Written evidence submitted by The Information Commissioner’s Office (OSB0211)
Damian Collins MP
Joint Committee on Draft Online Safety Bill
House of Lords
Our reference: ICO/O/ED/L/RFM/0326
By email to: firstname.lastname@example.org
28 October 2021
RE: Follow up to ICO’s oral evidence session
As per my letter of 26 October following my appearance, I promised I would send the ICO's completed position paper on end to end encryption. I now attach that paper for the committee's interest.
Elizabeth Denham CBE
UK Information Commissioner
A Framework for Analysing End to End Encryption in an Online Safety Context
- At her appearance before the Joint Committee for the Draft Online Safety Bill (the Committee) on 23 September the Information Commissioner offered to provide the Committee with a paper setting out a framework for considering the impact of end-to-end encryption (E2EE) on online safety.
- E2EE raises challenging questions for online safety which we continue to consider given the context in which we regulate the processing of personal data. It is important that any approach to E2EE seeks to reconcile addressing the immediate harms with longer term privacy and safety impacts.
- The paper provides a summary of the Information Commissioner’s Office’s (ICO) current thinking to support the evolving discussion on governance of E2EE. It builds on our engagement with a range of national and international stakeholders to build up our own picture around E2EE as the UK’s data protection regulator but does not necessarily represent our final settled policy position.
- E2EE is a technical measure that encrypts content in communications channels so that only the sender or recipient can access it. This approach prevents third parties, including the provider of the communications platform service, from accessing the content. It is increasingly used to support secure communications and content sharing between users.
- Keeping their personal information secure matters to people. In our 2021 annual tracking research 77% of respondents said that protecting their personal information is essential. Recent consumer shifts towards services with high encryption standards (for example the move to Signal and Telegram in response to WhatsApp terms and conditions changes) demonstrate how much the public value private and secure communication services.
- Security is particularly important for children. In the 2020 joint research on Internet Users’ Experience of Online Harms that we carried out with Ofcom, 16% of 12-15 year olds voiced unprompted concerns about having their personal information stolen. Stakeholders within the child advocacy space have told us that children need safety but they also need private spaces when they are online.
- Systems that do not use E2EE can be abused, creating the risk for financial fraud, exposure to harmful content and other harms. Real-life circumstances where the lack of E2EE has exposed people to harm include: children having their pictures accessed or location tracked, access to medical data, collection of data for fraud and misuse, and the acquisition of sensitive data as part of broader data collection processes.
- E2EE is also crucial for businesses. It enables them to share information securely and fosters consumer confidence in digital services. The lack of E2EE has been shown as a critical vulnerability to validating data integrity. The effect of weakening encryption has been assessed in a report commissioned by the Internet Society analysing the impact of the Australian Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA). The report concluded that TOLA has the potential to result in significant economic harm to the Australian economy, in part because of the likely indirect impact of customers and businesses losing trust in digital security.
- From a data protection perspective, E2EE acts as a key enabler for compliance with the requirements of data protection law. It is directly relevant to the data protection principle of integrity and confidentiality which places a legal requirement on organisations to deploy measures to process personal data in a way that ensures security. More broadly, it underpins a key outcome of data protection law which is to give citizens confidence about how their personal data is processed by digital services, including confidence that it is stored and shared securely.
- The ICO has a long history of recommending encryption, dating from our public statement in 2010 where we recommended it as a security measure under the Data Protection Act 1998. Our current guidance explicitly discusses how organisations should adopt encryption ‘at rest’ and ‘in transit’ as recommended measures to secure personal data they either store and/or transmit.
- While we do not say that organisations must encrypt in all circumstances, there must be a strong justification for not doing so. This also applies to E2EE. Our position aligns with recommendations by key actors in the cybersecurity domain such as the National Cyber Security Centre (NCSC) who also recommend encryption as a security measure for protecting personal data in a number of guidance products, including the Cyber Assessment Framework, their Cloud Security principles, their guidance on protecting bulk personal data and their guidance on securing incoming connections.
E2EE and Online Safety
- E2EE is vital to citizens and industry because of the security, safety and trust that it generates and the wider benefits that private spaces provide. It is an essential component of a safe digital ecosystem, providing safety for users online, including protection against exposure to harmful content and activity.
