Here is my counterintuitive take on the UK online safety bill: although it’s a disaster for UK citizens, it may be good news for (non-UK) privacy advocates and those who want to see end-to-end encryption survive.

Here’s my justification for this: for years, the US, UK (plus sometimes Australia and India) have been threatening tech firms with all manner of legislation if they don’t *voluntarily* weaken their encryption features: most recently by adding content scanning.

Probably the best externally-visible example of that pressure campaign is this 2019 open letter to Facebook signed by US AG William Barr and UK Home Secretary Priti Patel. Along with some dude from Australia whose name I’ve already forgotten. https://www.justice.gov/opa/press-release/file/1207081/download

These campaigns don’t explicitly threaten consequences, but with all pressure campaigns there are always (implicitly) consequences if tech firms don’t comply voluntarily. The biggest consequence is the threat of weird, ambiguous and badly-written legislation.

The problem, of course, is that in the US we have a First Amendment; our Congress is disfunctional at even passing basic laws to keep the country operating: also Americans don’t love weird speech laws. Some legislation was proposed, but it died. https://www.judiciary.senate.gov/press/rep/releases/graham-cotton-blackburn-introduce-balanced-solution-to-bolster-national-security-end-use-of-warrant-proof-encryption-that-shields-criminal-activity

Nobody gives a crap about Australia. I mean this in the kindest way.

So with US legislation off the table, fundamentally the big legislative threats here come from the UK, the EU and maybe India.

And these threats very nearly worked. In 2021 Apple voluntarily introduced a client-side content scanning system that would have worked on photo backup. People wrote articles like this.

No, Apple’s photo backup wasn’t end-to-end encrypted at the time. (It is now, if you turn on ADP.) Their proposal was limited to the US. But these were details. Apple’s system would have been the first domino in terms of voluntary client-side scanning. It nearly happened.

What’s important to note here is that *Apple’s system did not get rolled out.* It very publicly failed. Apple eventually delayed and then canceled the proposal entirely.

And they even rolled out end-to-end encryption for iCloud. https://www.wired.com/story/apple-photo-scanning-csam-communication-safety-messages/

My view is that this is very significant. Apple is an industry leader. If they publicly wrestled with these plans, received pushback, and then abandoned them: that will encourage other firms across the tech industry. Voluntary compliance isn’t dead, but it isn’t happening soon.

Anyway the nature of threats is that if people don’t voluntarily comply under threat, sometimes you have to follow through with the promised consequences. This is the frame through which I view the UK Online Safety bill.

The point here is that when you threaten someone and they *don’t* comply, that is good evidence you’re not fighting from a strong position. The UK badly wanted to get what they wanted from tech firms without passing stupid, draconian laws that might hurt them. They failed.

And worse: right now the UK is entirely on its own. The EU Commission has some vague proposals like “chat control” that might someday incorporate similar scanning requirements. The US is out of the game legislatively. (I’m not sure about India. Australia is irrelevant.)