The Home Secretary Priti Patel will use a conference organised by the NSPCC today to warn that end-to-end encryption will severely erode the ability of tech companies to police illegal content, including child abuse and terrorism.
The Home Secretary’s intervention is the latest salvo in a long running battle by ministers and the intelligence services against the growth of end-to-end encryption.
Speaking at a round table organised by the NSPCC to discuss the “next steps to securing child protection within end-to end encryption,” Patel will warn that end to encryption could deprive law enforcement of millions of reports of activities that could put children at risk.
“Sadly, at a time when we need to be taking more action, Facebook are pursuing end-to-end encryption plans that place the good work and progress achieved so far in jeopardy,” she is expected to say.
“The offending will continue, the images of children being abused will proliferate – but the company intends to blind itself to this problem through end-to-end encryption which prevents all access to messaging content.”
The Home Office estimates that 12 million reports of potential child abuse could be lost if Facebook introduced end to end encryption on Facebook Messenger and Instagram, significantly increasing the risk of child exploitation or other serious harm.
The NSPCC will present research at the event – which will be attended by child protection, civil society and law enforcement experts from the UK, US, Canada, Ireland and Australia – to show that more than half of UK adults believe the ability to detect child abuse images is more important than protection of privacy.
End to end encryption is widely used by internet messaging services such as Signal, Telegram, email services including Protonmail and mailbox.org, and Facebook’s own WhatsApp messaging service, to protect the privacy of personal data and messages.
Encryption poses threat to detection of child abuse
A report published by the NSPCC today from based on research from PA Consulting, argues that tech companies have prioritised the privacy of adults at the expense of their duty of care to children.
The NSPCC’s chief executive, Peter Wanless argues that end to end encryption could “render useless” the technology used by social media companies to identify child abuse images and to detect grooming and sexual abuse in private messages.
“Private Messaging is at the frontline of child sexual abuse but the current debate around end -to-end encryption risks leaving children unprotected where there is most harm,” he said.
Facebook’s proposals for end-to-end encryption are particularly high risk, the NSPCC says, because groomers can exploit the platform to contact children in large numbers and can groom and coerce them into sending images on encrypted chats and video calls.
“We need a coordinated response across society but ultimately government must be a guardrail that protects child users if tech companies chose to put them at risk with dangerous design choices,” said Wanless.
Weakening encryption will put people at risk of crime
There is widespread concern that any attempt to weaken end-to-end encryption, for example by adding government-accessible “back doors” will damage the safety and security of ordinary people who are not suspected of any crime.
End-to-end encryption has an important role in protecting the security of people by protecting financial transactions, helping people to avoid scams, blackmail, or by allowing people to discuss their sexuality or religious beliefs in private.
Jim Killock, executive director of the Open Rights Group, which campaigns for privacy and free speech online, said that restricting end-to-end encryption would expose ordinary people to greater risks on the internet.
“Every day encryption isn’t just about privacy, it’s about your basic security. It’s about avoiding scams, avoiding blackmail, being able to use these products for financial transactions or business transactions,” he told Computer Weekly.
“Its about being able to worry less about abusive partners, protecting people from domestic abuse,” he said. “Or being able to use communication services to explore their sexuality, their religious beliefs or any other number of things in a private space, securely, without risk.”
Facebook said that end-to-end encryption protected people from having their private information misused.
“End-to-end encryption is already the leading security technology used by many services to keep people safe from having their private information hacked and stolen. Its full rollout on our messaging services is a long-term project and we are building strong safety measures into our plans,” a spokesman said.
Facebook removes profiles, pages and Instagram groups that share sexualized images of children, or contain inappropriate comments.In 2019 Facebook’s WhatsApp encrypted messaging service removed around 250,000 suspect profiles.
The company began experiments this year with pop-up alerts to warn people who type in search terms associated with child exploitation or who share viral child exploitative content.
Patel will say Facebook’s removal of accounts does not go anywhere near far enough.
Online Safety Bill requires companies to take action
The NPSCC will argue at the meeting that the debate about end-to-end encryption should not be “an ‘either or argument’ skewed in favour of adult privacy” rather than the safety and privacy rights of children.
Wanless said the focus should be on the impact end-to-end encryption on the ability of tech firms to detect and disrupt abuse at an early stage, rather than the ability of law enforcement to access communications.
The charity’s concerns have won ready backing from government ministers who have tacitly threated sanctions against Facebook if it fails to address child abuse on its platforms.
The government announced in March 2021 plans to introduce an Online Safety Bill which will impose a statutory “duty of care” on social media companies.
