sdecoret - stock.adobe.com
The government is funding a campaign that will put pressure on Facebook and other tech companies over their plans to introduce encrypted messaging services, warning that millions of cases of child abuse could go undetected.
The Home Office-backed campaign, known as No Place to Hide, warns that social media sites are “willfully blindfolding” themselves to child sexual abuse by introducing end-to-end encryption on messaging services.
The campaign, coordinated by M&C Saatchi, aims to bring together charities and experts to warn parents over the risks of end-to-end encryption.
The move has prompted a backlash from critics including the Open Rights Group (ORG), which accused the government of “scaremongering”.
Jim Killock, executive director of the Open Rights Group, said: “If the government weakens encryption, it will only help predators, criminals, blackmailers and scammers.”
The campaign is the latest salvo in a long-running battle by ministers and the intelligence services against the growth of end-to-end encryption.
Turning the lights off
No Place to Hide, which is backed by £500,000 from the Home Office, describes itself as a public awareness campaign which aims to alert parents to the dangers of end-to-end encryption. It claims that 14 million reports of suspected online child abuse could be lost every year if end-to-end encryption goes ahead.
A steering group of charities, led by Barnardo’s, the Lucy Faithful Foundation, the Marie Collins Foundation and SafeToNet are driving the work. Police forces, including the National Crime Agency (NCA), are also backing the campaign.
“Rolling out end-to-end encryption without safety measures in place would be like turning the lights off on the ability to identify child sex abusers online. These plans will mean that social media companies can no longer see the abuse that happens on their platforms,” the campaign groups said.
Rhiannon-Faye McDonald, survivor and subject matter expert at Marie Collins Foundation, said that it was important for social media companies to consider the privacy of victims of abuse.
“I have a right to privacy as a survivor of child sexual abuse. My abuse was recorded with photos and videos, which may be out there now as I speak,” she said.
“We want an assurance that E2EE [end-to-end encryption] will not enable and make it easier for child sex abusers to harm children, either directly by finding and grooming them or indirectly by circulating child sexual abuse material,” she added.
Although the campaign does not name Meta, which owns Facebook, home secretary Priti Patel has repeatedly criticised Facebook’s plans to introduce end-to-end encryption on its Messenger and Instagram services.
No Place to Hide refers to figures from the National Center For Missing and Exploited Children (NCMEC) in the US, which shows that Facebook was the source of the highest number of child abuse reports, some 203 million, from electronic service providers – some 94% of the total in 2020.
Facebook disclosed in November that it planned to delay rolling out full end-to-end encryption as the default across all of its services from 2022, and was now aiming for sometime in 2023.
Meta wrote in an article in the Sunday Telegraph that it was continuing to engage with outside experts to develop effective solutions to combat abuse.
Commentators described the first phase of the campaign launched on Twitter today as one-sided, and said its backers should also present the arguments in favour of end-to-end encryption.
Neil Brown, internet and telecoms lawyer at decoded.legal, wrote in a blogpost that the government-backed campaign had been silent on the legitimate benefits of encryption for information security, and said nothing about how children could be protected while still enabling encryption.
At issue is the question of whether it is possible for tech companies to introduce scanning technology that could identify illegal images sent through end-to-end encrypted messaging services, without fundamentally weakening secure communications or giving governments a backdoor route to monitor the public’s private communications.
Proposals to use “client-side scanning” technology that would covertly scan messages for possible abuse material on Apple iPhones before they were encrypted and to deliver reports to law enforcement were condemned by the world’s top cryptographic experts and internet pioneers in October as unworkable, vulnerable to abuse, and a threat to safety and security.
Meta is working with law enforcement
Antigone Davis, global head of safety at Meta, which owns Facebook, said in response to the campaign that Facebook prevented harm to children by banning suspicious profiles and restricting adults from sending messages to children they are not connected to on Facebook, among other measures.
“The overwhelming majority of Brits already rely on messaging services which use end-to-end encryption to keep them safe from hackers, fraudsters and criminals. We agree on the need for strong safety measures that work with encryption and are building these into our plans,” she said.
“We’re also encouraging people to report harmful messages to us so we can see the contents, respond swiftly and make referrals to the authorities. As we roll out this technology, we’re taking our time to get it right and are working with outside experts and law enforcement to help keep people safe online,” she added.
Online Safety Bill
Jim Killock, executive director from Open Rights Group, claimed that the campaign may be designed to “soften up” public opinion prior to amendments to the Online Safety Bill currently going through Parliament. “If the government weakens encryption, it will only help predators, criminals, blackmailers, and scammers,” he said.
Section 4 of the draft Online Safety Bill gives the communications regulator Ofcom powers to issue “technology notices” that require social media companies to install “accredited equipment” to identify child abuse and terrorist content.
That could include software to identify and categorise images and text or to compare the content of messages to the hashes of known images logged on the Home Office’s Child Abuse Image Database (CAID) and other databases before they are encrypted.
This will mean that encryption will either be disabled or the technology companies will create some kind of “backdoor” that will leave those users vulnerable to fraud, scams and invasions of privacy, the ORG argued.
The government also has powers to issue secret orders to force social media companies to install a “permanent capability” for the intelligence services and law enforcement to remotely access the contents of messages.
Technical capability notices (TCNs), which were introduced under the Investigatory Powers Act 2016, give the government powers to order companies to break their encryption or to introduce government-designed malware. Employees face a maximum sentence of five years in jail if they disclose the existence or content of such an order.
Tech companies should ‘take responsibility’
A Home Office spokesperson said that technology companies must take responsibility for tackling the most serious illegal content on their platforms and for protecting their users.
