Media regulator fails to properly protect freedom of expression in online safety draft guidance

NEWS

Index on Censorship criticises Ofcom’s inadequate ‘passing references’ to users’ privacy rights and warns of legal battles if draft guidance on encryption is not updated

By Index on Censorship

10 Dec 24

News and features | Statements | United Kingdom

Ofcom has failed to properly consider human rights and practical implications in its approach to encryption. Photo by Geralt/Pixabay

Leading human rights KC, Phillippa Kaufmann, urges Ofcom to review landmark European Court of Human Rights judgment which established that a “statutory requirement to decrypt communications” was not lawful

Opinion warns that service providers can not be compelled to breach UK GDPR and compromise users’ cybersecurity

Index on Censorship criticises Ofcom’s inadequate ‘passing references’ to users’ privacy rights and warns of legal battles if draft guidance on encryption is not updated

Index on Censorship has published a legal opinion from Phillippa Kaufmann KC and Aidan Wills (both of Matrix Chambers) in response to Ofcom’s characterisation of End-to-End Encryption (‘E2EE’) as a risk factor in their Draft Guidance on online harms.

Ofcom has been tasked with implementing the Online Safety Act since 2023 and to explain how technology companies must fulfil their duty of care to users of their online services. The regulations Ofcom has drafted will go before Parliament early next year and require a careful balance between keeping people safe online while respecting individual privacy.

Index on Censorship, as well as a host of civil society organisations who submitted consultation responses on the regulations, have highlighted the regulator’s failure to recognise the benefits of using encrypted communication technologies to users’ privacy and security online.

Ofcom has implied that service providers should weaken encryption on their messaging services to mitigate risks of illegal harms. This is despite the fact that encryption of personal data is a measure that may be taken to comply with the human rights and cybersecurity requirements outlined in the legal opinion. Ofcom should outline the benefits of encryption expressly and clearly in their guidance.

CEO of Index on Censorship, Jemimah Steinfeld said:

“Index has published censored writers across the globe since 1972. Today, we’re using encrypted messaging apps to keep in touch with our network of correspondents around the world, from Iran, to Afghanistan, to Hong Kong.

We are disappointed that Ofcom has failed to properly consider human rights and practical implications in its approach to encryption. This legal opinion confirms there is inadequate consideration of how their draft guidance could undermine the security protections that millions of people rely on every day. Ofcom should revise its guidance before it’s too late, or face a wave of costly and time-consuming legal challenges in the years ahead.

We are calling on Ofcom (and if necessary, the Secretary of State for Science, Innovation and Technology, Peter Kyle) to:

update guidance to reflect the Podchasov v Russia (Feb 2024) ruling – specifically that requiring encryption to be weakened for all users violates Article 8 rights;
expand guidance beyond just “passing references” to provide “more detailed consideration of the human rights implications of service providers taking any measures which may weaken encryption.””

The legal opinion (which can be consulted below) was sought from expert human rights and technology barristers as Index on Censorship feared there is insufficient weight given to privacy and data protection laws in Ofcom’s draft guidance. Without encrypted communication services, journalists, their sources, and political dissidents across the world, for whom security is essential, will be negatively impacted.

Phillippa Kaufmann KC and Aidan Wills have explained the legal railguards of how content moderation regulation can operate next year when the OSA comes into force. Service providers in the scope of regulation are advised:

When mitigating risks, they must (as per s 22 of the OSA), have particular regard to service users’ rights to freedom of expression and privacy (including data rights); and can only implement measures if they are “proportionate” (as set out in Podchasov v Russia)
They must comply with UK GDPR which can include processing personal data “in a manner that ensures appropriate security of the personal data”, and to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.