Should encryption be curbed to combat child abuse?
For nine years, Chris Hughes has fought a battle very few people ever see.
He oversees a team of 21 analysts in Cambridge who locate, identify and remove child sexual abuse material (CSAM) from the internet.
The Internet Watch Foundation (IWF) is funded by the global tech industry.
It manually reviews online reports of suspected criminal content sent in by the public. Mr Hughes sees upsetting material every day.
When content is verified, analysts create unique “digital fingerprints” of each photo or video, then send it to law enforcement and tech firms. They also search for material online.
Occasionally, there are harrowing situations in which analysts race to track down victims from live-streamed video.
Reports jumped during the pandemic, he says: “Over the recent May bank holiday weekend, we had more than 2,000 reports.”
In 2020, IWF received 300,000 reports and 153,000 were verified to be new CSAM content.
Police say more child predators can now be found on messaging apps, rather than on the dark web. Many don’t even encrypt their web traffic.
Many authorities are concerned that Facebook wants to introduce end-to-end encryption on messages sent over Messenger and Instagram Direct.
End-to-end encryption is a privacy feature that makes it impossible for anyone except the sender and recipient to read messages sent online.
Authorities are concerned, saying this will make it much harder to apprehend suspects and detect child predators.
Facebook says using such technology will protect users’ privacy.
But the US, UK and Australia have repeatedly objected to the idea since 2019, saying it will jeopardise work to combat child abuse.
Australia has also demanded the tech industry hand over public encryption keys – backdoors to their networks – to authorities. Firms, both abroad and in Australia, refused.
Enabling backdoors would be bad, says Jenny Afia, head of Schillings’ legal team: “Any legally-enforced weakening of the encryption algorithm, or vulnerability placed within the software…would potentially allow criminals to exploit [it].
“It is worth bearing in mind that having end-to-end encryption in place has already prevented a lot of crime.”
Netsweeper in Canada catalogues the internet to help schools and internet service providers block harmful content.
It sees a quarter of the world’s internet traffic and is in 37% of British schools, scanning 100 million new URLs daily. Up to 300 URLs are reported to IWF daily.
“To date, governments have left the large tech companies alone – probably because they didn’t understand them as much as they do now,” says Netsweeper’s chief executive Perry Roach.
“But if we don’t enable law enforcement with sophisticated tools, it will allow criminals, scammers, paedophiles and terrorists to move across the internet undetected.”
Software engineer Brian Bason founded US firm Bark after giving his sons their first mobile phones.
Bark uses AI neural networks to analyse text messages and social media in milliseconds for bullying, online predation, child abuse, signs of depression and suicidal ideas.
Children have to agree to hand over their login credentials, but only relevant sections of messages are sent in alerts to parents and schools.
Bark has informed the FBI of nearly a thousand child predators over the last five years.
“The reality is end-to-end encryption will drastically reduce the amount of CSAM material reported to authorities,” Mr Bason tells the BBC. “To me, the trade-off is not worth it.”
Perhaps these firms disagree because their business models rely on having unfettered access to data pipelines.
However, former UK and US intelligence agency staff tell the BBC there are other successful methods investigators can use if end-to-end encryption is introduced, like phishing, where users are tricked into visiting fake websites and handing over login credentials.
Internet giants should use machine learning to detect child predator behaviour on the device or server, they add, which wouldn’t break encryption, as it occurs only after the message has been decrypted.
Thorn, a US foundation that develops software to combat child exploitation, identifies eight child victims and 215 pieces of child abuse material per day.
Sarah Gardner, VP of external affairs at Thorn, suggests using “homomorphic encryption” – a form of encryption that lets users perform computations on encrypted data, without first decrypting it.
Another option would be to invest in better solutions, she adds.
Edinburgh-based Cyan Forensics, which uses statistical sampling to scan suspects’ devices for CSAM in just 10 minutes, agrees.
“End-to-end encryption is here already and it’s neither good nor bad,” says Cyan Forensics’ co-founder and chief executive Ian Stevenson.
“However, there is a dire need for broader protocols to ensure the safety of children online.”
Former detective constable Alan McConnell, who worked on more than a hundred child sex abuse cases, left Police Scotland to teach Cyan about the problems the police face.
As a result of his work, a major UK police force used Cyan’s software to detect CSAM on an ex-offender’s computer in March. The individual was found to have surreptitiously installed cameras at a club used by children.
However, a senior German prosecutor says his biggest problem is getting tech firms to play ball.
“We’re addressing all the big tech firms – please help us,” says Markus Hartmann, director of North Rhine-Westphalia’s central cybercrime department.
“You hear they have these big teams fighting digital crimes, and I wonder, why don’t they file any complaints with law enforcement?”
His unit recently busted a child pornography ring, charging 65 suspects and rescuing a 13-year-old child.
They were aided by Microsoft, which scanned its database of Skype users to locate the suspects’ IP addresses.
Mr Hartmann is surprisingly in favour of encryption.
“If you break encryption, put in backdoors or ban it, then you’re doing more harm than good… and I doubt the guys we are really going after will not be able to get around it,” he says.
“Even as a prosecutor, I could set up my own end-to-end encrypted network in two days, routed through public libraries.”
Source: BBC