Connect with us

Technology

Surveillance powers in UK’s Online Safety Bill are risk to E2EE, warns legal expert

Published

on

Independent legal analysis of a controversial UK government proposal to regulate online speech under a safety-focused framework — aka the Online Safety Bill — says the draft bill contains some of the broadest mass surveillance powers over citizens every proposed in a Western democracy which it also warns pose a risk to the integrity of end-to-end encryption (E2EE).

The opinion, written by the barrister Matthew Ryder KC of Matrix Chambers, was commissioned by Index on Censorship, a group that campaigns for freedom of expression.

Ryder was asked to consider whether provisions in the bill are compatible with human rights law.

His conclusion is that — as is –– the bill lacks essential safeguards on surveillance powers that mean, without further amendment, it will likely breach the European Convention on Human Rights (ECHR).

The bill’s progress through parliament was paused over the summer — and again in October — following political turbulence in the governing Conservative Party. After the arrival of a new digital minister, and two changes of prime minister, the government has indicated it intends to make amendments to the draft — however these are focused on provisions related to so-called ‘legal but harmful’ speech, rather than the gaping human rights hole identified by Ryder.

We reached out to the Home Office for a response to the issues raised by his legal opinion.

A government spokesperson replied with an emailed statement, attributed to minister for security Tom Tugendhat, which dismisses any concerns:

“The Online Safety Bill has privacy at the heart of its proposals and ensures we’re able to protect ourselves from online crimes including child sexual exploitation. It‘s not a ban on any type of technology or service design.

“Where a company fails to tackle child sexual abuse on its platforms, it is right that Ofcom as the independent regulator has the power, as a last resort, to require these companies to take action.

“Strong encryption protects our privacy and our online economy but end-to-end encryption can be implemented in a way which is consistent with public safety. The Bill ensures that tech companies do not provide a safe space for the most dangerous predators online.”

Ryder’s analysis finds key legal checks are lacking in the bill which grants the state sweeping powers to compel digital providers to surveil users’ online communications “on a generalised and widespread basis” — yet fails to include any form of independent prior authorisation (or independent ex post facto oversight) for the issuing of content scanning notices.

In Ryder’s assessment this lack of rigorous oversight would likely breach Articles 8 (right to privacy) and 10 (right to freedom of expression) of the ECHR.

Existing very broad surveillance powers granted to UK security services, under the (also highly controversial) Investigatory Powers Act 2016 (IPA), do contain legal checks and balances for authorizing the most intrusive powers — involving the judiciary in signing off intercept warrants.

But the Online Safety Bill leaves it up to the designated Internet regulator to make decisions to issue the most intrusive content scanning orders — a public body that Ryder argues is not adequately independent for this function.

“The statutory scheme does not make provision for independent authorisation for 104 Notices even though it may require private bodies – at the behest of a public authority – to carry out mass state surveillance of millions of user’s communications. Nor is there any provision for ex post facto independent oversight,” he writes. “Ofcom, the state regulator, cannot in our opinion, be regarded as an independent body in this context.”

He also points out that given existing broad surveillance powers under the IPA, the “mass surveillance” of online comms proposed in the Online Safety Bill may not meet another key human rights test — of being “necessary in a democratic society”.

While bulk surveillance powers under the IPA must be linked to a national security concern — and cannot be used solely for the prevention and detection of serious crime between UK users — yet the Online Safety Bill, which his legal analysis argues grants similar “mass surveillance” powers to Ofcom, covers a much broader range of content than pure national security issues. So it looks far less bounded. 

Commenting on Ryder’s legal opinion in a statement, Index on Censorship’s chief executive, Ruth Smeeth, denounced the bill’s overreach — writing:

“This legal opinion makes clear the myriad issues surrounding the Online Safety Bill. The vague drafting of this legislation will necessitate Ofcom, a media regulator, unilaterally deciding how to deploy massive powers of surveillance across almost every aspect of digital day-to-day life in Britain. Surveillance by regulator is perhaps the most egregious instance of overreach in a Bill that is simply unfit for purpose.”

