Andreas Prott - stock.adobe.com
Home secretary Suella Braverman is stepping up pressure on Meta over its plans to roll out end-to-end encrypted message services on Facebook and Instagram.
The government claims that plans by the social media company to introduce encrypted messaging services will have a “catastrophic impact” on the ability of police to detect and prosecute child sexual abuse.
Braverman is challenging Meta to “urgently commit” to using technology to introduce safety measures to protect children from sexual abuse or to abandon its planned roll-out of end-to-end encrypted (E2EE) messaging services.
The home secretary’s campaign is backed by charities, including the NSPCC, the Marie Collins Foundation and the Internet Watch Foundation.
“Meta has failed to provide assurances that they will keep their platforms safe from sickening abusers. They must develop appropriate safeguards to sit alongside their plans for end-to-end encryption,” said Braverman. “I have been clear time and time again, I am not willing to compromise on child safety.”
Tech firms claim Online Safety Bill will undermine encryption
Braverman’s intervention comes as the controversial Online Safety Bill, which gives communications regulator Ofcom powers to require encrypted messaging providers to install “accredited technology” to scan messages for illegal content, was passed into law.
Technology companies and civil society groups argue that the new powers will introduce weaknesses that undermine encryption and could be exploited by hackers and rogue nation states.
Companies that offer encrypted messaging and email, including Proton, Signal and Element, have threatened to pull out of the UK if the plans are enacted.
James Babbage, NCA
Meta has announced plans to move its Facebook and Instagram messaging services to end-to-end encryption by the end of this year.
The National Crime Agency (NCA) said that if Meta proceeds with its plans to introduce encryption, the loss of criminal referrals from Facebook Messenger and Instagram Direct services could mean that thousands of criminals could go undetected.
NCA director general James Babbage said Meta has supported law enforcement by referring instances of sexual abuse to the authorities.
“However, if Meta implements end-to-end encryption as planned, it will make their platforms less safe for children and massively reduce our collective ability to protect them,” he said. “We are not asking for new or additional law enforcement access, we simply ask that Meta retains the ability to keep working with us to identify and help prevent abuse. This collaboration remains absolutely vital.”
No evidence of how Meta will protect children
The home secretary’s intervention came after she raised concerns with Meta in a joint letter with child safety experts, law enforcement, survivors and child safety charities in July 2023.
In the letter, Braverman asked Meta for detailed evidence of how it would be able to protect child safety if it encrypted its messaging services. According to the Home Office, Meta was unable to provide the evidence asked for, raising concerns that Meta does not have robust plans in place to protect the safety of children.
Braverman is urging Meta to use its “technological prowess” to develop systems capable of detecting child abuse material in its encrypted messaging services while still maintaining “the utmost privacy for users”.
The government-funded campaign No Place To Hide released letters and videos written and presented by abuse survivors to the founder of Meta, Mark Zuckerberg, calling on him to rethink Meta’s plans to extend its use of encrypted messaging.
In a video released today, abuse survivor Rhiannon-Faye McDonald, who was abused and blackmailed by someone she met online aged 13, asks Zuckerberg not to put children’s safety at risk by going ahead with end-to-end encryption.
“As a survivor of child sex abuse, I more than anyone want to know that my privacy is protected. I am also not opposed to E2EE in principle, as long as there are safeguards which mean it does not harm children and put them at risk,” she says.
Measures in the Online Safety Bill, under Section 122, known as the “spy clause”, will allow the regulator Ofcom to require technology companies to introduce “accredited” technology to scan encrypted messages and data for illegal content.
The proposals have alarmed encrypted email and message providers, including Signal, Element and Proton, which have threatened to withdraw their services from the UK if Ofcom enacts its powers.
They have raised concerns, along with cryptographers, academics and civil society groups, that the plans will weaken encryption and introduce security vulnerabilities that could be exploited by hackers, hostile nation states or abusers.
Meta denies home office claims
Meta said that contrary to the home office claims it had provided the government with detailed evidence about safety measures for its encrypted messaging services in July.
“The overwhelming majority of Brits already rely on apps that use encryption to keep them safe from hackers, fraudsters and criminals. We don’t think people want us reading their private messages so have spent the last five years developing robust safety measures to prevent, detect and combat abuse while maintaining online security," a spokesperson said.
Meta's safety measures, published in a report today, include, restricting people over 19 from messaging teens who don’t follow them and using technology to identify and take action against malicious behaviour.
"As we roll out end-to-end encryption, we expect to continue providing more reports to law enforcement than our peers due to our industry leading work on keeping people safe,” the spokesperson said.
Preserving privacy while detecting illegal content
During the passage of the Online Safety Bill in the House of Lords, junior minister Stephen Parkinson said regulators would not use powers in the bill to require tech companies to scan encrypted messages until it was “technically feasible” to do so.
