Government puts Facebook under pressure to stop end-to-end encryption over child abuse risks

Facebook faces growing government pressure to abandon its plans to offer users end-to-end encryption to secure the privacy of their messages as the NSPCC raises concerns about child protection

Home secretary Priti Patel will use a conference organised by the National Society for the Prevention of Cruelty to Children (NSPCC) today to warn that end-to-end encryption will severely erode the ability of tech companies to police illegal content, including child abuse and terrorism.

The home secretary’s intervention is the latest salvo in a long-running battle by ministers and the intelligence services against the growth of end-to-end encryption.

Speaking at a roundtable organised by the NSPCC to discuss the “next steps to securing child protection within end-to-end encryption”, Patel will warn that end-to-end encryption could deprive law enforcement of millions of reports of activities that could put children at risk.

“Sadly, at a time when we need to be taking more action, Facebook is pursuing end-to-end encryption plans that place the good work and progress achieved so far in jeopardy,” she is expected to say.

“The offending will continue, the images of children being abused will proliferate – but the company intends to blind itself to this problem through end-to-end encryption which prevents all access to messaging content.”

The Home Office estimates that 12 million reports of potential child abuse could be lost if Facebook introduces end-to-end encryption on Facebook Messenger and Instagram, significantly increasing the risk of child exploitation or other serious harm.

The NSPCC will present research at the event – which will be attended by child protection, civil society and law enforcement experts from the UK, US, Canada, Ireland and Australia – to show that more than half of UK adults believe the ability to detect child abuse images is more important than the protection of privacy.

End-to-end encryption is widely used by internet messaging services such as Signal, Telegram, email services including Protonmail and mailbox.org, and Facebook’s own WhatsApp messaging service, to protect the privacy of personal data and messages.

Encryption poses threat to detection of child abuse

A report published by the NSPCC today, based on research from PA Consulting, argues that tech companies have prioritised the privacy of adults over their duty of care to children.

The NSPCC’s chief executive, Peter Wanless, argues that end-to-end encryption could “render useless” the technology used by social media companies to identify child abuse images and to detect grooming and sexual abuse in private messages.  

“Private messaging is at the front line of child sexual abuse, but the current debate around end-to-end encryption risks leaving children unprotected where there is most harm,” he said.

Facebook’s proposals for end-to-end encryption are particularly high risk, the NSPCC says, because groomers can exploit the platform to contact children in large numbers and can groom and coerce them into sending images on encrypted chats and video calls.

“We need a coordinated response across society, but ultimately government must be a guardrail that protects child users if tech companies choose to put them at risk with dangerous design choices,” said Wanless.

Weakening encryption will put people at risk of crime

There is widespread concern that any attempt to weaken end-to-end encryption, for example by adding government-accessible “backdoors”, will damage the safety and security of ordinary people who are not suspected of any crime.

How technology can reduce risks of end-to-end encryption

Device solutions

Mobile phones or computers can be fitted with software that creates a digital signature of images and compares them against the signatures of harmful content stored in a database on the device before it is encrypted. The technology could be incorporated into operating systems. It is not clear how feasible updating the database would be. There are risks of users reverse-engineering or subverting the detection tools.

Server solutions

Software sends both the hashed signature of a user’s message and the encrypted message to a server. The server checks the hashed signature against a database of illegal images before releasing the encrypted message.
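
The device and server flows described in the two entries above, sketched as an added example (not code from the NSPCC report, PA Consulting or any messaging service). SHA-256 as the signature, the one-time-pad XOR standing in for the end-to-end cipher, and all function names and sample bytes are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed stand-ins for image bytes; not real content.
KNOWN_BAD = b"constructed-sample-flagged-image"
BENIGN = b"constructed-sample-holiday-photo"

def signature(data: bytes) -> str:
    # Assumption: SHA-256 as the "digital signature"; the page names no algorithm.
    return hashlib.sha256(data).hexdigest()

BLOCKLIST = {signature(KNOWN_BAD)}  # database of signatures of flagged content

def e2e_encrypt(data: bytes, key: bytes) -> bytes:
    # Assumption: one-time-pad XOR stands in for the messenger's end-to-end cipher.
    if len(key) != len(data):
        raise ValueError("pad must be as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))

def device_send(data, key, blocklist):
    """Device solution: compare on the handset, before encryption."""
    if signature(data) in blocklist:
        return None  # matched locally: nothing is encrypted or transmitted
    return {"ciphertext": e2e_encrypt(data, key)}

def client_send(data, key):
    """Server solution, client half: signature travels beside the ciphertext."""
    return {"signature": signature(data), "ciphertext": e2e_encrypt(data, key)}

def server_release(envelope, blocklist):
    """Server solution, server half: it never holds the key, only the envelope."""
    if envelope["signature"] in blocklist:
        return None  # withheld
    return envelope["ciphertext"]

def demo():
    results = {}
    for name, msg in (("benign", BENIGN), ("known_bad", KNOWN_BAD)):
        key = secrets.token_bytes(len(msg))  # shared only by sender and recipient
        env = client_send(msg, key)
        released = server_release(env, BLOCKLIST)
        results[name] = {
            "device_sent": device_send(msg, key, BLOCKLIST) is not None,
            "server_released": released is not None,
            "server_sees": sorted(env),
            # XOR with the same pad decrypts; only the recipient can do this.
            "recipient_reads": released is not None and e2e_encrypt(released, key) == msg,
        }
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

In the server flow the signature of every message leaves the device alongside the ciphertext, whereas in the device flow only the ciphertext does.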

Server backdoor

A “backdoor” allows service providers or government bodies access to a server to decrypt and assess the content of specific communications. The method creates a vulnerable access point that malicious hackers could exploit, while reducing privacy.

Secure cloud

Technology companies could create a “secure enclave” on the cloud that can decrypt communications and check the content before re-encrypting it. It offers an equivalent level of privacy to end-to-end encryption unless the service is compromised.

Homomorphic encryption

An advanced technology known as homomorphic encryption allows calculations to be performed on encrypted data without decrypting it first. It is possible to create a hash signature of the images and match them with hashes of images on a service as the message is transmitted. The technology is currently too slow to be used practically.

Safety by design

Governments have been urging technology companies to develop services that prioritise the protection of children. One example is the social media company TikTok, which has removed access to messaging for under-16s and blocks users from sending direct messages containing photographs or videos.

Source: End-to-end encryption – understanding the impacts for child safety online report by NSPCC based on research by PA Consulting.

End-to-end encryption has an important role in protecting financial transactions, helping people to avoid scams or blackmail, and allowing people to discuss their sexuality or religious beliefs in private.

Jim Killock, executive director of the Open Rights Group, which campaigns for privacy and free speech online, said restricting end-to-end encryption would expose ordinary people to greater risks on the internet.

“Everyday encryption isn’t just about privacy, it’s about your basic security. It’s about avoiding scams, avoiding blackmail, being able to use these products for financial transactions or business transactions,” he told Computer Weekly.

“It’s about being able to worry less about abusive partners, protecting people from domestic abuse,” he said. “Or being able to use communication services to explore their sexuality, their religious beliefs or any other number of things in a private space, securely, without risk.”

Facebook said end-to-end encryption protected people from having their private information misused.

“End-to-end encryption is already the leading security technology used by many services to keep people safe from having their private information hacked and stolen. Its full roll-out on our messaging services is a long-term project and we are building strong safety measures into our plans,” a spokesman said.

Facebook removes profiles, pages and Instagram groups that share sexualised images of children or contain inappropriate comments. In 2019, Facebook’s WhatsApp encrypted messaging service removed around 250,000 suspect profiles.

The company began experiments this year with pop-up alerts to warn people who type in search terms associated with child exploitation or who share viral child exploitative content.

Patel will say Facebook’s removal of accounts does not go anywhere near far enough.

Online Safety Bill requires companies to take action

The NSPCC will argue at the meeting that the debate about end-to-end encryption should not be “an either-or argument skewed in favour of adult privacy” rather than the safety and privacy rights of children.

Wanless said the focus should be on the impact of end-to-end encryption on the ability of tech firms to detect and disrupt abuse at an early stage, rather than the ability of law enforcement to access communications.

The charity’s concerns have won ready backing from government ministers who have tacitly threatened sanctions against Facebook if it fails to address child abuse on its platforms.

The government announced in March plans to introduce an Online Safety Bill which will impose a statutory “duty of care” on social media companies.

The communications regulator Ofcom will have powers to fine companies up to £18m, or 10% of their global turnover, if they fail to take action against communications used for terrorism, the sale of drugs and weapons, and child sexual abuse.

There is nothing in the government’s interim codes of practice that explicitly bans encryption. However, ministers argue that having end-to-end encryption will not exempt tech companies such as Facebook from having a duty of care towards children.

Ofcom will also be able to order tech companies to implement technical fixes if there is no other practical way to solve the problem.

Investigatory Powers Bill allows backdoors

In March, culture secretary Oliver Dowden told a press briefing that the government was working with Facebook to resolve the issue, but was keeping “all options on the table”, including new legislation.

The government has powers to issue secret orders to the company that will force it to install a “permanent capability” for the intelligence services and law enforcement to remotely access messages sent on Facebook Messenger.

Technical capability notices (TCNs), which were introduced under the Investigatory Powers Act 2016, give the government powers to order companies to break their encryption, or introduce government-designed malware. Employees face a maximum sentence of five years in jail if they disclose the existence or content of such an order.

The Open Rights Group’s Killock said it would be possible for the government to issue TCNs against Facebook that would prevent it from offering end-to-end encryption for UK users.

The order could require, for example, Facebook to negotiate with the government before making any changes to Facebook Messenger that would make it harder for the state to read messages on the platform.

“That could all happen in secret. There’s no reason for any public disclosure. Facebook would have no choice but to keep those measures in place for UK users,” he said.

Lobbying by intelligence services

The intelligence community has reported a growing trend towards the use of encryption to protect communications, following the release of the Edward Snowden documents in 2013.

This has led to a decline in the proportion of electronic communications they have the ability to access, according to the 2015 review of government investigatory powers.

The UK and the US have capabilities to harvest and analyse bulk messages transmitted over the internet from submarine cables and have legal powers to obtain communications from internet and phone companies.

The home secretary has been the most vocal government minister to call for law enforcement and intelligence agencies to have access to encrypted communications offered by Facebook and other companies.

The campaign against end-to-end encryption has won ready backing from ministers and the intelligence communities of the Five Eyes nations – the UK, the US, New Zealand, Australia and Canada – along with other countries.

Statements issued in a series of communiqués over the years have focused on the impact encryption is having on the ability of the intelligence services and law enforcement agencies to police the most serious crimes of child abuse and terrorism.

However, limiting end-to-end encryption would also open up the communications of people who are suspected of no crime to harvesting and analysis by GCHQ and its US equivalent, the National Security Agency (NSA).

This has led to a polarisation in the debate between law enforcement and those who are concerned that weakening encryption will damage the safety and security of law-abiding citizens.

Ross Anderson, professor of security engineering at the University of Cambridge, said the intelligence and security agencies appear to want to collect communications traffic from people’s phones rather than from service providers and telecoms companies.

“Collection on the network is less effective now that lots of traffic is encrypted – thanks to the Snowden revelations – while collection at the server depends on either getting paperwork to target a specific user or on the service provider’s content filter throwing up something of interest,” he said.  

The NSPCC said it was in the interest of technology firms to find a technical solution that allows them to continue to use technology to disrupt abuse “in an end-to-end encrypted world”.

In its report, the NSPCC puts forward technical solutions that could prevent the distribution of illegal content on social media while still preserving – at least to some degree – the privacy of users (see box: How technology can reduce risks of end-to-end encryption).

One possible solution is to use software on phones or computers to create digital signatures – or hashes – of images that people upload to messaging services and to compare them against a database of signatures of illegal content.

Anderson said there was a danger that such filters could also provide intelligence agencies with a backdoor into people’s mobile phones, allowing them to access messages, voice calls or remotely turn on a mobile phone’s microphone to listen in to a conversation.

UK leads lobby against encryption

20 January 2021: Home secretary Priti Patel meets with Facebook “to discuss Facebook encryption proposals and other relevant issues”.

3 April 2021: Facebook’s head of safety tells The Telegraph that Facebook would not encrypt its Facebook Messenger before 2022 at the earliest.

11 October 2020: Home secretary Priti Patel and US attorney general William Barr sign a statement calling for technology companies to enable law enforcement to have lawful access to content in a readable and usable format. They argue that end-to-end encryption undermines the ability of tech companies to police illegal content.

June 2020: Priti Patel warns a meeting of ministers from the Five Eyes countries that the threat of terrorism and online child abuse would increase if Facebook and similar companies continue with plans for end-to-end encryption.

4 October 2019: Home secretary Priti Patel, US attorney general William Barr and Australian minister for home affairs Peter Dutton sign an open letter to Facebook CEO Mark Zuckerberg, urging him to suspend plans for end-to-end encryption and saying Facebook should ensure that encryption does not increase the risk of harm, or prevent the lawful access to communications content.

30 July 2019: The home affairs ministers and attorneys general of the UK, US, Australia, New Zealand and Canada issue a communique calling for tech companies to provide government with lawful access to encrypted services.

6 March 2019: Facebook CEO Mark Zuckerberg announces plans for end-to-end encryption for messaging, declaring that the “future is private”.

November 2018: Ian Levy, technical director of the National Cyber Security Centre, a part of GCHQ, argued that technology companies could use “virtual crocodile clips” to allow intelligence agencies to listen to targeted encrypted communications. “You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication,” he wrote in an influential essay.

28-29 August 2018: Ministers from Australia, Canada, New Zealand, the UK and the US warn that the inability of intelligence and law enforcement to lawfully access encrypted data and communications poses challenges to law enforcement agencies.

21 February 2018: Then home secretary Amber Rudd meets with Apple to discuss encryption.

31 July 2017: Amber Rudd warns in an op-ed in The Telegraph that the inability to gain access to “encrypted data is limiting the ability to stop terrorist attacks and bring criminals to justice”. She says it is not about creating “backdoors” in encryption but there were opportunities in the trade-offs tech companies make between usability and security.

23 June 2017: Then home secretary and culture secretary Karen Bradley meets with Sheryl Sandberg, chief operating officer of Facebook, to discuss progress on an industry-led forum to tackle terrorist content online, end-to-end encryption and working with law enforcement.

23 February 2015: Mike Rogers, director-general of the US National Security Agency, uses a cyber security conference to defend government plans to access data held by US technology companies, arguing that “backdoors” would not fatally compromise encryption or be harmful to privacy. Alex Stamos, Yahoo’s chief information security officer, criticises Rogers, comparing the plan to “drilling holes in a windshield”. Rogers refuses to say whether Yahoo should create backdoors for Russia and China if they created similar laws.

13 February 2015: Apple’s chief executive, Tim Cook, warns of “dire consequences” if government attempts to weaken encryption lead to the sacrifice of privacy. “We still live in a world where all people are not treated equally. Too many people do not feel free to practice their religion or express their opinion or love who they choose,” he said.

January 2015: Then prime minister David Cameron, speaking in the wake of terrorist attacks in Paris, says a future government would give Britain’s intelligence agencies legal powers to break into the encrypted communications of suspected terrorists.

16 October 2014: FBI director James Comey gives a speech at the Brookings Institute saying he’s no longer seeking a “backdoor” to encrypted systems, but rather a “frontdoor”. The proposal is widely criticised.

September 2014: Europol reports in its Internet organised crime threat assessment (IOCTA) that “law enforcement needs to be equipped with the tools and techniques necessary to address the increase in and further sophistication of encryption and anonymisation”.