Impact on E2EE

While much of the controversy attached to the Online Safety Bill — which was published in draft last year but has continued being amended and expanded in scope by government — has focused on risks to freedom of expression, there are a range of other notable concerns. Including how content scanning provisions in the legislation could impact E2EE, with critics like the Open Rights Group warning the law will essentially strong-arm service providers into breaking strong encryption.

Concerns have stepped up since the bill was introduced after a government amendment this July — which proposed new powers for Ofcom to force messaging platforms to implement content-scanning technologies even if comms are strongly encrypted on their service. The amendment stipulated that a regulated service could be required to use “best endeavours” to develop or source technology for detecting and removing CSEA in private comms — and private comms puts it on a collision course with E2EE.

E2EE remains the ‘gold standard’ for encryption and online security — and is found on mainstream messaging platforms like WhatsApp, iMessage and Signal, to name a few — providing essential security and privacy for users’ online comms.

So any laws that threaten use of this standard — or open up new vulnerabilities for E2EE — could have a massive impact on web users’ security globally.

In the legal opinion, Ryder focuses most of his attention on the Online Safety Bill’s content scanning provisions — which are creating this existential risk for E2EE.

The bulk of his legal analysis centers on Clause 104 of the bill — which grants the designated Internet watchdog (existing media and comms regulator, Ofcom) a new power to issue notices to in-scope service providers requiring them to identify and take down terrorism content that’s communicated “publicly” by means of their services or Child Sex Exploitation and Abuse (CSEA) content being communicated “publicly or privately”. And, again, the inclusion of “private” comms is where things look really sticky for E2EE.

Ryder takes the view that the bill, rather than forcing messaging platforms to abandon E2EE altogether, will push them towards deploying a controversial technology called client side scanning (CSS) — as a way to comply with 104 Notices issued by Ofcom — predicting that’s “likely to be the primary technology whose use is mandated”.

Clause 104 does not refer to CSS (or any technology) by name. It mentions only ‘accredited technology’. However, the practical implementation of 104 Notices requiring the identification, removal and/or blocking of content leads almost inevitably to the concern that this power will be used by Ofcom to mandate CSPs [communications service providers] using some form of CSS,” he writes, adding: “The Bill notes that the accredited technology referred to c.104 is a form of ‘content moderation technology’, meaning ‘technology, such as algorithms, keyword matching, image matching or image classification, which […] analyses relevant content’ (c.187(2)(11). This description corresponds with CSS.”

He also points to an article published by two senior GCHQ officials this summer — which he says “endorsed CSS as a potential solution to the problem of CSEA content being transmitted on encrypted platforms” — further noting that out their comments were made “against the backdrop of the ongoing debate about the OLSB [Online Safety Bill].”

Any attempt to require CSPs to undermine their implementation of end-to-end encryption generally, would have far-reaching implications for the safety and security of all global on-line of communications. We are unable to envisage circumstances where such a destructive step in the security of global online communications for billions of users could be justified,” he goes on to warn.

Client side scanning risk

CSS refers to controversial scanning technology in which the content of encrypted communications is scanned with the goal of identifying objectionable content. The process entails a message being converted to a cryptographic digital fingerprint prior to it being encrypted and sent, with this fingerprint then compared with a database of fingerprints to check for any matches with known objectionable content (such as CSEA). The comparison of these cryptographic fingerprints can take place either on the user’s own device — or on a remote service.

Wherever the comparison takes place, privacy and security experts argue that CSS breaks the E2E trust model since it fundamentally defeats the ‘zero knowledge’ purpose of end-to-end encryption and generates new risks by opening up novel attack and/or censorship vectors.

For example they point to the prospect of embedded content-scanning infrastructure enabling ‘censorship creep’ as a state could mandate comms providers scan for an increasingly broad range of ‘objectionable’ content (from copyrighted material all the way up to expressions of political dissent that are displeasing to an autocratic regime, since tools developed within a democratic system aren’t likely to be applied in only one place in the world).