The communications regulator OFCOM will have powers to fine companies up to £18 million or 10% of their global turnover, if they fail to take action against communications used for terrorism, the sale of drugs and weapons, and child sexual abuse.
There is nothing in the government’s interim codes of practice that explicitly bans encryption, however ministers argue having end-to-end encryption will not exempt tech companies like Facebook from having a duty of care towards children.
OFCOM will also be able to order tech companies to implement technical fixes if there is no other practical way to solve the problem.
Investigatory Powers Bill allows ‘backdoors’
In March, the Culture Secretary, Oliver Dowden told a press briefing that the government was working with Facebook to resolve the issue but was keeping “all options on the table” including new legislation.
The govenment has powers to issues secret orders to the company, that will force it to install a “permanent capability” for the intelligence services and Law Enforcement the ability to remotely access messages sent on Facebook Messenger.
Technical Capability Notices (TCNs), which were introduced under the Investigatory Powers Act 2016, give the government powers to order companies to break their encryption, or introduce government designed malware. Employees face a maximum sentence of five years in jail if they disclose the existence or content of such an order.
Jim Killock of the Open Rights Group said that it would be possible for the government to issue TCN against Facebook that would prevent it from offering end to end encryption for UK users.
The order could require, for example, Facebook to negotiate with the government before making any changes to Facebook Messenger, that would make it harder for the state to read messages on the platform.
“That could all happen in secret. There’s no reason for any public disclosure. Facebook would have no choice but to keep those measures in place for UK users,” he said.
Lobbying by Intelligence Services
The Intelligence Community has reported a growing trend towards the use of encryption to protect communications, following the release of the Snowden documents in 2013.
This has lead to a decline in the proportion of electronic communications that they have the ability to access, according to the 2015 review of government investigatory powers.
The UK and the US have capabilities to harvest and analyse bulk messages transmitted over the internet from submarine cables and have legal powers to obtain communications from internet and phone companies.
The home secretary, Priti Patel, has been the most vocal government minister to call for law enforcement and intelligence agencies to have access to encrypted communications offered by Facebook and other companies.
The campaign against end-to-end encryption has won ready backing from ministers and the intelligence communities of the Five Eyes nations, the UK, the US, New Zealand, Australia and Canada, along with other countries.
Statements issued in a series of communiqués over the years have focused on the impact that encryption is having on the ability of the intelligence services and law enforcement agencies to police the most serious crimes of child abuse and terrorism.
However limiting end-to-end encryption would also open up the communications of people who are suspected of no crime, to harvesting and analysis by GHCQ and its US equivalent, the NSA.
This has led to a polarisation in the debate between law enforcement and those who are concerned that weakening encryption will damage the safety and security of law abiding citizens.
Ross Anderson, professor of security engineering at the University of Cambridge said that the intelligence and security agencies appear to want to collect communications traffic from people’s phones rather than from service providers and telecoms companies.
“Collection on the network is less effective now that lots of traffic is encrypted – thanks to the Snowden revelations – while collection at the server depends on either getting paperwork to target a specific user, or on the service provider’s content filter throwing up something of interest,” he said.
The NSPCC said it was in the interest of technology firms to find a technical solution that allows them to continue to use technology to disrupt abuse “in an end-to-end encrypted world”.
In its report, the NSPCC puts forward technical solutions that could prevent the distribution of illegal content on social media while still preserving – at least to some degree – the privacy of users.
On possible solution is to use software on phones or computers to create digital signatures – or hashes – of images that people upload to messaging services and to compare them a database of signatures of illegal content.
Ross Anderson, said there was a danger that such filters could also provide intelligence agencies with a back door into people’s mobile phones, allowing them to access messages, voice calls or remotely turn on a mobile phone’s microphone to listen in to a conversation.
How technology can risks of end-to-end encryption
Mobile phones or computers can be fitted with software which create a digital signature of images and compare them against the signatures of harmful content stored in a database on the device before it is encrypted. The technology could be incorporated into operating systems. It is not clear how feasible updating the database would be. There are risks of users reverse-engineering or subverting the detection tools.
Software sends both the hashed signature of a users message and the encrypted message to a server. The server checks the hashed signature against a database of illegal images before releasing the encrypted message.
A “back door” allows service providers or government bodies access to a server to decrypt and assess the content of a specific communications. The method creates a vulnerable access point that malicious hackers could exploit, while reducing privacy.
Technology companies could create a “secure enclave” on the cloud that can decrypt communications and check the content before re-encrypting it. It offers an equivalent level of privacy to end-to-end encryption, unless the service is compromised.
