Government puts Facebook under pressure to stop end-to-end encryption over child abuse risks
Facebook faces growing government pressure to abandon its plans to offer users end-to-end encryption to secure the privacy of their messages as the NSPCC raises concerns about child protection
Home secretary Priti Patel will use a conference organised by the National Society for the Prevention of Cruelty to Children (NSPCC) today to warn that end-to-end encryption will severely erode the ability of tech companies to police illegal content, including child abuse and terrorism.
The home secretary’s intervention is the latest salvo in a long-running battle by ministers and the intelligence services against the growth of end-to-end encryption.
Speaking at a roundtable organised by the NSPCC to discuss the “next steps to securing child protection within end-to-end encryption”, Patel will warn that end-to-end encryption could deprive law enforcement of millions of reports of activities that could put children at risk.
“Sadly, at a time when we need to be taking more action, Facebook is pursuing end-to-end encryption plans that place the good work and progress achieved so far in jeopardy,” she is expected to say.
“The offending will continue, the images of children being abused will proliferate – but the company intends to blind itself to this problem through end-to-end encryption which prevents all access to messaging content.”
The Home Office estimates that 12 million reports of potential child abuse could be lost if Facebook introduces end-to-end encryption on Facebook Messenger and Instagram, significantly increasing the risk of child exploitation or other serious harm.
The NSPCC will present research at the event – which will be attended by child protection, civil society and law enforcement experts from the UK, US, Canada, Ireland and Australia – to show that more than half of UK adults believe the ability to detect child abuse images is more important than the protection of privacy.
End-to-end encryption is widely used by internet messaging services such as Signal, Telegram, email services including Protonmail and mailbox.org, and Facebook’s own WhatsApp messaging service, to protect the privacy of personal data and messages.
Encryption poses threat to detection of child abuse
A report published by the NSPCC today, based on research from PA Consulting, argues that tech companies have prioritised the privacy of adults over their duty of care to children.
The NSPCC’s chief executive, Peter Wanless, argues that end-to-end encryption could “render useless” the technology used by social media companies to identify child abuse images and to detect grooming and sexual abuse in private messages.
“Private messaging is at the front line of child sexual abuse, but the current debate around end-to-end encryption risks leaving children unprotected where there is most harm,” he said.
Facebook’s proposals for end-to-end encryption are particularly high risk, the NSPCC says, because groomers can exploit the platform to contact children in large numbers and can groom and coerce them into sending images on encrypted chats and video calls.
“We need a coordinated response across society, but ultimately government must be a guardrail that protects child users if tech companies choose to put them at risk with dangerous design choices,” said Wanless.
Weakening encryption will put people at risk of crime
There is widespread concern that any attempt to weaken end-to-end encryption, for example by adding government-accessible “backdoors”, will damage the safety and security of ordinary people who are not suspected of any crime.
How technology can reduce risks of end-to-end encryption
Device solutions
Mobile phones or computers can be fitted with software that creates a digital signature of images and compares them against the signatures of harmful content stored in a database on the device before it is encrypted. The technology could be incorporated into operating systems. It is not clear how feasible updating the database would be. There are risks of users reverse-engineering or subverting the detection tools.
Server solutions
Software sends both the hashed signature of a user’s message and the encrypted message to a server. The server checks the hashed signature against a database of illegal images before releasing the encrypted message.
Server backdoor
A “backdoor” allows service providers or government bodies access to a server to decrypt and assess the content of specific communications. The method creates a vulnerable access point that malicious hackers could exploit, while reducing privacy.
Secure cloud
Technology companies could create a “secure enclave” on the cloud that can decrypt communications and check the content before re-encrypting it. It offers an equivalent level of privacy to end-to-end encryption unless the service is compromised.
Homomorphic encryption
An advanced technology known as homomorphic encryption allows calculations to be performed on encrypted data without decrypting it first. It is possible to create a hash signature of the images and match them with hashes of images on a service as the message is transmitted. The technology is currently too slow to be used practically.
Safety by design
Governments have been urging technology companies to develop services that prioritise the protection of children. One example is the social media company Tik Tok, which has removed access to messaging for under 16’s and blocks users from sending direct messages containing photographs or videos.
Source: End-to-end encryption – understanding the impacts for child safety online report by NSPCC based on research by PA Consulting.
End-to-end encryption has an important role in protecting financial transactions, helping people to avoid scams or blackmail, and allowing people to discuss their sexuality or religious beliefs in private.
Jim Killock, executive director of the Open Rights Group, which campaigns for privacy and free speech online, said restricting end-to-end encryption would expose ordinary people to greater risks on the internet.
“Everyday encryption isn’t just about privacy, it’s about your basic security. It’s about avoiding scams, avoiding blackmail, being able to use these products for financial transactions or business transactions,” he told Computer Weekly.
