As you may have heard, the government of the United Kingdom is trying to pass an Online Safety Bill. This piece of legislation would have far-reaching and negative consequences for online security and privacy. In an open letter well-known communication channels such as WhatsApp and Signal object. They believe that the Bill could “break end-to-end encryption” and would “open the door to routine, general and indiscriminate surveillance of personal messages.”

It can be hard to find your bearings in the discussion about online privacy. Government rhetoric construes the issue as if it was about whether or not you think criminals should be held accountable. There’s little room for discussion about that. But this rhetorical focus on crime is a red herring. Law enforcement agencies already have a wide range of powers to track down or spy on criminals. What is really at stake is our right to privacy, and whether it is worth anything still. I think it is worth a lot. As I see it, it has never been more important to stand up for online privacy and argue that we have a right to encrypt.

Life in a prison

So what is the Online Safety Bill trying to achieve? Many things, but a significant goal is to encourage proactive and arbitrary invasion of privacy. The UK government wants to see to it that online communication is screened by default. Messages and photographs you share with friends or colleagues should be disclosed to some third party to be scanned for illegal content, much like how messages sent to family and friends by prisoners in high-security prisons are currently checked by prison staff.

But unlike the prison, which requires the intervention of a judge, the UK government is trying to promote arbitrary screening. Regardless of what you’ve done or said, and free from the need of any court order or warrant, your messages and photographs will be treated as suspicious.

The Bill does not make law enforcement agencies themselves responsible for the screening. Instead, it requires websites and apps like WhatsApp and Signal to do the work for them. Outsourcing surveillance. As the Electronic Frontier Foundation writes,

Clause 110 [of the Online Safety Bill] mandates that websites and apps must proactively prevent harmful content from appearing on messaging services. That’s going to lead to universal scanning of all user content, all the time.

I think this is an Orwellian prospect. It is on a par with requiring of telephone operators that they eavesdrop on all conversations on phone lines, or expecting the postal services to open all the letters you send to make sure you’ve not written something that violates the law. Article 12 of the Universal Declaration of Human Rights determines that no one shall be subjected to arbitrary interference with their privacy, family, home or correspondence. And yet that seems exactly what the Online Safety Bill is demanding of the internet.

Why everyone needs encryption

But it gets worse. This is not just about screening messages that are sent in plain text. It is about screening encrypted messages, which currently means the bulk of online communication. Indeed, it seems that law enforcement agencies are particularly unhappy with the fact that more or less everyone these days can communicate in a way that successfully prevents prying eyes or eavesdropping. To most this added security would seem an advance, but not to those who want to spy on people.

High safety standards define the internet as we now know it, and rightly so. Internet communication by itself allows messages to be intercepted easily. Much of it travels through airwaves, which require no more than an antenna to receive. Without encryption, being online would be an unacceptable security risk. Paying on the web would become a gamble; your chat messages would be readable to anyone who can intercept network traffic (which is easy to do); and your smart speaker would end up under the control of more or less anyone who manages to sniff your network.

Encryption can mitigate these risks by making it impossible for third parties to read your communication. And note, these third parties include the websites or apps you use to communicate. End-to-end encryption prevents anyone apart from the intended receiver from accessing the contents of your messages, because current encryption standards are virtually unbreakable. Only the party you are communicating with can decipher what you send them.

This is why messaging apps like WhatsApp and Signal say that the Online Safety Bill could break end-to-end encryption. If platforms a required to screen messages, they will need access to their contents. And this means abandoning encryption altogether or building in some kind of ‘backdoor’ mechanism, which in practice amounts to abandoning encryption as well. Also the Electronic Frontier Foundation observes that what the Bill requires is neither compatible with our right to privacy, nor with encryption.

A worldwide push

Currently the Online Safety Bill is in the House of Lords and is likely to become law this summer. If from then on the government requires third-party screening, and if third-party screening is impossible when messages are encrypted end-to-end, then the UK government will already this summer effectively abolish end-to-end encryption on much of the internet in the United Kingdom. For citizens of the UK this would be bad news. They already have to face the fact that their offline lives are a mess because of their government’s incompetence, and now this Bill threatens to impose chaos on their online lives as well. John Thornhill in the Financial Times, says that this might make the UK “a strange kind of cyber pariah”.

But it is much worse than that. The real issue seems to extend well beyond the witless politics of the UK. The Online Safety Bill is merely an embodiment of a broader and worldwide push to undermine encryption.

Earlier in April the Global Encryption Coalition reported that senior officials from the United States and European Union want to join forces to shape public opinion against encryption. The aim is to legitimise access to encrypted communications by law enforcement agencies. It is not the first time this is happening, and the measure they are seeking is a mandatory ‘backdoor’, a change in communication software that allows encryption to be bypassed. Or, as the officials record the idea euphemistically in the minutes of their meeting about this, “to mirror privacy by design with lawful access by design”.

A ‘backdoor’ to bypass encryption would mean that a service like WhatsApp can continue to use what seems to be end-to-end encryption, but where law enforcement can directly or indirectly access the unencrypted messages without having to decrypt them. It is exactly such a backdoor that those drafting the UK’s Online Safety Bill seem to have in mind when they expect websites and apps to screen communications, including ones that were encrypted. So instead of a cyber pariah, it would be better to see the UK as the Orwellian front-runner. They seem currently closest to realising the unfettered access to communication the United States and the European Union are eyeballing as well.

But let’s be clear about it, requiring a backdoor to encryption software is unacceptable. This is the consensus among everyone except those that want to use the backdoor to spy on people. It is unacceptable first because it would break end-to-end encryption, as it would no longer be true that only someone in possession of the decryption key can access a message’s contents. This would break the internet as we know it. Specifically, backdoors introduce a costly security risk. These loopholes will inevitably be discovered, and before you know it it’s a free-for-all where your boss or your stalker can pay some dodgy website to snoop on you.

Moreover, a backdoor in encryption software would make arbitrary screening of private online communication possible—indeed, the point of the Online Safety Bill—and arbitrary screening is a plain violation of the human right to privacy as encoded by the UN. Human rights violations are unacceptable.

Splitting keys

In a recent letter to the Financial Times Andersen Cheng claims to have found a solution. “What law enforcement agencies, the government and platforms all miss”, Cheng writes, is “encryption key splitting.” The basic idea of this is obvious. Just give law enforcement agencies the decryption keys whenever you encrypt s