Government funds charity campaign to warn big tech over the risks of encryption to children

Turning the lights off

No Place to Hide, which is backed by £500,000 from the Home Office, describes itself as a public awareness campaign which aims to alert parents to the dangers of end-to-end encryption. It claims that 14 million reports of suspected online child abuse could be lost every year if end-to-end encryption goes ahead.

A steering group of charities, led by Barnardo’s, the Lucy Faithful Foundation, the Marie Collins Foundation and SafeToNet are driving the work. Police forces, including the National Crime Agency (NCA), are also backing the campaign.

“Rolling out end-to-end encryption without safety measures in place would be like turning the lights off on the ability to identify child sex abusers online. These plans will mean that social media companies can no longer see the abuse that happens on their platforms,” the campaign groups said.

Rhiannon-Faye McDonald, survivor and subject matter expert at Marie Collins Foundation, said that it was important for social media companies to consider the privacy of victims of abuse.

“I have a right to privacy as a survivor of child sexual abuse. My abuse was recorded with photos and videos, which may be out there now as I speak,” she said.

“We want an assurance that E2EE [end-to-end encryption] will not enable and make it easier for child sex abusers to harm children, either directly by finding and grooming them or indirectly by circulating child sexual abuse material,” she added.

Facebook targeted

Although the campaign does not name Meta, which owns Facebook, home secretary Priti Patel has repeatedly criticised Facebook’s plans to introduce end-to-end encryption on its Messenger and Instagram services.

No Place to Hide refers to figures from the National Center For Missing and Exploited Children (NCMEC) in the US, which shows that Facebook was the source of the highest number of child abuse reports, some 203 million, from electronic service providers – some 94% of the total in 2020.

Facebook disclosed in November that it planned to delay rolling out full end-to-end encryption as the default across all of its services from 2022, and was now aiming for sometime in 2023.

Meta wrote in an article in the Sunday Telegraph that it was continuing to engage with outside experts to develop effective solutions to combat abuse.

One-sided campaign

Commentators described the first phase of the campaign launched on Twitter today as one-sided, and said its backers should also present the arguments in favour of end-to-end encryption.

Neil Brown, internet and telecoms lawyer at decoded.legal, wrote in a blogpost that the government-backed campaign had been silent on the legitimate benefits of encryption for information security, and said nothing about how children could be protected while still enabling encryption.

“Perhaps the government’s campaign could do with a little more balance and detail on the risks of communicating without #E2EE?” he wrote in a tweet.

At issue is the question of whether it is possible for tech companies to introduce scanning technology that could identify illegal images sent through end-to-end encrypted messaging services, without fundamentally weakening secure communications or giving governments a backdoor route to monitor the public’s private communications.

Proposals to use “client-side scanning” technology that would covertly scan messages for possible abuse material on Apple iPhones before they were encrypted and to deliver reports to law enforcement were condemned by the world’s top cryptographic experts and internet pioneers in October as unworkable, vulnerable to abuse, and a threat to safety and security.

Meta is working with law enforcement

Antigone Davis, global head of safety at Meta, which owns Facebook, said in response to the campaign that Facebook prevented harm to children by banning suspicious profiles and restricting adults from sending messages to children they are not connected to on Facebook, among other measures.

“The overwhelming majority of Brits already rely on messaging services which use end-to-end encryption to keep them safe from hackers, fraudsters and criminals. We agree on the need for strong safety measures that work with encryption and are building these into our plans,” she said.

“We’re also encouraging people to report harmful messages to us so we can see the contents, respond swiftly and make referrals to the authorities. As we roll out this technology, we’re taking our time to get it right and are working with outside experts and law enforcement to help keep people safe online,” she added.

Online Safety Bill

Jim Killock, executive director from Open Rights Group, claimed that the campaign may be designed to “soften up” public opinion prior to amendments to the Online Safety Bill currently going through Parliament. “If the government weakens encryption, it will only help predators, criminals, blackmailers, and scammers,” he said.

Section 4 of the draft Online Safety Bill gives the communications regulator Ofcom powers to issue “technology notices” that require social media companies to install “accredited equipment” to identify child abuse and terrorist content.

That could include software to identify and categorise images and text or to compare the content of messages to the hashes of known images logged on the Home Office’s Child Abuse Image Database (CAID) and other databases before they are encrypted.

This will mean that encryption will either be disabled or the technology companies will create some kind of “backdoor” that will leave those users vulnerable to fraud, scams and invasions of privacy, the ORG argued.

The government also has powers to issue secret orders to force social media companies to install a “permanent capability” for the intelligence services and law enforcement to remotely access the contents of messages.

Technical capability notices (TCNs), which were introduced under the Investigatory Powers Act 2016, give the government powers to order companies to break their encryption or to introduce government-designed malware. Employees face a maximum sentence of five years in jail if they disclose the existence or content of such an order.

Tech companies should ‘take responsibility’

A Home Office spokesperson said that technology companies must take responsibility for tackling the most serious illegal content on their platforms and for protecting their users.

“The UK government supports encryption and believes that end-to-end encryption can be implemented responsibly in a way which is consistent with public safety,” the spokesperson said.

The Home Office has offered a prize to companies that can implement end-to-end encryption “without opening the door to greater levels of child sexual abuse” through its Safety Tech Challenge.

Ciaran Martin, founder and former CEO of GCHQ’s National Cyber Security Centre, and now a professor at the University of Oxford, said in a lecture at the Bingham Centre for the Rule of Law in November that he was sceptical of the project’s chances of success.  

“The government has some way to go to convince people that it has not just launched a competition to develop the digital age equivalent of alchemy,” he said.