“It’s about being able to worry less about abusive partners, protecting people from domestic abuse,” he said. “Or being able to use communication services to explore their sexuality, their religious beliefs or any other number of things in a private space, securely, without risk.”
Facebook said end-to-end encryption protected people from having their private information misused.
“End-to-end encryption is already the leading security technology used by many services to keep people safe from having their private information hacked and stolen. Its full roll-out on our messaging services is a long-term project and we are building strong safety measures into our plans,” a spokesman said.
Facebook removes profiles, pages and Instagram groups that share sexualised images of children or contain inappropriate comments. In 2019, Facebook’s WhatsApp encrypted messaging service removed around 250,000 suspect profiles.
The company began experiments this year with pop-up alerts to warn people who type in search terms associated with child exploitation or who share viral child exploitative content.
Patel will say Facebook’s removal of accounts does not go anywhere near far enough.
Online Safety Bill requires companies to take action
The NPSCC will argue at the meeting that the debate about end-to-end encryption should not be “an either-or argument skewed in favour of adult privacy” rather than the safety and privacy rights of children.
Wanless said the focus should be on the impact of end-to-end encryption on the ability of tech firms to detect and disrupt abuse at an early stage, rather than the ability of law enforcement to access communications.
The charity’s concerns have won ready backing from government ministers who have tacitly threatened sanctions against Facebook if it fails to address child abuse on its platforms.
The government announced in March plans to introduce an Online Safety Bill which will impose a statutory “duty of care” on social media companies.
The communications regulator Ofcom will have powers to fine companies up to £18m, or 10% of their global turnover, if they fail to take action against communications used for terrorism, the sale of drugs and weapons, and child sexual abuse.
There is nothing in the government’s interim codes of practice that explicitly bans encryption, however ministers argue having end-to-end encryption will not exempt tech companies such as Facebook from having a duty of care towards children.
Ofcom will also be able to order tech companies to implement technical fixes if there is no other practical way to solve the problem.
Investigatory Powers Bill allows backdoors
In March, culture secretary Oliver Dowden told a press briefing that the government was working with Facebook to resolve the issue, but was keeping “all options on the table”, including new legislation.
The government has powers to issues secret orders to the company that will force it to install a “permanent capability” for the intelligence services and law enforcement to remotely access messages sent on Facebook Messenger.
Technical capability notices (TCNs), which were introduced under the Investigatory Powers Act 2016, give the government powers to order companies to break their encryption, or introduce government-designed malware. Employees face a maximum sentence of five years in jail if they disclose the existence or content of such an order.
The Open Rights Group’s Killock said it would be possible for the government to issue TCNs against Facebook that would prevent it from offering end to end encryption for UK users.
The order could require, for example, Facebook to negotiate with the government before making any changes to Facebook Messenger that would make it harder for the state to read messages on the platform.
“That could all happen in secret. There’s no reason for any public disclosure. Facebook would have no choice but to keep those measures in place for UK users,” he said.
Lobbying by intelligence services
The intelligence community has reported a growing trend towards the use of encryption to protect communications, following the release of the Edward Snowden documents in 2013.
This has led to a decline in the proportion of electronic communications they have the ability to access, according to the 2015 review of government investigatory powers.
The UK and the US have capabilities to harvest and analyse bulk messages transmitted over the internet from submarine cables and have legal powers to obtain communications from internet and phone companies.
The home secretary has been the most vocal government minister to call for law enforcement and intelligence agencies to have access to encrypted communications offered by Facebook and other companies.
The campaign against end-to-end encryption has won ready backing from ministers and the intelligence communities of the Five Eyes nations – the UK, the US, New Zealand, Australia and Canada – along with other countries.
Statements issued in a series of communiqués over the years have focused on the impact encryption is having on the ability of the intelligence services and law enforcement agencies to police the most serious crimes of child abuse and terrorism.
However, limiting end-to-end encryption would also open up the communications of people who are suspected of no crime to harvesting and analysis by GCHQ and its US equivalent, the National Security Agency (NSA).
This has led to a polarisation in the debate between law enforcement and those who are concerned that weakening encryption will damage the safety and security of law-abiding citizens.
Ross Anderson, professor of security engineering at the University of Cambridge, said the intelligence and security agencies appear to want to collect communications traffic from people’s phones rather than from service providers and telecoms companies.
“Collection on the network is less effective now that lots of traffic is encrypted – thanks to the Snowden revelations – while collection at the server depends on either getting paperwork to target a specific user or on the service provider’s content filter throwing up something of interest,” he said.
The NSPCC said it was in the interest of technology firms to find a technical solution that allows them to continue to use technology to disrupt abuse “in an end-to-end encrypted world”.