- However, because it restricts the detection of harmful content, it also presents a challenge from an online safety and law enforcement perspective. The characteristics of E2EE that enable private and secure communications for the public also provide safe harbour for criminal activity. Child safety has emerged as central to the current debate, with valid concerns that encrypted channels are creating spaces where children are at risk.
- We are mindful of this wider context and recognise that we do not regulate in a vacuum. We understand that there are real and present issues at the intersections of encryption, national security, law enforcement and online harms. However positioning E2EE and online safety as being in inevitable opposition is a false dichotomy. Instead what is needed is an approach that seeks to reconcile the different demands whilst recognising the need to create a safe online ecosystem for all users. The challenge is to create tailored and proportionate responses to the issues that manifest without unduly interfering with the wider benefits that E2EE provides or the rights and freedoms of wider society. It is vital that one form of online safety is not traded off for another.
- Measures that would introduce widespread “backdoors” to encrypted channels or otherwise enable indiscriminate widespread access would create systemic weaknesses, unacceptably undermining security and privacy rights, introducing data protection risks and adding to the overall safety concerns by creating more spaces for harm. We do not support such measures. We welcome the UK Government’s support for strong encryption as well as its position that it does not support the development of so-called ‘backdoors’ in social media platforms to allow access for law enforcement or security agencies.
- Further, when asked, the Government has also stated to us that:
- ‘HMG is not looking to undermine security on E2EE platforms, for instance by introducing ‘backdoors’. Our approach is about considering the introduction of specific additional functionality to companies’ services, to enable access to messaging content by law enforcement, or the service/platform provider, under specific and tightly controlled circumstances. This would need to be underpinned by a detailed design, implementation and management process by the company in question, to industry good practice standards, that respected the importance of cyber security and the protection of users’ data and privacy.’
Reconciling Safety and Privacy Objectives
- Here we outline how the consideration of E2EE and the impact on privacy and online safety could be framed around reconciling objectives rather than putting them at odds.
- Key factors that should be considered include:
  - The demand from consumers for services that safeguard their privacy and thereby support their safety online.
  - The requirements that existing legislation places on businesses, including the legal obligation on data controllers to process personal data securely.
  - The effectiveness of existing legislative and technical tools to ensure lawful access to data for law enforcement and national security purposes without weakening or ‘breaking’ widely-adopted encryption standards. Consideration should be given to whether the objectives of the online safety regime can be met through these channels without introducing additional requirements on organisations to adopt processes which could undermine E2EE on their services.
  - The potential future development of technical solutions for detecting harmful content without weakening E2EE, which offers promise for reconciling E2EE and the detection of harmful content. There are certain solutions which currently suggest a tangible roadmap. Consideration should be given to the extent to which legislative intervention will be needed as technology evolves.
  - The necessity, proportionality, targeting and effectiveness of any proposed legislative solutions. For example, interventions that weaken E2EE across all mainstream services/users will threaten the safety and security of the majority of users and may not achieve the desired safety outcomes because bad actors can easily switch to more niche services.
  - The social impact of any proposed legislative solutions on online safety and privacy for the population as a whole. Any proposed solutions should seek to reconcile the need to address harms on encrypted channels with the wider impact on privacy and online safety flowing from any reductions in security, and seek to reduce harms overall, particularly to vulnerable users.
  - The economic impact of any proposed legislative solutions, both in terms of their direct costs to business and any indirect effects of weakening user trust in digital services.
- At the ICO we will look to shape this landscape to support privacy. In practice this means both ensuring that mature access mechanisms and technologies are used lawfully, necessarily, and proportionally, and supporting the growth of more nascent privacy-preserving techniques such as homomorphic encryption as they scale.
- We are pleased to be engaged in the Government’s Safety Tech Challenge Fund which is supporting innovative solutions to tackle child sexual exploitation and abuse in end-to-end encrypted environments. Additionally, we are leading a programme with support from the Government’s Regulators’ Pioneer Fund to stimulate the development of privacy enhancing technologies, and we are also developing guidance for the use of these technologies. Although this is not directly relevant to the provisions of the Online Safety Bill the Committee may wish to consider recommending that the development of technical solutions continues to be prioritised and supported.