An attempt by Apple to deploy CSS last year on iOS users’ devices — when it announced it would begin scanning iCloud Photo uploads for known child abuse imagery — led to a huge backlash from privacy and security experts. Apple first paused — and then quietly dropped reference to the plan in December, so it appears to have abandoned the idea. However governments could revive such moves by mandating deployment of CSS via laws like the UK’s Online Safety Bill which relies on the same claimed child safety justification to embed and enforce content scanning on platforms.

Notably, the UK Home Office has been actively supporting development of content-scanning technologies which could be applied to E2EE services — announcing a “Tech Safety Challenge Fund” last year to splash taxpayer cash on the development of what it billed at the time as “innovative technology to keep children safe in environments such as online messaging platforms with end-to-end encryption”.

Last November, five winning projects were announced as part of that challenge. It’s not clear how ‘developed’ — and/or accurate — these prototypes are. But the government is moving ahead with Online Safety legislation that this legal expert suggests will, de facto, require E2EE platforms to carry out content scanning and drive uptake of CSS — regardless of the state of development of such tech.

Discussing the government’s proposed amendment to Clause 104 — which envisages Ofcom being able to require comms service providers to ‘use best endeavours’ to develop or source their own content-scanning technology to achieve the same purposes as accredited technology which the bill also envisages the regulator signing off — Ryder predicts: It seems likely that any such solution would be CSS or something akin to it. We think it is highly unlikely that CSPs would instead, for example, attempt to remove all end-to-end encryption on their services. Doing so would not remove the need for them analyse the content of communications to identify relevant content. More importantly, however, this would fatally compromise security for their users and on their platforms, almost certainly causing many users to switch to other services.”

“[I]f 104 Notices were issued across all eligible platforms, this would mean that the content of a almost all internet-based communications by millions of people — including the details of their personal conversations — would be constantly surveilled by service providers. Whether this happens will, of course, depend on how Ofcom exercises its power to issue 104 Notices but the inherent tension between the apparent aim, and the need for proportionate use is self-evident,” he adds. 

Failure to comply with the Online Safety Bill will put service providers at risk of a range of severe penalties — so very large sticks are being assembled and put in place alongside sweeping surveillance powers to force compliance.

The draft legislation allowing for fines of up to 10% of global annual turnover (or £18M, whichever is higher). The bill would also enable Ofcom to be able to apply to court for “business disruption measures” — including blocking non-compliant services within the UK market. While senior execs at providers who fail to cooperate with the regulator could risk criminal prosecution.

For its part, the UK government has — so far — been dismissive of concerns about the impact of the legislation on E2EE.

In a section on “private messaging platforms”, a government fact-sheet claims content scanning technology would only be mandated by Ofcom “as a last resort”. The same text also suggests these scanning technologies will be “highly accurate” — without providing any evidence in support of the assertion. And it writes that “use of this power will be subject to strict safeguards to protect users’ privacy”, adding: “Highly accurate automated tools will ensure that legal content is not affected. To use this power, Ofcom must be certain that no other measures would be similarly effective and there is evidence of a widespread problem on a service.”

The notion that novel AI will be “highly accurate” for a wide-ranging content scanning purpose at scale is obviously questionable — and demands robust evidence to back it up.

You only need consider how blunt a tool AI has proven to be for content moderation on mainstream platforms, hence the thousands of human contractors still employed reviewing automated reports. So it seems highly fanciful that the Home Office has or will be able to foster development of a far more effective AI filter than tech giants like Google and Facebook have managed to devise over the past decades.

As for limits on use of content scanning notices, Ryder’s opinion touches on safeguards contained in Clause 105 of the bill — but he questions whether these are sufficient to address the full sweep of human rights concerns attached to such a potent power.

“Other safeguards exist in Clause 105 of the OLSB but whether those additional safeguards will be sufficient will depend on how they are applied in practice,” he suggests. “There is currently no indication as to how Ofcom will apply those safeguards and limit the scope of 104 Notices.