In its report, the NSPCC puts forward technical solutions that could prevent the distribution of illegal content on social media while still preserving – at least to some degree – the privacy of users (see box: How technology can reduce risks of end-to-end encryption).
One possible solution is to use software on phones or computers to create digital signatures – or hashes – of images that people upload to messaging services and to compare them against a database of signatures of illegal content.
Anderson said there was a danger that such filters could also provide intelligence agencies with a backdoor into people’s mobile phones, allowing them to access messages, voice calls or remotely turn on a mobile phone’s microphone to listen in to a conversation.
UK leads lobby against encryption
20 January 2021: Home secretary Priti Patel meets with Facebook “to discuss Facebook encryption proposals and other relevant issues”.
3 April 2021: Facebook’s head of safety tells The Telegraph that Facebook would not encrypt its Facebook Messenger before 2022 at the earliest.
11 October 2020: Home secretary Priti Patel and US attorney general William Barr sign a statement calling for technology companies to enable law enforcement to have lawful access to content in a readable and usable format. They argue that end-to-end encryption undermines the ability of tech companies to police illegal content.
June 2020: Priti Patel warns a meeting of ministers from the Five Eyes countries that the threat of terrorism and online child abuse would increase if Facebook and similar companies continue with plans for end-to-end encryption.
4 October 2019: Home secretary Priti Patel, US attorney general William Barr and Australian minister for home affairs Peter Dutton sign an open letter to Facebook CEO Mark Zuckerberg, urging him to suspend plans for end-to-end encryption and saying Facebook should ensure that encryption does not increase the risk of harm, or prevent the lawful access to communications content.
30 July 2019: The home affairs ministers and attorneys general of the UK, US, Australia, New Zealand and Canada issue a communique calling for tech companies to provide government with lawful access to encrypted services.
6 March 2019 Facebook CEO Mark Zuckerberg announces plans for end-to-end encryption for messaging, declaring that the “future is private”.
November 2018 Ian Levy, technical director of the National Cyber Security Centre, a part of GCHQ, argued that technology companies could use “virtual crocodile clips” to allow intelligence agencies to listed to targeted encrypted communications. “You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication,” he wrote in an influential essay.
28-29 August 2018: Ministers from Australia, Canada, New Zealand, the UK and the US warn that the inability of intelligence and law enforcement to lawfully access encrypted data and communications poses challenges to law enforcement agencies.
21 February 2018: Then home secretary Amber Rudd meets with Apple to discuss encryption.
31 July 2017: Amber Rudd warns in an op-ed in The Telegraph that the inability to gain lack of access to “encrypted data is limiting the ability to stop terrorist attacks and bring criminals to justice”. She says it is not about creating “backdoors” in encryption but there were opportunities in the trade-offs tech companies make between usability and security.
23 June 2017: Then home secretary and culture secretary Karen Bradley meets with Sheryl Sandberg, chief operating officer of Facebook, to discuss progress on an industry-led forum to tackle terrorist content online, end-to-end encryption and working with law enforcement.
23 February 2015: Mike Rogers, director-general of the US National Security Agency, uses a cyber security conference to defend government plans to access data held by US technology companies, arguing that “backdoors” would not fatally compromise encryption or be harmful to privacy. Alex Stamos, Yahoo’s chief information security officer, criticises Rogers, comparing the plan to “drilling holes in a windshield”. Rogers refuses to say whether Yahoo should create backdoors for Russia and China if they created similar laws.
13 February 2015: Apple’s chief executive, Tim Cook, warns of “dire consequences” if government attempts to weaken encryption lead to the sacrifice of privacy. “We still live in a world where all people are not treated equally. Too many people do not feel free to practice their religion or express their opinion or love who they choose,” he said.
January 2015: Then prime minister David Cameron, speaking in the wake of terrorist attacks in Paris, says a future government would give Britain’s intelligence agencies legal powers to break into the encrypted communications of suspected terrorists.
16 October 2014: FBI director James Comey gives a speech at the Brookings Institute saying he’s no longer seeking a “backdoor” to encrypted systems, but rather a “frontdoor”. The proposal is widely criticised.
September 2014: Europol reports in its Internet organised crime threat assessment (IOCTA) that “law enforcement needs to be equipped with the tools and techniques necessary to address the increase in and further sophistication of encryption and anonymisation”.
Read more on Hackers and cybercrime prevention
-
Crime agency criticises Meta as European police chiefs call for curbs on end-to-end encryption
-
Parliament passes sweeping Online Safety Bill but tech companies still concerned over encryption
-
Braverman puts pressure on Meta to pause end-to-end encryption plans
-
UK minister fails to reassure tech companies over encryption risk