Fixing the UK’s Online Safety Bill, part 1: we need answers.

Here we go with the second of three posts on potential paths forward for the UK’s Online Safety Bill. This one will cover what needs to be cleared out of the way before the Bill can progress, regardless of who takes over that work next month.

That means a series of questions which need answers.

Any one of these questions would be a deal-breaker in a normal political environment. But we have four of them, in as abnormal a political environment as it’s possible to endure.

I do not lay these questions here out of policy pique. This is the time when the people, projects, and companies in scope of this Bill – which, you’ll recall, includes pretty much any one-man-and-a-dug small business on upwards as well as any site containing potential online harms such as “hyperlinks” (I kid you not) – need to start planning their next steps. So they need to know, right now, what it is they’re preparing for.

That may mean a full compliance process, or as is more likely than not, getting ready to jettison their British customers, wind up their UK operations, block all UK access, and get the hell out of here as fast as they can.

For what it’s worth, I am as sick and tired of writing about this thing as you are of reading about it. I should be outside enjoying what’s left of the Great Scottish Summer. But time is of the essence, given the Conservative leadership race, and so wonk we must.

Question 1: Does the UK intend to introduce a general monitoring obligation?

I cannot stress enough how critical this point is, and how dangerous this territory is for the open internet as a whole.

The Bill’s explanatory notes (.pdf, page 12) state the following:

27. Prior to the United Kingdom’s exit from the European Union, the legal framework for the regulation of online services was primarily set out in the EU e-Commerce Directive (eCD). The eCD detailed the rules for online service providers in respect of transparency and information requirements, rules for cooperation between member states, and, most importantly for the Bill’s purposes, a framework limiting the liability of online intermediaries for the content they host on their services.

28. The eCD prevented member states from imposing liability on service providers who provide a service that ‘consists of the storage of information provided by the recipient of the service’ for content created by users, so long as ‘the provider does not have actual knowledge of illegal activity or information and … is not aware of facts or circumstances from which the illegal activity or information is apparent’. This limitation was contingent on the host, upon gaining knowledge of such content, removing it expeditiously. Article 15 of the eCD also contained a prohibition on the imposition of requirements on service providers to generally monitor content they transmit or store, or to actively seek facts or circumstances indicating illegal activity.

29. The status of the eCD following the United Kingdom’s exit from the EU is governed by the European Union Withdrawal Act 2018 (EUWA), which contains some provision for the continued operation of EU law. Section 5 of the EUWA holds that the supremacy of EU law ceased following the end of the transition period. This means there is no longer a legal obligation on the United Kingdom to legislate in line with the provisions of the eCD following the end of the transition period on 31 December 2020.

I hope you can see that this is a very shifty way of going about it. They are saying “we are no longer subject to the prohibition on a general monitoring obligation”, but they don’t have the bollocks to actually go out and say “we are introducing a general monitoring obligation”.

The Bill does, indeed, create a general monitoring obligation in all but name. And in some corridor of power, they know that this is such a radical shift that it alters the UK’s technical internet architecture, with extraterritorial implications for anyone anywhere in the world who has the audacity to communicate with a Brit.

No wonder they’re afraid to say the quiet part out loud.

To make this truly absurd, the withdrawal from the prohibition on a general monitoring obligation is presented as a positive, framed as “taking back control” from the European Union. That puts us on very dangerous territory here, as both of the candidates for the top job have made the requisite noises to Middle England about their intentions to get rid of any and all EU legislation, regardless of its purpose or merit. That implies that any principle which carries the tinge of Europe – such as the prohibition on a general monitoring obligation – could be discarded out of sheer spite.

It is rather staggering that the fundamental principle which has enabled the growth of the internet since 1996 has been relegated to a legalese fudge in a corollary document, bogged down in language which speaks to the Mail and the Express but not to the people whose work will be impacted by it.

So job number 1 for the new Premiership, and Minister for Digital, needs to be to stop fudging and spit out the truth.

Question 2: Is this, in fact, a splinternet?

And if not, what is it?

At some point in the plague-ridden recent past, it became clear that government’s tagline about making the UK “the safest place in the world to be online” means a splinternet.

That is the only thing, by its own words and deeds, that it could possibly mean. Because the OSB introduces three additional technical layers to the UK’s internet stack, all delegated to the private sector and to service providers, using the “duty of care” as the legislative vehicle.

The first additional technical layer is the identity layer, meaning the mandatory age verification requirement for all sites, all services, all users, and all content, regardless of scope, risk, or proportion, because of rent-seeking by the age verification industry.

The second additional technical layer is the general monitoring obligation, which as I’ve previously covered, will require service providers in scope (meaning everyone) to install automated filtering, monitoring, surveillance, and tracking technology, because of rent-seeking by the filtering, monitoring, surveillance, and tracking technology industry.

The third additional technical layer, as I’ll cover in the next point, is the likely requirement to break the security of end-to-end encrypted communications. This is ostensibly because of the four horsemen of the infopocalypse – isn’t it always? – but in this particular political context, the Bill also covers subjective and legal communications. It also means any subject which a political appointee (e.g. the Secretary of State for DCMS) determines must fall into scope, for wholly political reasons.

That’s a splinternet.

It’s a splinternet which is not private, due to the identity layer; filtered and censored, due to the general monitoring obligation; and insecure, due to compromised security and encryption.