“For example, Clause 105(h) alludes to Article 10 of the ECHR, by requiring appropriate consideration to be given to interference with the right to freedom of expression. But there is no specific provision ensuring the adequate protection of journalistic sources, which will need to be provided in order to prevent a breach of Article 10.”

In further remarks responding to Ryder’s opinion, the Home Office emphasized that Section 104 Notice powers will only be used where there is no alternative, less intrusive measures capable of achieving the necessary reduction in illegal CSEA (and/or terrorism content) appearing on the service — adding that it will be up to the regulator to assess whether issuing a notice is necessary and proportionate, taking into account matters set out in the legislation including the risk of harm occurring on a service, as well as the prevalence of harm.

Technology

Mozilla acquires the team behind Pulse, an automated status updater for Slack

Published

on

Firefox developer Mozilla is making a rare foray into the world of mergers and acquisitions, with news that it has snapped up recently-shuttered California-based productivity startup Pulse.

Terms of the deal haven’t been disclosed, but the deal is tantamount to an “acqui-hire,” with Mozilla looking to deploy the Pulse team across an array of machine learning (ML) projects.

“We’re acquiring Pulse for the incredible team they have built,” Mozilla chief product officer Steve Teixeira told TechCrunch. “As we look to continue to improve user experiences across all of our products, ML will be a core part of that.”

Feel the pulse

Founded out of Menlo Park in 2019, Pulse in its initial guise was a “virtual office” platform called Loop Team, but after honing the idea for a couple of years it pivoted and rebranded last November. Pulse, essentially, was an automated status-updating tool that used signals based on pre-configured integrations and preferences set by the user.

For example, users could synchronize Pulse with their calendar and Slack, setting rules to stipulate what their status and corresponding emoji should be based on keywords in their calendar event title. If their schedule for a particular time says “hair appointment” from 12-1pm, then the person’s Slack status update might display a scissors emoji alongside the word “haircut.” Or, it might say “birthday” alongside a cake emoji if that’s what is in their calendar.

Pulse: Calendar rules

But Pulse sported myriad integrations with business tools that brought similar functionality. For example, users could link Pulse with Zoom, so that whenever they start a video meeting, a telephone emoji automatically displays in their Slack status to tell people they are unavailable.

Shutting shop

Pulse had flown largely under the radar since it started rolling out to a small group of users last December, but the company had apparently garnered some fairly big-name customers, including Netflix and 1Password, with monthly premium plans starting at around $3 per user.

The company was among TechCrunch’s Battlefield 200 startups at TC Disrupt in October, and TechCrunch interviewed Pulse cofounder and CEO Raj Singh at the event for a potential future startup profile piece. Singh said at the time that it was planning to raise a seed round of funding early in the new year, something that obviously won’t be happening now. When quizzed on whether Pulse was more like a feature that the big tech platforms could just build themselves, rather than a sustainable business in its own right, Singh was adamant that Pulse could thrive as a standalone product. While he acknowledged that companies such as Microsoft or Google might well want to develop a similar automated status update tool for their own products, they were less incentivised to make it work well as an integrated feature that plays ball with various third-party tools.

Pulse was all about communicating things to colleagues around the world passively, regardless of what tools they were using or what timezone they’re in. This is particularly important with remote work becoming the norm, and Pulse was looking to find its niche at a time when workplace culture is rapidly changing.

“A lot of people actually want to update their status, but it’s tedious,” Singh told TechCrunch in October. “But there’s hundreds of signals, and the thing we realised was status is not just ‘availability’, it’s actually a way to communicate empathy.”

While Pulse did have plans to expand beyond Slack into other workplace communication tools including Microsoft Teams and Google Workspace, the company abruptly announced in late October that it was shutting down. In an email distributed to customers at the time, the company attributed this to “market conditions,” noting that it was finding it difficult to raise fresh capital — but it did confirm that it had found a buyer, the identity of which was unknown until today. Singh also said in the email that there was a chance that the buyer could resurrect Pulse in some form, but there is little indication that Mozilla has such a plan on its radar.