Police and government officials argue that Meta has the resources and the expertise to develop technology that can both maintain privacy and detect child sexual abuse, but claim it has not been willing to engage on the topic.
The government has funded proof-of-concept technologies through its Safety Tech Challenge Fund, which aims to find ways to preserve privacy while detecting illegal material.
One of these technologies is SafetoWatch software, which runs on a phone or computer and uses machine learning which it claims can identify previously unknown child sexual abuse content in real time to prevent it being seen or recorded.
Susie Hargreaves, Internet Watch Foundation
The company that developed the technology, SafetoNet, has been able to embed it in the operating system of an Android phone and claims to detect and block abuse images after they arrive from an encrypted message service or before they are sent.
Another technology being put forward is client-side scanning, which relies on software installed on a mobile phone or a computer to scan messages for known abuse images. Government experts argue that similar technology is already used by Microsoft and Apple to check the security of their customers’ passwords by comparing them with lists of known leaked passwords without the password leaving the device.
Another technology, known as Secure Multiparty Computing, also makes it possible to run calculations to compare an image on a phone with a list of known bad images without the image leaving the phone, according to government experts.
Home Office experts believe Facebook and Instagram pose a particular threat to children because they allow abusers to search for and contact potential victims. Although Facebook makes the accounts of children under 16 private by default, third-party services make it possible for people to locate account holders under 16.
The Home Office estimates that 14 million reports of potential child abuse could be lost if Meta goes ahead with its plans, significantly increasing the risk of child exploitation or other serious harm.
Susie Hargreaves, chief executive of the Internet Watch Foundation, said there was a danger of “switching off the lights” on child sexual abuse if Meta went ahead. “We urge companies looking to introduce end-to-end encryption to their services to think carefully about the impact on younger, vulnerable users, and to build in the safety features we’d expect in other areas of our lives,” she added.
Peter Wanless, chief executive of the NSPCC, said abusers attempt to move people from open platforms to encrypted services. “We hear from Childline and survivors how offenders actively move children they have targeted on open platforms to end-to-end encrypted services to groom and ultimately abuse them,” he said. “Victims say this amounts to their privacy and safety rights being eroded.”
Read more about the debate on end-to-end encryption (E2EE)
- Technology companies say reassurances by government ministers that they have no intention of weakening end-to-end encrypted communication services do not go far enough.
- BCS, The Chartered Institute for IT, argues the government is seeking a technical fix to terrorism and child abuse without understanding the risks and implications.
- Government boosts protection for encryption in Online Safety Bill but civil society groups remain concerned.
- CEO of encrypted messaging service Element says Online Safety Bill could pose a risk to the encrypted comms systems used by Ukraine.
- Tech companies and NGOs urge rewrite of Online Safety Bill to protect encrypted comms.
- Protecting children by scanning encrypted messages is ‘magical thinking’, says Cambridge professor.
- Proposals for scanning encrypted messages should be cut from Online Safety Bill, say researchers.
- GCHQ experts back scanning of encrypted phone messages to fight child abuse.
- Tech companies face pressure over end-to-end encryption in Online Safety Bill.
- EU plans to police child abuse raise fresh fears over encryption and privacy rights.
- IT professionals wary of government campaign to limit end-to-end encryption.
- John Carr, a child safety campaigner backing a government-funded campaign on the dangers of end-to-end encryption to children, says tech companies have no choice but to act.
- Information commissioner criticises government-backed campaign to delay end-to-end encryption.
- Government puts Facebook under pressure to stop end-to-end encryption over child abuse risk.
- Former UK cyber security chief says UK government must explain how it can access encrypted communications without damaging cyber security and weakening privacy.
- Barnardo’s and other charities begin a government-backed PR campaign to warn of dangers end-to-end encryption poses to child safety. The campaign has been criticised as ‘one-sided’.
- Apple’s plan to automatically scan photos to detect child abuse would unduly risk the privacy and security of law-abiding citizens and could open up the way to surveillance, say cryptographic experts.
- Firms working on UK government’s Safety Tech Challenge suggest scanning content before encryption will help prevent the spread of child sexual abuse material – but privacy concerns remain.
- Private messaging is the front line of abuse, yet E2EE in its current form risks engineering away the ability of firms to detect and disrupt it where it is most prevalent, claims NSPCC.
- Proposals by European Commission to search for illegal material could mean the end of private messaging and emails, says MEP.
Read more on Regulatory compliance and standard requirements
Tech firms cite risk to end-to-end encryption as Online Safety Bill gets royal assent
Parliament passes sweeping Online Safety Bill but tech companies still concerned over encryption
UK minister fails to reassure tech companies over encryption risk
IT experts issue new warnings over Online Safety Bill plans to weaken end-to-end encryption