Technology mandated by UK online safety bill ‘could turn phones into surveillance tools’

Tech mandated by the UK government’s Online Safety Bill could be used to turn millions of phones into facial recognition tools.

That’s according to new research from Imperial College London, which looked at the potential privacy implications of a tool called client-side scanning (CSS). Under the Online Safety Bill, CSS will be introduced to flag when people are trying to share images that are known to be illegal content, such as child abuse images, before they are encrypted and sent .

New research suggests it would be possible for governments to use CSS to search people’s private messages, for example by facial recognition, without their knowledge.

The Online Safety Bill is currently under review in the UK Parliament. CSS is also part of a European Union proposal that, if passed, could mandate its installation on hundreds of millions of phones. It has already been developed by companies like Apple in the US.

The new paper is being presented and published next week at IEEE Security & Privacy, one of the world’s leading security conferences. “The bill would mandate the installation of software to check that you do not share images containing child sexual abuse material,” said corresponding author Dr Yves-Alexandre de Montjoy, from Imperial College London’s Department of Computing.

“But our paper shows that the software can be created or tweaked to include other hidden features such as scanning private content from hundreds of millions of people’s phones using facial recognition, The same technology used at airport gates.”

illegal online activity

Governments have long been concerned that end-to-end encryption—the function used by messaging apps such as WhatsApp and Signal that ensures only the sender and the intended recipient of a message can read it—will deter law enforcement agencies from finding illegal content. Blocks access to messages.

To tackle this perceived risk, the proposed bill would mandate apps to install CSS, which would scan images on phones before they are encrypted and sent.

The software will compare the signatures of images of known illegal content from official databases. A ‘match’ would indicate that the content is known to be illegal and will be reported and shared with crime agencies unencrypted.

However, the researchers say their findings suggest we don’t understand the risks well enough to mandate their deployment on hundreds of millions of devices.

To conduct the study, the team reworked the algorithms that underpin CSS, to match the signatures of images in a database of known illegal content. Then they also taught the software to scan the material for the desired faces. They show their software to be indistinguishable from the original software while being very accurate at identifying the faces of desired individuals in photographs of people.

Co-author Shubham Jain, also from Imperial’s Department of Computing, said: “Tackling illegal content online is extremely important and we must do this in an effective way. However, CSS threatens to add backdoors to personal devices. sacrifices the privacy of millions of people.” ,

Dr de Montjoy said, “We are of the opinion that client-side scanning is not the innocuous ‘single purpose’ technique as stated in Parliament. We call on policy makers to thoroughly evaluate the pros and cons of client-side scanning. calls for, including the risk of misuse, before laws are passed mandating its installation on millions of phones.”