Oh and by the way, service providers who refuse to collude in the “duty of care” obligations stated above will find themselves on the wrong end of the Bill, as its provisions can be used to disrupt the infrastructure providers which power your operations, such as web hosts, CDNs, and payment processors.

Does this sound like the safest place in the world to be online? DCMS certainly thinks so. Does this sound like the best place in the world to start a business online? The candidates for the top job certainly think so.

YMMV.

So if three layers of technical interception aren’t a splinternet, what are they?

Answer: yes, it’s a splinternet.

Question 3: Is the intention to use the Bill to target end-to-end encryption?

I’m not going to get into this whole mess – I put in enough hours on this in my previous job (here, for example) – but I can tell you that as of my meeting in Parliament at the beginning of the month, Priti Patel’s Home Office is still keen to use this Bill as the vehicle to break end-to-end encryption.

Or to put it correctly, to delegate the obligation to you to break end-to-end encryption, lest you face penalty fines, criminal sanctions, and even arrest.

That is not an exaggeration. The e2ee debate is happening around the world, but in the UK, it is taking place in a uniquely batshit political context. You’ll recall that we have a senior Tory who has called for any developer or company deploying e2ee encryption, for any reason including financial security or health data, to face retroactive criminal sanctions under the Online Safety Bill, in order to “get” Facebook and WhatsApp.

I’m just a girl, standing in the sunlit uplands, asking government to clarify whether it intends to start sending around Black Marias to round up developers who use end-to-end encryption to safeguard financial transactions, or NHS data, or our children’s education, or our vital national cybersecurity infrastructure, because one of the core principles of network integrity is collateral damage in government’s vendetta against one specific company.

Is that really too much to ask?

Question 4: What open, transparent, and accountable standards will be used to anchor the regime’s content moderation rules?

As I previously wrote, the UK’s approach to the OSB, and to post-European digital regulation as a whole, has rejected the principles of multilateral internet governance in favour of a bombastic obsession with devising a ‘world-leading’ system of internet regulation based on going it alone: and not just going it alone, but doing so in the belief that the rest of the world will kowtow to our genius and follow our lead.

(I hate quoting myself #wonkbloggingproblems but there you go.)

Meanwhile, in the rest of the world, there is some genuinely fantastic work being done on establishing standards, processes, and procedures for tackling problems of internet governance which are open, transparent, accountable, and most importantly, multilateral. They are the products of years of collaborative work across civil society, academia, law, technical experts, top thinkers, policymakers, service users, people with skin in the game, and yes, industry, whether you like that or not.

In fact, there’s so much amazing work out there I would barely know where to start. There are the Santa Clara Principles on content moderation, which have just had a refresh. There are the Internet and Jurisdiction Policy Network toolkits on cross-border content regulation. There are the new Council of Europe guidelines on combatting hate speech. There’s the UNICEF standard on children’s data governance which I was honoured to contribute to. There’s the work of the UN Special Rapporteur. There are the BSR guidelines on a human rights-based approach to content governance. There’s the work of the Internet Society. There’s the work of the IGF.

And goodness me, have you ever read Robin Berjon’s blog?

This is easily the most exciting time to work on the open internet since the mid-1990s. It almost feels like it again: people coming together across nations and borders to work together for the common good with no ulterior motives.

And standing well aside from all of that is our bitter little island + a bit, determined to make up its own rules, mark its own homework, and go it alone: a “world-leading” internet regulation regime which spitefully ignores the rest of the world and what they have to say, guided by finger-wagging Internet Karens who know best.

It’s quite sad, actually.

Ahead of the new regime, Ofcom has been on a hiring spree to pick up the civil servants who will do the grunt work. I know some of the people they’ve taken aboard. They’re neither conniving politicians nor greedy lobbyists nor scheming astroturfers; they’re good people, who want to do the right thing, and want to effect positive change from the inside. Unfortunately, as per modern Conservatism, they will be thrown under a bus and blamed for the Bill’s inevitable failures by politicians and media alike.

That means it’s all the more important for them to work in spite of their political leadership, not with it, and anchor their work in those international standards, multilateral principles, and accountable rules. In doing so, they won’t just be safeguarding your rights to privacy, freedom of expression, and security; they’ll be giving themselves the safety they need to push back against their political masters, who will inevitably order them to do as they’re told, regardless of how unilateral or harmful that direction may be.

So it may be worth it for government, DCMS, and Ofcom to clarify what open, transparent, accountable, and multilateral standards will underpin the UK’s “safest place in the world to be online” before they get to work on hammering down what that will mean in practice for you, and for all of us.

Better a little bit of extra homework, after all, than a judicial review.

Last point I want to raise here for today:

There is food for thought on why these questions remain both unasked and unanswered, over three and a half years into the Bill’s existence, and at a time when the next Prime Minister (whoever that is) may well shove the Bill into law with minimal debate, based on their personal and political misunderstandings of what it is and what it does.

That food for thought should be as much a part of the debate as the questions themselves.

Postscript: apparently the concept of splinternets is new to some readers; if that’s you, start here.

Header image by me: a project fork in my garden.

The Author

I advocate for an open web built around international standards of human rights, privacy, accessibility, and freedom of expression. This is my personal site, and the opinions on it do not reflect the views of any current or previous employer.