An advanced technology known as homomorphic encryption allows calculations to be performed on encrypted data without decrypting it first. It is possible to create a hash signature of the images and match them with hashes of images on a service as the message is transmitted. The technology is currently too slow to be used practically.
Safety by design
Governments have been urging technology companies to develop services that prioritise the protection of children. One example is the social media company Tik Tok, which has removed access to messaging for under 16’s and blocks users from sending direct messages containing photographs or videos.
Source: “End-to-end encryption – understanding the impacts for child safety online” report by NSPCC based on research by PA Consulting.
UK leads lobby against encryption
20 January 2021 The Home secretary, Priti Patel, meets with Facebook “to discuss Facebook encryption proposals and other relevant issues.”
3 April 2021 Facebook’s head of safety says in an interview with the Telegraph that Facebook would not encrypt its Facebook Messenger before 2022 at the earliest.
11 October 2020 Home secretary Priti Patel, William Barr, attorney general of the USA, sign a statement calling for technology companies to enable law enforcement to have lawful access to content in a readable and usable format. They argue that end-to-end encryption undermines the ability of tech companies to police illegal content.
June 2020 Home secretary, Priti Patel warns a meeting of ministers from the Five Eyes countries (UK, USA, New Zealand, Australia and Canada) that the threat of terrorism and online child abuse would increase if Facebook and similar companies continue with plans for end-to-end encryption
4 October 2019 The home secretary, Priti Patel, and the US Attorney General, William Barr, and Peter Dutton, Australian minster for home affairs sign an open letter to Facebook CEO Mark Zuckerberg, urging him to suspend plans for end-to-end encryption. Facebook should ensure that encryption does not increase the risk of harm, or prevent the lawful access to communications content.
30 July 2019 The home affairs ministers and attorneys general of the United Kingdom, United States, Australia, New Zealand and Canada issue a communique calling for tech companies to provide government with lawful access to encrypted services. .
6 March 2019 Facebook CEO, Mark Zuckerberg announces plans for end-to-end encryption for messaging, declaring that the Future is Private.
November 2018 Ian Levy, technical director of the National Cyber Security Centre, a part of GCHQ, argued that technology companies could use “virtual crocodile clips” to allow intelligence agencies to listed to targeted encrypted communications. “You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication,” he wrote in an influential essay.
28-29 August 2018 Ministers from Australia, Canada, New Zealand, the UK and the US warn that the inability of intelligence and law enforcement to lawfully access encrypted data and communications poses challenges to law enforcement agencies.
21 February 2018 The then Home Secretary, Amber Rudd, meets with Apple to discuss encryption.
31 July 2017 Home secretary, Amber Rudd, warns in an op-ed in the Telegraph that the inability to gain lack of access to “encrypted data is limiting the ability to stop terrorist attacks and bring criminals to justice.” She said it was not about creating “back doors” in encryption but there were opportunities in the trade-offs tech companies make between usability and security.
23 June 2017 The then Home secretary and Culture Secretary, Karen Bradley, met with Sheryl Sandberg, Chief Operating Officer of Facebook, to discuss progress on an industry-led forum to tackle terrorist content online, end-to-end encryption and working with law enforcement.
23 February 2015 Mike Rogers, the Director General of the US National Security Agency uses a cyber security conference to defend government plans to access data held by US technology companies arguing that “backdoors” would not fatally compromise encryption or be harmful to privacy.
Alex Stamos, Yahoo’s chief information security officer, criticises Rogers, comparing the plan to “drilling holes in a windshield.” Rogers refuses to say whether Yahoo should create backdoors for Russia and China if they created similar laws.
13 February 2015 Apple’s chief executive, Tim Cook, warns of “dire consequences” if government attempts to weaken encryption lead to the sacrifice of privacy. “We still live in a world where all people are not treated equally. Too many people do not feel free to practice their religion or express their opinion or love who they choose,” he said.
January 2015 Prime Minister, David Cameron, speaking in the wake of terrorist attacks in Paris, said that a future government would give Britain’s intelligence agencies legal powers to break into the encrypted communications of suspected terrorists.
16 October 2014 FBI Director James Comey gives a speech at the Brookings institute saying he’s no longer seeking a “back door” to encrypted systems, but rather a “front door”. The proposal is widely criticised.
September 2014 Europol reports in its Internet Organised Crime Threat Assessment (iOCTA) that “law enforcement needs to be equipped with the tools and techniques necessary to address the increase in and further sophistication of encryption and anonymisation.”