alexskopje - stock.adobe.com

ICO criticises government-backed campaign to delay end-to-end encryption

Data protection watchdog warns that delaying end-to-end encryption will put children at risk

This article can also be found in the Premium Editorial Download: Computer Weekly: How Ocado pushes technological boundaries

The Information Commissioner’s Office (ICO) has stepped into the debate over end-to-end encryption (E2EE), warning that delaying its introduction leaves everyone at risk – including children.

The privacy watchdog said end-to-end encryption plays an important role in safeguarding privacy and online safety, protecting children from abusers, and is crucial for business services.

The intervention follows the launch of a government-funded campaign this week that warns that social media companies are “blinding themselves” to child sexual abuse by introducing end-to-end encrypted messaging services.

Stephen Bonner, the ICO’s executive director of innovation, said the discussion on end-to-end encryption had become too unbalanced, with too much focus on the costs, without weighing up the significant benefits it offers.

“E2EE serves an important role both in safeguarding our privacy and online safety,” he said. “It strengthens children’s online safety by not allowing criminals and abusers to send them harmful content.

“It is also crucial for businesses, enabling them to share information securely and fosters consumer confidence in digital services.”

Campaign aims to delay encryption

The ICO’s intervention follows the launch of a government-funded campaign, No Place to Hide, fronted by Barnardo’s and other charities.

The campaign calls on tech company bosses to make a public commitment to delay their deployment of E2EE until they have the technology to ensure that any changes do not make it easier for child sex abusers to commit crime and avoid detection.

A video promoted by the campaign this week shows a child sex abuser contacting a child using an encrypted messaging service and asking for photographs.

The video warns parents that 14 million reports of child abuse could be lost if some social media companies – a thinly disguised reference to Facebook – go ahead with plans to introduce encryption on messaging services.

ICO: Police don’t need access to encrypted content

However, the ICO, which Computer Weekly understands has not been consulted on the campaign, criticised claims that end-to-end encryption would leave law enforcement in the dark.

“E2EE is seen by some to hinder the clampdown on child abusers because it leaves law enforcers blind to harmful content,” said Bonner. “But having access to encrypted content is not the only way to catch abusers.”

Law enforcement agencies use other methods, such as listening to reports from people targeted by abusers, infiltrating groups planning offences and using evidence seized from convicted abusers to identify other offenders, he said.

A range of technologies are available that could be used to prevent abuse and to catch offenders without having to read the content of messages, said Bonner. “As an example, platforms are listening to teenagers’ reports and limiting search results for anyone attempting unwanted contact.”

NCA: Encryption could ‘blind’ law enforcement

The Home Office did not want to respond to the ICO’s comments, but referred to an op-ed written by Home Office minister Damian Hinds in The Times, which argues that “end-to-end encryption can be implemented in a responsible way which is consistent with public safety”.

The article refers to the case of Abdul Elahi, who videoed children he had blackmailed into committing abusive acts. “A fundamental part of his tactics was to move victims onto encrypted services,” wrote Hinds.

The minister argued that plans by Meta – the company that owns Facebook – to roll out end-to-end encryption across Facebook Messenger and Instagram would lead to the loss of almost 14 million reports of suspected child abuse worldwide.

“While we are supportive of encryption, clearly it is not acceptable to lose this intelligence,” he wrote. “There is a risk that end-to-end encryption without the right safety capabilities blinds companies and law enforcement, taking us backwards. Neither this government, nor society as a whole, could accept that.”

Responding to the ICO’s intervention, Rob Jones, a director general at the National Crime Agency (NCA), said the agency had made over 500 arrests and safeguarded more than 650 children a month as a result of industry reports.

“That would become much more challenging under E2EE,” he said.

Any move to end-to-end encryption needs to include measures to protect children and to identify abuse, said Jones. “Any move to E2EE without this capability risks turning the lights out for law enforcement worldwide,” he added.

Delaying E2EE puts children at risk

The ICO’s Bonner said the government should put effort into law enforcement and in developing innovative techniques to detect abuse in encrypted communications.

This includes through the Home Office’s Safety Tech Challenge, which seeks to encourage companies to develop technologies to detect abuse images in messages before they are encrypted.

“Until we look properly at the consequences, it is hard to see any case for reconsidering the use of E2EE – delaying its use leaves everyone at risk, including children,” he said.

Read about the increasingly politicised debate on end-to-end encryption

Read more on Hackers and cybercrime prevention

CIO
Security
Networking
Data Center
Data Management
Close