A call to arms: the UK's online safety bill
May 10, 2023
The attempt by the UK government to effectively disallow end-to-end encryption in the online safety bill is an illiberal and deeply stupid idea. People who support it are either acting in bad faith or have an education so poor that they don't understand what they are proposing. It is alarming if not surprising that the UK's security services are acting in such bad faith, and that our politicians are both acting in bad faith and have such low educational attainment.
Makers of end-to-end encrypted messaging systems have responded as you would expect them to: the UK is a small part of their market and they are unwilling to compromise the safety of the great majority of their customers to support surveillance by the UK government of its citizens. So they will simply withdraw their systems from the UK.
But let's be clear about just how stupid this legislation is: trying to legislate end-to-end encryption out of existence is like trying to legislate that π is 3: π is not, in fact, 3, and no matter how much bullshit the politicians and their enablers spout they cannot make it be so. The only reason it even seems plausible to outlaw end-to-end encryption is that we treat the computers we all carry as appliances rather than as what they are: computers. If it were possible to treat our computers as computers then we could simply write or obtain a program written in a general-purpose programming language which would allow us to send and receive end-to-end encrypted messages.
Well, web browsers already contain a general-purpose programming language: JavaScript. If that is insufficient, then implementations of other languages are already available for our devices[1].
The JavaScript environments in browsers have many restrictions on what they can do in the interests of security: I think that, even with those restrictions, an end-to-end encrypted messaging system which ran entirely in the browser should be perfectly possible, or could easily be made so[2]. Alternatively some other language could be chosen.
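As an added illustration of the claim above (not code from the original post), this example uses only the Web Crypto API that browsers already ship: two parties derive a shared AES-GCM key via ECDH and HKDF, and a relay that stores the message holds only ciphertext. The function names, the relay array, the HKDF label and the sample message are assumptions made for the example; public keys are exchanged unauthenticated here, so a real system must let users verify them out of band.

```javascript
// Added example. Web Crypto only, so it runs in a browser page or in Node.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // fallback for older Node
const subtle = wc.subtle, enc = new TextEncoder(), dec = new TextDecoder();
const CURVE = { name: "ECDH", namedCurve: "P-256" };

// Each user keeps a non-extractable private key; only the public half is exported.
async function newIdentity() {
  const pair = await subtle.generateKey(CURVE, false, ["deriveBits"]);
  return { priv: pair.privateKey, pub: new Uint8Array(await subtle.exportKey("raw", pair.publicKey)) };
}

// ECDH shared secret -> HKDF -> AES-256-GCM key. Both ends derive the same key.
async function sessionKey(myPriv, peerPubRaw) {
  const peer = await subtle.importKey("raw", peerPubRaw, CURVE, false, []);
  const bits = await subtle.deriveBits({ name: "ECDH", public: peer }, myPriv, 256);
  const ikm = await subtle.importKey("raw", bits, "HKDF", false, ["deriveKey"]);
  const hkdf = { name: "HKDF", hash: "SHA-256", salt: new Uint8Array(32),
                 info: enc.encode("constructed-demo-label") }; // label is an assumption
  return subtle.deriveKey(hkdf, ikm, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

async function seal(key, text) {
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per message
  const ct = new Uint8Array(await subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(text)));
  return { iv, ct };
}

// Rejects if the ciphertext was altered in transit or in storage (GCM tag check).
async function unseal(key, msg) {
  return dec.decode(await subtle.decrypt({ name: "AES-GCM", iv: msg.iv }, key, msg.ct));
}

async function demo() {
  const alice = await newIdentity(), bob = await newIdentity();
  const relay = []; // constructed stand-in for a server that stores and forwards messages
  const text = "meet at noon"; // constructed sample message
  relay.push(await seal(await sessionKey(alice.priv, bob.pub), text));
  const bobKey = await sessionKey(bob.priv, alice.pub);
  const stored = relay[0];
  const tampered = { iv: stored.iv, ct: Uint8Array.from(stored.ct) };
  tampered.ct[0] ^= 1; // one bit flipped while held by the relay
  return {
    plaintext: await unseal(bobKey, stored),
    relaySawPlaintext: dec.decode(stored.ct).includes(text),
    tamperRejected: await unseal(bobKey, tampered).then(() => false, () => true),
  };
}
```

Calling `demo()` resolves to the decrypted text on Bob's side, confirms the stored bytes do not contain the plaintext, and shows that a single altered bit makes decryption fail rather than yield a modified message.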
This is not quite enough. What is also needed is a cross-platform implementation of an end-to-end encrypted messaging system, available as source code, with a licence which does not restrict its distribution or use and which is simple to install and configure. It will also need infrastructure to store and forward encrypted messages: either it could reuse existing infrastructure or infrastructure needs to be created. The system must be cross-platform so that it is useful, available as source code so that experts can review it, have an unrestrictive licence so it can be replicated and used freely, and be simple to install and configure so that it is usable by non-technical people.
Such a system could be defeated in essentially one way: by forbidding access to general-purpose computing. An act like that is possible, perhaps, in Russia, China or other places afflicted by repressive regimes. I do not believe the UK government is yet willing to place itself in such company.
A call to arms
We can defeat this illiberal, stupid, act by the government of the UK and other similar acts by governments which are not simply totalitarian. To do this requires work: the makers of the platforms which run our phones need to support features which allow end-to-end encrypted messaging systems to be deployed as source code on their devices, preferably in a way which is cross-platform. They need to warrant that they will not subvert these features to allow governments to acquire unencrypted messages. And, most importantly, at least one system which makes use of these facilities while being simple to install and use by non-technical users needs to be created, together with any needed infrastructure. This system then needs to be reviewed by experts, widely replicated and publicised so that many people understand how to install and use it.
Apart from its security, the most important attributes of this system are that it is freely available to download by anyone, widely replicated and, crucially, simple to use.
This is not hard: almost everything required exists already. We've defeated idiocy like this before[3] and we can do so again. But we do need to defeat it: if we do nothing the malignant idiots in our government and security services will win.
[1] The computers that sit on, or under, our desks are already very obviously fully user-programmable machines, which support numerous programming languages. It is already perfectly possible to obtain and use end-to-end encrypted messaging systems for these machines.
[2] In fact implementations of systems that are close to browser-based end-to-end encrypted messaging systems already exist: at least Proton Mail and Standard Notes can run in browsers, and store no plain text on the server.
[3] For instance the Clipper chip.