Now Apple takes a bite out of encryption-bypassing 'spy clause' in UK internet law

Apple has joined the rapidly growing chorus of tech organizations calling on British lawmakers to revise the nation's Online Safety Bill – which for now is in the hands of the House of Lords – so that it safeguards strong end-to-end encryption.

"End-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists, and diplomats," Apple argued in a statement to the media.

"It also helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches. The Online Safety Bill poses a serious threat to this protection, and could put UK citizens at greater risk."

Apple, you may remember, announced in December 2022 that it will provide end-to-end encryption (E2EE) for most iCloud services.

"Apple urges the government to amend the bill to protect strong end-to-end encryption for the benefit of all," the iGiant's statement on the internet bill continued.

The iGiant declined to address The Register's specific inquiries about what, if anything, the American titan will do should Parliament adopt the bill.

As the draft law is currently written, the UK's communications watchdog Ofcom will have the power to instruct chat app makers and other tech companies to monitor conversations and posts for child sexual abuse material and terrorism content. Such data should be blocked or deleted when found, and potentially even reported to the cops, the government hopes.

If that doesn't lead to apps watering down or backdooring their E2EE so that data can be inspected in transit, it may bring about automated on-device scanning, which could end up censoring people's private chats or leaking them to the authorities – whether illegal activity was correctly or incorrectly detected. Such technology would be government-accredited, which means the app makers may have little choice over its eventual implementation.

Under that regime, an app or platform can't really say it offers truly strong E2EE on all messages if there's a chance those messages can be silently inspected by someone or some system outside the private conversation. There's a concern this all starts with tackling child abuse and terrorists – something with which the population won't generally have a problem – but will later lead to broader surveillance and censorship. It smacks of a government fed up with not being able to peer into private chatter whenever it feels necessary.

The Open Rights Group has a paper on the proposals here [PDF] if you want to read more about it. "According to an expert legal opinion, this bill would create the power to mandate some of broadest surveillance powers in any Western democracy," the body wrote in that document.

In February, encrypted chat service Signal said it will stop operating in the UK if the British government goes ahead with its Online Safety Bill as it stands.

And in April, other E2EE comms platforms Element, Session, Threema, Viber, WhatsApp, and Wire urged UK lawmakers to rethink the bill instead of "weakening encryption, undermining privacy, and introducing the mass surveillance of people's private communications."

Wikipedia, meanwhile, has called out another piece of the proposal that would require verification of visitors' ages, and said if the Online Safety Bill passes with the age-gating requirement, its site may no longer be available in the UK.

• Wrong time to weaken encryption, UK IT chartered institute tells government
• Online Safety Bill age checks? We won't do 'em, says Wikipedia
• International cops urge Meta not to implement secure encryption for all
• One year after Roe v Wade overturned and 'uterus surveillance' looks grim

The controversial draft law, which the government claims will make the UK "the safest place in the world to be online," continues to face backlash because of its so-called "spy clause" [PDF]. 

This provision requires companies to intercept and block child sexual exploitation and abuse (CSEA) material and terror content "whether communicated publicly or privately." That means encryption applied to messages and anything else shared must be bypassed to allow scanning – or scanning must occur prior to encryption or after decryption.

Those in favor of this E2EE workaround, as always, say it's to protect the children – as Meta recently found out when an international group of law enforcement agencies urged the social media giant not to standardize strong E2EE on Facebook Messenger and Instagram. E2EE, according to the Virtual Global Taskforce, will prevent cops from fighting – wait for it – CSEA.

Apple is no stranger to this argument. In 2021, the fruiterer floated a plan to scan photos on people's iPhones for CSEA automatically as they uploaded stuff to iCloud.

The information security community and civil rights groups strongly opposed turning punters' own devices against them, and Apple ultimately ditched the plan. Instead it deployed communication safety tools in iOS 15.2. ®