashed as a means of identifying child users to ensure that their internet use is not protected by E2E encryption, or to apply different standards to them. The comprehension of mandatory AV for everyone as adding another layer to the internet stack is perpetually lost on them. Shrug.
Will the erosion of privacy, encryption, and intermediary liability regulation, on top of mandated age assurance processes, make people safer, reduce bullying and abuse, or make the web a better place to be? I think you know the answer to that.
So what can you do, if this prediction comes to pass, to keep the web open for all, in a way that will ensure that we might someday be able to actually get to grips with these issues outside a techno-nationalist, authoritarian mindset? That one’s easy.
First, you can join and support the civil society, privacy, and freedom of expression groups which work on these issues in the policy sphere. (No prizes for guessing which one is my favourite.) We are on these issues every day politically, technically, and legally.
Second, you can recommit to supporting strong standards of privacy, encryption, and intermediary liability, regardless of what legislative changes may be ahead. Define your values and your north stars, and don’t show up to the fight until you do.
Third, you can relocate your business either to Europe, or to a devolved nation which will soon rejoin Europe, to ensure regulatory consistency in a rights-based framework for both your business and your users. The British Internet for British People, with its micromanged rules which will require companies to carry out privatized censorship and surveillance, is not going to be a fun place to be online, much less grow a business.
Fourth, and this is a radical idea, I know, but talk to the young people in your life about the strong, confident, resilient and independent people they are going to become someday. Comprehend the role you play in making that happen. Because it ain’t going to be through stalking, surveillance, and suspicion. Don’t push that stuff on them. Don’t build that stuff. And don’t support companies who do.