“The UK government supports encryption and believes that end-to-end encryption can be implemented responsibly in a way which is consistent with public safety,” the spokesperson said.
The Home Office has offered a prize to companies that can implement end-to-end encryption “without opening the door to greater levels of child sexual abuse” through its Safety Tech Challenge.
Ciaran Martin, founder and former CEO of GCHQ’s National Cyber Security Centre, and now a professor at the University of Oxford, said in a lecture at the Bingham Centre for the Rule of Law in November that he was sceptical of the project’s chances of success.
“The government has some way to go to convince people that it has not just launched a competition to develop the digital age equivalent of alchemy,” he said.
UK leads lobby against end-to-end encryption
8 January 2022: Bernardo’s and other groups, working with advertising agency M&C Saatchi, start the No Place to Hide campaign with £500,000 backing from the Home Office, stepping up pressure on technology companies over the use of end-to-end encryption.
23 November 2021: Ciaran Martin, founder and former CEO of GCHQ’s National Cyber Security Centre, states in a lecture that end-to-end encryption must be permitted unless a technical compromise can be found that is acceptable to the tech industry and cryptography experts.
20 November 2021: The head of safety at Meta, Facebook’s parent company wrote in the Sunday Telegraph that the company did not plan to finish the roll-out of end-to-end encryption by default across all of its messaging services until some time in 2023. “We are talking time to get this right,” she said.
18 April 2021: Priti Patel uses a conference organised by the National Society for the Prevention of Cruelty to Children (NSPCC) to warn that end-to-end encryption will severely erode the ability of tech companies to police illegal content, including child abuse and terrorism.
20 January 2021: Home secretary Priti Patel meets with Facebook “to discuss Facebook encryption proposals and other relevant issues”.
3 April 2021: Facebook’s head of safety tells The Telegraph that Facebook would not encrypt its Facebook Messenger before 2022 at the earliest.
11 October 2020: Home secretary Priti Patel and US attorney general William Barr sign a statement calling for technology companies to enable law enforcement to have lawful access to content in a readable and usable format. They argue that end-to-end encryption undermines the ability of tech companies to police illegal content.
June 2020: Priti Patel warns a meeting of ministers from the Five Eyes countries that the threat of terrorism and online child abuse would increase if Facebook and similar companies continue with plans for end-to-end encryption.
4 October 2019: Priti Patel, US attorney general William Barr and Australian minister for home affairs Peter Dutton sign an open letter to Facebook CEO Mark Zuckerberg, urging him to suspend plans for end-to-end encryption and saying Facebook should ensure that encryption does not increase the risk of harm or prevent the lawful access to communications content.
30 July 2019: The home affairs ministers and attorneys general of the UK, US, Australia, New Zealand and Canada issue a communique calling for tech companies to provide government with lawful access to encrypted services.
6 March 2019: Facebook CEO Mark Zuckerberg announces plans for end-to-end encryption for messaging, declaring that the “future is private”.
November 2018: Ian Levy, technical director of the National Cyber Security Centre, a part of GCHQ, argued that technology companies could use “virtual crocodile clips” to allow intelligence agencies to listed to targeted encrypted communications. “You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication,” he wrote in an influential essay.
28-29 August 2018: Ministers from Australia, Canada, New Zealand, the UK and the US warn that the inability of intelligence and law enforcement to lawfully access encrypted data and communications poses challenges to law enforcement agencies.
21 February 2018: Then home secretary Amber Rudd meets with Apple to discuss encryption.
31 July 2017: Amber Rudd warns in an op-ed in The Telegraph that the inability to gain lack of access to “encrypted data is limiting the ability to stop terrorist attacks and bring criminals to justice”. She says it is not about creating “backdoors” in encryption, but there were opportunities in the trade-offs tech companies make between usability and security.
23 June 2017: Then home secretary and culture secretary Karen Bradley meets with Sheryl Sandberg, chief operating officer of Facebook, to discuss progress on an industry-led forum to tackle terrorist content online, end-to-end encryption and working with law enforcement.
23 February 2015: Mike Rogers, director-general of the US National Security Agency, uses a cyber security conference to defend government plans to access data held by US technology companies, arguing that “backdoors” would not fatally compromise encryption or be harmful to privacy. Alex Stamos, Yahoo’s chief information security officer, criticises Rogers, comparing the plan to “drilling holes in a windshield”. Rogers refuses to say whether Yahoo should create backdoors for Russia and China if they created similar laws.
13 February 2015: Apple’s chief executive, Tim Cook, warns of “dire consequences” if government attempts to weaken encryption lead to the sacrifice of privacy. “We still live in a world where all people are not treated equally. Too many people do not feel free to practice their religion or express their opinion or love who they choose,” he said.
January 2015: Then prime minister David Cameron, speaking in the wake of terrorist attacks in Paris, says a future government would give Britain’s intelligence agencies legal powers to break into the encrypted communications of suspected terrorists.
16 October 2014: FBI director James Comey gives a speech at the Brookings Institute saying he’s no longer seeking a “backdoor” to encrypted systems, but rather a “frontdoor”. The proposal is widely criticised.
September 2014: Europol reports in its Internet organised crime threat assessment (IOCTA) that “law enforcement needs to be equipped with the tools and techniques necessary to address the increase in and further sophistication of encryption and anonymisation”.
Read more on Identity and access management products
EU plans to police child abuse raise fresh fears over encryption and privacy rights
IT professionals wary of government campaign to limit end-to-end encryption
Tech companies risk being compelled by law to protect children, says online safety expert
MPs say Online Safety Bill fails to tackle full range of harms