How does the UK Online Safety Act impact privacy?

From my understanding, the Act gives Ofcom unprecedented powers to control content and codes of practice, and seems to require E2EE platforms to scan all content and messages. Does this not make using E2EE effectively useless in the UK now?

I think the material mentioned in the Act includes messages, calls, videos, photographs, music, and general data - so effectively everything? And it’s vague in that it applies to any services that have ‘reasonable grounds’ to host harmful content.

I’m just becoming more mindful of privacy after previously not giving a damn what data I gave to big tech. I’m just in the process of switching my photo storage, notes, search engine, browser, password manager, etc., away from big tech providers to more privacy-focused ones. But this new Act makes me wonder if it’s even worth bothering if companies will be strongarmed into compromising their services anyway.

But does that not put us in a precarious situation, because many of these companies may simply decide to leave the UK at a later date as it’s not worth the fines or legal headache? WhatsApp (I think?) comes to mind, with them stating the British 2% of global users aren’t worth compromising security for (which is good), but that means the UK may be left with few to no choices in the future?

I see, thank you. Hopefully countless other providers will hold true to their words and not compromise on privacy behind their users’ backs :crossed_fingers: :crossed_fingers:

Ah right. So that means they couldn’t sneakily change their services without anyone knowing because the code is visible to everyone, is that right?

If I remember correctly Element is based in the UK; does anyone have info about how they would respond to this (for EMS homeservers)?

The big difference between something like Matrix and Signal is that Matrix is just a protocol. Sure, we don’t know what is gonna happen to the homeserver, but it’s also mostly uninteresting. You can just use Synapse, Element etc. on your own or others’ infrastructure hosted wherever, completely unrelated to what is happening in any specific country. Signal, however, is centralized, and while that is not all bad and also comes with certain benefits (I mean Moxie has been writing about stuff like that since forever), it has a downside here: there exists a single entity running the whole network that cannot move countries as easily as you can move your Matrix homeserver between countries.


Has this law been passed yet?

I mean, they could change their server-side code and whatnot without informing the users, but for many open source projects that would violate the license of the code (for code licensed under the AGPL for example), meaning they could be sued for copyright infringement.

I was also thinking about metadata in general, unencrypted group chats that don’t employ E2EE but are not necessarily open to the public and stuff like that. Of course you should ideally always use E2EE and Element is far from the only client implementing it (in fact, I mostly use NeoChat for my personal chats), but still it’s good to use homeservers that are not touching the data in the first place.

I still don’t get these laws. How do they plan to regulate e.g. Briar? Force Google to put an insecure version in the store? So I just take it from F-Droid or as an .apk from a server in Singapore? The same goes for all third-party clients (forks) without a backdoor.
It’s similar with federated services; what will that look like? They will first try to identify users with proper E2EE clients, then look at which servers they are using, and then force a state agency to block connections to those servers? Great way to flush taxpayers’ money down the toilet.
Will they also block Tor? Secure Linux distros?

The only possible outcome I see is that they’ll force Google, Facebook, Apple, Rakuten to break E2EE, probably also Signal & Telegram/Microsoft (secret chats), and that’s it. They will not bother with smaller services used by less than 1% of people. But IMO these companies have more power than the UK & EU governments, and if they threatened to completely leave the market, this and similar acts won’t be implemented. I’m quite sure people trust Apple more than their governments, and if Apple explained to them that breaking E2EE does more harm than good, they would actually fight against these regulations.
Though I have a feeling we’ll see more & more “we would have saved these children in time & we would have prevented these criminals/terrorists, if only we had access to their communication” scenarios. “It’s not our fault, it’s Facebook’s and Apple’s, that these kids are dead.” So I wouldn’t be surprised if in a few years all e.g. Briar users are marked as terrorists, pedophiles or drug dealers.