What’s next

To the casual observer, Slack was probably the obvious contender to acquire Pulse. For starters, there is the fact that Pulse had been focused exclusively on Slack status updates. But on top of that, Singh had previously founded a smart calendar app called Tempo AI which he sold to Salesforce for an undisclosed sum in 2015.

Singh then joined Salesforce to help with the initial transition of Tempo AI’s technology into Salesforce’s Inbox app. And as we now know, Salesforce went on to acquire Slack in 2020, so with Singh’s connections to Salesforce and his product’s close alignment with Slack, there seemed like only one possible suitor here. 

Tempo AI Image Credits: Tempo AI

Alas, Slack hasn’t acquired Pulse — the Mozilla Corporation has. It is something of a surprise, if for no other reason than Mozilla isn’t renowned for its M&A endeavors, though it is starting to ramp up its investment efforts after launching its first venture capital fund last month. But its only known acquisition to date was back in 2017, when it snapped up Pocket, a popular read-it-later web-clipping service that Mozilla had already integrated into its Firefox browser two years previous.

As a side point, Pulse itself had been on something of an acquisition spree this year, buying rival status updating service Holopod back in January, followed by audio-based communications platform Commons in March. Then in May, news emerged that Pulse had acquired team communication startup Lounge.

“Our strategy [with M&A] is pretty straightforward — we look for opportunities to bring on talent and technology that helps us improve experiences for our customers,” Teixeira said. “With Pulse, this is about supplementing the skillsets we have here already as a way to speed up our development efforts. We have a high bar for any acquisition, but if we find teams and technologies with incredible talent that share our mission and vision for the future of the internet, we are absolutely open to pursuing a transaction.”

As it happens, Pocket may be an early beneficiary of the Pulse acquisition. While Mozilla ultimately plans to deploy the Pulse team across various projects, Teixeira says that an early focus will be on using ML to improve personalization in Pocket, which presumably means in the form of content recommendations.

It’s worth noting that Mozilla has dabbled with ML a fair bit in the past, including experimental projects inside Firefox that recommend content to users, as well as tracking prices across myriad online stores. The company is also leveraging ML across various voice and speech projects.

“We see opportunity to use ML in virtually all of our products, including Firefox, as a foundation for improving the experience for all of our customers,” Teixeira said.

Mozilla hasn’t revealed how much it’s doling out for the startup, but Pulse had only raised around $4.7 million in pre-seed funding according to Crunchbase data, and given its difficulties in raising fresh capital, it’s safe to assume that Mozilla hasn’t broken the bank here.

What Mozilla is getting for its money is six people, including Pulse’s three founders Raj Singh, Jag Srawan, and Rolf Rando, each bringing significant engineering, ML, and product execution experience to Mozilla’s ML efforts. Singh actually created his previous startup Tempo AI as a project inside SRI International, the Stanford research institute responsible for Siri. He rejoined SRI as executive in residence (EIR) after leaving Salesforce, remaining there until founding Pulse (then Loop Team) nearly four years ago.

“In building Pulse, we enabled a variety of machine learning experiences to make distributed teams feel more connected,” Singh noted. “Finding ways to use AI and machine learning to simplify tasks for users is our passion.”

Continue Reading

Technology

Here’s your chance to show off your expertise at TechCrunch’s founder summit

Published

on

Do you have what it takes to present at TechCrunch Early Stage on April 20 in Boston, Massachusetts? We’re looking for trendsetting, game-changing, later-stage startup founders and ecosystem experts — of every stripe — to apply for the opportunity to share their hard-won expertise at our annual founder summit.

An entrepreneurial bootcamp experience, TC Early Stage connects people in the beginning or early stages of their startup journey with top industry experts for hands-on training. Presenting at this event is an opportunity to align yourself with TechCrunch and position yourself as a thought leader for hundreds of early-stage entrepreneurs. Apply here now.

