Online Safety Bill must balance security and privacy to be effective

The Online Safety Bill seeks to protect users and their security, but may do the opposite unless sweeping changes are made
Little girl On computer without parental control

As tech increasingly dominates our lives, the drive to keep children and adults safe online has rapidly grown in urgency.

While the Online Safety Bill (OSB) will include the world’s first cybersafety laws, it is unlikely to be a panacea, as the balance between online safety and privacy seems precarious.

“Placing some accountability on the platforms, who currently have almost none, is a pro of the OSB,” says James Bore, a security consultant specialising in online and cybersecurity. “Whether the OSB is the right way to go it is very much a debate – I don’t see there being a right answer but what is clear, given the damage that platforms have done in terms of assisting the spread of misinformation and manipulation of democracy currently, is that the balance is very much in their favour.”

He says the sticking points surround a lack of clarity over what is considered ‘harmful’ behaviour, as this subjectivity will lead to people challenging definitions as technology and society evolve. 

Charlotte Aynsley is safeguarding advisor at Impero Software, which provides safeguarding advice to schools, concurs. “The Online Safety Bill will have to be dynamic and evolve year-on-year to address emerging trends,” she says. “We haven’t even started thinking about the metaverse, for example, where everything is interactive and where considerable harms to children have already reported. It’s important that we are responsive to developments through codes of practice that Ofcom will develop alongside industry.”

That said, Aynsley believes the OSB is an important step in the right direction towards protecting children and adults online, particularly as the internet was not designed for children and always lacked adequate controls. “For the first time, technology companies, including social media websites and search engines, will be responsible and held accountable for harmful content hosted on their platforms,” she says. 

The NSPCC strongly backs the OSB but in its report Time to Act, published in April 2022, it said further changes are urgently required, unsurprising given the fact that, in 2021, UK law enforcement received 97,727 industry accounts relating to online child abuse, a 29% increase from 2020. And online grooming offences in 2020/21 reached a high in England and Wales, increasing by almost 70% in three years.

The OSB marks a shift from liability to accountability and protection

Among its requests, the NSPCC wants the bill to take a proactive approach to tackling the child abuse risks in private messaging and groups, and to stem the ways in which abuse is facilitated on social networks, where it may not meet the criminal threshold. Abusers frequently use social networks to post so-called digital breadcrumbs that signpost to illegal content hosted on third-party messaging apps, offender forums and the dark web. The government, it adds, must strengthen its approach to tackling harmful content for children.

Aynsley says the OSB marks a shift from liability to accountability and protection, whereby companies will need to demonstrate that they have evaluated key risks such as misinformation, predatory behaviour and cyberbullying, and put suitable protections in place, especially for children. 

“Fines will be issued to those who fall short and executive teams held accountable,” she says. “Shifting responsibility will benefit everyone, especially children, as it puts the onus on big tech companies and social media platforms to be aware of the content they host.”

But she adds that the spotlight on large technology companies could mean that harmful behaviour occurring elsewhere is missed, while billion-dollar behemoths may not be sufficiently motivated by financial penalties. 

Bore agrees: “It’s worth remembering that the companies targeted by this law have been shown time and time again to be uncaring about the damage they knowingly cause to society and democracy,” he says. “Even if individuals within them may be well-intentioned, their ability to soften the overall negative impact is negligible. 

“That’s not to say there aren’t also benefits to society that come about, but we need to work to mitigate the harm, and holding these organisations to account – regardless of how imperfectly – is a huge step when they have shown for years that nothing else will work.”

According to the government, the OSB will “[deliver] the government’s manifesto commitment to make the UK the safest place in the world to be online while defending free expression,” but cyber experts beg to differ, warning that the OSB risks devastating the UK’s online security.

Robin Wilton, director of internet trust at the Internet Society, is damning, calling the OSB “an unworkable mess, with overreaching powers based on vague definitions, poor accountability structures, and new categories of offence added practically every month”.

The government, he adds, should refocus its approach by admitting that the problems it claims it’s solving with the OSB are societal and stop legislating as if regulating technology is “the miracle cure”. He is also concerned that the bill would force companies to undermine strong encryption, making everyone less safe, as service providers weaken or withdraw end-to-end encrypted services from their offerings. 

“The bill,” he says, “makes [service providers] liable for the behaviour of their users if they are unable to monitor and control their users’ conversations. The Culture Secretary recently expressed her delight that citizens in Ukraine could stay informed via secure messaging services and encrypted news sites. If the UK passes the OSB, companies will be forced to either leave the UK market or undermine the security and privacy of all their users, including the most vulnerable in Ukraine and other conflict areas.

“What the public doesn’t realise is that the content of all their communications will be scanned. Is this the kind of surveillance state we want in the United Kingdom?”

Wilton goes on to caution that the OSB will degrade the UK’s security throughout its online infrastructure, reducing inward investment, as companies will have little incentive to invest in a market for insecure products, or the insecure services built on them.

Clearly, the OSB is a work in progress to hone it into a robust tool that keeps individuals safe and maintains their privacy – and avoiding the somewhat ironic potential outcome of leaving people with even poorer protection online.