Each day we use services that rely on the safety, security and privacy offered by encryption — our bank accounts, passports and online purchases (with reputable businesses) all use a type of encryption to protect personal and private data. Doctors send personal medical files to other practitioners, encrypted. Business owners buy encryption software to help safeguard valuable customer information and to transfer sensitive files. Often without us noticing, our personal and work lives are supported by this technology.
To date, the legal use of encryption has been ostensibly positive. But encryption has a long history of being used to hide illegal activity including fraud, data theft and child sexual abuse. In 2020, encryption is a controversial issue in online safety, as its latest iteration, end-to-end encryption (E2EE), has stormed to the fore.
The risks can’t be ignored
End-to-end encryption (E2EE) is a method of secure communication that allows only the people communicating with each other to read the messages, images or files being exchanged.
Popular examples of interactive services that use E2EE are WhatsApp, Signal, Skype and Telegram — all cross-platform messaging and VoIP voice call services.
Encryption in its modern form has been used for more than 40 years, primarily to keep data and transactions secure and to prevent data breaches and hacking. It allows legitimate, positive and safe communication where this may not otherwise be possible.
However there are significant risks:
- Encryption can result in serious harms by hiding or exacerbating criminal activities, including online child sexual abuse. Technologies that detect illegal material by proactively scanning, monitoring and filtering user content currently do not work on systems that use E2EE. Because of this, E2EE can facilitate the production, exchange and proliferation of this material, perpetuating the abuse and exposing survivors to ongoing trauma.
- There is currently a drift towards E2EE by major social media platforms. If rolled out, this will make investigations into serious online child sexual abuse significantly more difficult. It will create digital hiding places and platforms may claim they are absolved of responsibility for safety, because they cannot act on what they cannot see.
- Notably, E2EE is just one type of encryption and others have different capabilities and applications, but none are foolproof. How online services and platforms use encryption is not transparent, so it is not clear what proactive and preventative steps can and should be taken to safeguard and protect users.
Global calls for change
For the broad range of organisations working in technology and online safety, E2EE is probably one of the hottest topics under debate. It is adding to the worldwide calls for significant changes in how the digital world is governed and regulated.
In the United States last week, Attorney General William P. Barr flagged that it may be time for sweeping changes to Section 230 of federal law — which for many has long spared tech companies from liability for content posted by their users. Under consideration is whether the ‘safeguards that helped to incubate the internet have become hindrances, preventing law enforcement and aggrieved users from obtaining justice when people are harmed’.
In addition, the National Centre for Missing and Exploited Children issued a plea in an open letter, calling on the technology industry across the globe to find solutions that enhance consumer privacy while prioritising child safety.
At home in Australia, Detective Inspector Jon Rouse of the Australian Centre to Combat Child Exploitation (ACCCE) and I penned an op-ed for the Australian in August of last year as a siren call for what this might mean in our collective fight to stem the tide of child online exploitation. Our federal government has undertaken a broad review of legislation, consulting on a proposed Online Safety Act.
This is a significant and tumultuous time, one in which the many and varied voices in this space will need to be heard and approaches debated, in order to reach an effective, balanced approach that best meets the needs of users, industry and governments.
At eSafety we recognise that E2EE needs detailed consideration to minimise the potential for harm across communication channels, and to ensure there is a balance between security, privacy and safety. That balance is the key.
We know there are a number of solutions that would ensure illegal activity online can be addressed, without weakening encryption and still allowing lawful access to information needed in serious criminal investigations.
- using certain types of encryption that allow proactive tools to function
- implementing proactive detection tools at transmission, rather than on receipt
- moving AI and proactive technical tools to the device level.
We call on industry to:
- commit to, and focus on, detecting illegal content through greater investment in suitable and robust approaches to encryption
- build in these protections from the design stage, instead of retrofitting them once harm has been done — Safety by Design
- provide greater transparency before further encryption is introduced, including information about how services will manage risks and fight against illegal content online.
Overall, we recognise that solutions need to be multi-faceted and require true collaboration between industry, government and the general public to be effective.
While there is much to be done, the raging debates are a positive sign of movement toward settling well-considered, balanced outcomes.
Updates will be published when available.