A Multistakeholder Approach
- As outlined above the policy response to E2EE and online safety requires a nuanced and detailed understanding of the broader issues. We recognise that these are problems with no easy answers. Their complexity means a truly multistakeholder approach is needed to find solutions that recognise and seek to reconcile the different perspectives.
- At the ICO we are engaging with a variety of stakeholders so that we can better understand their priorities and concerns and be responsive to them. Through the Digital Regulation Cooperation Forum (DRCF) we are working with Ofcom and the Financial Conduct Authority to understand the implications of E2EE for the people using digital services, as well as for industry, and its implications for us as digital regulators. We will be seeking the views of stakeholders to bring a range of perspectives on E2EE together and help set priority areas for future joint work. We will publish the outcomes of our work (which will not be limited to online safety) early next year.
- In summary, E2EE is central to a safe and private online experience and benefits citizens and businesses. It enables privacy, and privacy is also safety. Privacy and child safety are critical, and we recognise this, but achieving these objectives needs to be reconciled rather than put at odds. We do not see value in proposals that seek to weaken E2EE, but we do see value in accelerating innovations that allow the detection of harmful content without compromising privacy.
- We are taking our work forward in a multistakeholder manner. Through the DRCF we are working with Ofcom and other partners and we also continue our engagement with national and international stakeholders. We stand ready to provide further assistance to the Committee and to Government as required.
28 October 2021
 Information Rights Strategic Plan: Trust and Confidence June 2021: https://ico.org.uk/media/about-the-ico/documents/2620165/ico-trust-and-confidence-report-290621.pdf
 See for example ‘Millions switch to Signal and Telegram amid WhatsApp privacy fears’ | Telegraph: https://www.telegraph.co.uk/technology/2021/01/08/elon-musk-urges-users-use-signal-whatsapp-privacy-row/
 Internet users’ experience of potential online harms: summary of survey research | Ofcom: https://www.ofcom.org.uk/__data/assets/pdf_file/0024/196413/concerns-and-experiences-online-harms-2020-chart-pack.pdf
 Fresh warnings over Royal Mail parcel scam | BBC News: https://www.bbc.co.uk/news/business-56496203
 Number spoofing: meet the customers who lost thousands | Banks and Building Societies | The Guardian: https://www.theguardian.com/money/2019/may/04/number-spoofing-meet-the-customers-who-lost-thousands
 ‘Pictures of Children’ in Vtech hack | BBC News: https://www.bbc.co.uk/news/technology-34971337
 EU Recalls Children’s Smartwatch That Leaks Location Data | Threatpost: https://threatpost.com/eu-recalls-childrens-smartwatch-that-leaks-location-data/141511/
 Security and Privacy Investigation of Existing mHealth Applications | pitt.edu: http://sis.pitt.edu/jjoshi/courses/IS2955/Fall18/Presentation2.pdf
 International Hackers Indicted for Sniffing Credit Cards from Dave and Buster’s | WIRED: https://www.wired.com/2008/05/international-h/
 Download DroidSheep APK for Android (Latest Version): https://droidsheep.info/
 Google’s Wi-Fi snoop nabbed passwords and emails | The Register: https://www.theregister.com/2010/06/18/google_street_view_cars_wifi_data_includes_emails_and_passwords/
 Rogue Tor ‘exit node’ server added malware to legitimate downloads | PCWorld: https://www.pcworld.com/article/2839152/tor-project-flags-russian-exit-node-server-for-delivering-malware.html
 China’s Great Cannon | citizenlab.ca: https://citizenlab.ca/2015/04/chinas-great-cannon/
 Verizon Injecting Perma-Cookies to Track Mobile Customers, Bypassing Privacy Controls | Electronic Frontier Foundation (eff.org): https://www.eff.org/deeplinks/2014/11/verizon-x-uidh
 The Economic Impact of Laws that Weaken Encryption-EN | internetsociety.org: https://www.internetsociety.org/wp-content/uploads/2021/05/The_Economic_Impact_of_Laws_that_Weaken_Encryption-EN.pdf. The research was carried out by Law and Economic Consulting Associates.
 ICO (2018). Encryption and data transfer. ICO.org.uk. Available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/encryption/encryption-and-data-storage/.