You have until January 6 to submit an application outlining the content you’d like to present. TechCrunch will vet each application and select the top contenders to participate in an Audience Choice voting round where TechCrunch readers will choose the sessions they want to see most at TC Early Stage.

Our call for outstanding content is officially open, and here are the important dates to keep in mind:

  • Application deadline: January 6
  • Notify Audience Choice participants: January 23
  • Voting period: January 30 through February 17
  • Notify winners: By February  22

If you can deliver content that elicits this kind of attendee feedback, we want to hear from you.

“Early Stage offered a great variety of sessions and speakers — top investors, founders and credible subject-matter experts — who gave unique insights based on personal experience. You get great mentorship through attending the Early Stage sessions. It’s like a mini masterclass in entrepreneurship.” — Ashley Barrington, founder, MarketPearl

Show us your content — apply today!

TC Early Stage, which takes place on April 20, 2023, in Boston, Massachusetts, provides access to essential information, resources and community connections to help nascent entrepreneurs reach their potential. Grab your ticket now — just $149 for the next 30 founders — and join us in Boston!

Is your company interested in sponsoring or exhibiting at TC Early Stage 2023? Contact our sponsorship sales team by filling out this form.

Continue Reading

Technology

Amplio helps companies find components when supply chain breaks down

Published

on

When Covid shut down much of the world down in 2020, it ended up wreaking havoc on the supply chain. Suddenly companies built for just-in-time production couldn’t find parts they needed to build their products.

Even as Covid subsided, the supply chain woes continued. Veterans of supply management like the founder of startup Amplio watched, and figured there had to be a better way to guard against these kinds of disruptions in the future using software to find parts wherever they were.

Amplio launched last year with that goal in mind, and today the startup announced a $6 million seed to build a system to help track parts shortages. Trey Closson, CEO and co-founder at Amplio says his company’s goal is to build more resilience into the electronic components supply chain.

“We help our customers understand the components that are at highest risk of leading to material shortages, and then we connect our customers to alternative sources of supply to mitigate those shortages,” Closson told TechCrunch.

He knows what he’s talking about. He spent his entire career in supply chain management, and he’s seen firsthand how disruptions can have a negative impact on a business’s ability to function. He blames “Just-in-time production” techniques for the problems we are seeing today.

“The supply chains have been designed for 30 or 40 years to optimize for cost and for the best case scenario, but the reality is that we don’t live in a world of best case scenarios. We live in a world of constant disruptions,” he said.

“The way that our platform works is that we’re connected to our customers’ systems of record or their ERP solutions, and we take in in their bill of materials and their operational data, and then combine that with external datasets to be able to show the customer their ability to source their particular components over the next six to 18 months,” he said.

Amplio parts inventory screen showing which parts could be in danger of having supply issues.

Image Credits: Amplio

What’s more, in cases where the customer isn’t able to source the components, customers can go to the Amplio marketplace to find suppliers or other manufacturers who might have surplus inventory they are trying to sell.

Closson’s most recent job was working at Koch Industries, leading international supply chain for Georgia Pacific, where he was on the front line of the Covid-induced toilet paper shortages. But he decided to focus his startup on electronic components.

“So while supply chain resilience is really critical across the market, we want to focus on the electronics industry, because it has such a tremendous impact on the global economy,” he said. He conceived of and incubated the company as part of a program run by Koch and High Alpha Innovation, the program launched by former Exact Target execs to help startups with enterprise-focused ideas.

The company currently has 6 employees, but plans to expand with the funding (which closed in May). He says as he grows the company, diversity and inclusion is a core building block. “Diversity is one of the core principles for our hiring and in decision making processes. So just from a selfish standpoint, diverse organizations make better decisions and have more creative ideas, and are ultimately more successful,” he said.

Today’s round was led by Construct Capital with participation from Slow Ventures, High Alpha Capital, Flexport Ventures, Alpaca Venture Capital and various industry angels.

Continue Reading

Trending