I am delighted, so I am, that so many of you are discovering what some of us have been warning for six years. And I’m equally delighted that so many of you are discovering what some of us have been working on – or rather, against – for six years.
(Did you detect my dripping Glaswegian sarcasm there? If not, try again.)
I do have a few things to say about what the OSA will mean for things going forward, as opposed to engaging in constant retrospection, but I’m in thorough dissertation writing mode right now. So I’ll write ’em when I write ’em.
In the meantime, here’s a tale from the journey. Yes, that “expert” would be me.
I’m laughing at it now, in fact, I was laughing at it on the day. But not everyone would.
It would be interesting to know your predictions for how this plays out. My obviously-apocalyptic theory is that the internet essentially becomes entirely inaccessible from the UK, with all UK internet companies dying. Except that, curiously, there is a vast amount of VPN traffic. An attempt is made to ban VPNs. In one scenario this succeeds, and a few days later banks, now no longer able to use VPNs, are successfully attacked resulting in the end of money in what was formerly the UK. More reasonably the attempt fails and the UK ‘intelligence’ services have to live with the complete loss of any kind of detailed traffic analysis due to their own vast stupidity.
As often happens in the OSA, when someone makes a joke, I don’t always laugh because it actually happened.
In March 2021, a centre-right think tank, the Centre for Social Justice, released a report with policy proposals re: CSEA. Its signatory was the Centre’s chair, Sajid Javid, who at the time was an MP and the Secretary of State for Health and the former Home Secretary.
The report called for, as I was warning was likely, the use of end-to-end encryption to qualify as a violation of the “duty of care” in the Online Safety Bill. They wrote: “It will be insufficient for a platform to argue that introducing such a high-risk design feature will have benefits in other spaces like user privacy and preventing online financial crime.” (emphasis mine).
Page 57 went on to recommend that Ofcom should apply sanctions for this breach – e.g. the use of e2e encryption – *retroactively*. Those sanctions should include “criminal sanctions and bans” for companies which had deployed it.
So right there, you had a Cabinet-level policymaker seriously proposing that the financial security of the United Kingdom was an acceptable sacrifice, and that organisations (such as banks and, I dunno, the NHS) which deployed it to safeguard the most private data imaginable needed their management teams thrown into a police car.
That was, like, one week’s drama in 2021.