Cloud Hosting

Last week, a committee of lawmakers approved a draft law to advance further in the United States (US) Senate. Called the EARN IT bill, it brings in additional obligations for tech companies, which can if the law is enacted be criminally liable for child pornography on their services.

On the surface, the law makes sense. Child pornography, or child sexual abuse material (CSAM), has found avenues to exist and proliferate, first with the arrival of the internet and then with social media, and particularly, encrypted communications.

But security technologists have compared the debate around online CSAM and the evolving argument on how to combat it to false equivalences and pedophrasty. (Lebanese-American commentator Nassim Taleb describes pedophrasty as a narrative tool in which potential harms to children are cited to diminish opposing arguments by playing to human parental instincts).

This is because, at the heart of it, the solutions being advocated to combat CSAM have to do with weakening or incentivising the weakening of end-to-end encryption, the bedrock of privacy online.

End-to-end encryption, or E2EE, is what ensures the messages we send over WhatsApp are not readable by even the company that owns the application, or how secure emails can allow scientists and government officials to exchange top secret information.

The anti-encryption narrative

The child abuse threat plugs into what is now a decades-old debate around law enforcement in the digital age. When distilled, the heart of the debate boils down to a question of which is more important: privacy or safety? In recent years, several countries notably western countries and their allies have made a case for encryption to be weakened.

Five Eyes (plus India and Japan) 2020 joint statement: The most strident of these arguments was made in an October 2020 joint statement by countries that are part of the informal grouping called the Fives Eyes nations the US, the United Kingdom (UK), Canada, Australia and New Zealand with India and Japan as co-signatories. The statement disputed the criticism that weakening or tweaking end-to-end encryption will necessarily lead to risks to cyber security and privacy.

The UKs No Place to hide 2022 campaign: In January this year, the UK Home office funded a publicity blitz opposing ultra-secure messaging applications, particularly Facebooks plans to enforce E2EE on its Messenger application. Launching the campaign, a spokesperson said E2EE will amount to turning the lights off on the ability to identify child sex abusers online, the BBC reported at the time.

Indias 2021 IT Rules: In February, the government unveiled the new Information Technology rules for social media companies and online publishers. Among these was an obligation on communication services providers to allow for the identification of who sent a particular message for the first time a feature that will not be possible within the design of E2EE. The rules have since been suspended by multiple high courts, and among the first legal challenges to it came from WhatsApp, which likened the rules to effectively putting all users under a surveillance mechanism. The rules themselves followed a 2020 report by a parliamentary committee that wanted encryption to be broken in order to combat CSAM abuses.

The EARN IT act, while not explicitly attacking encryption, will in effect incentivise companies to build mechanisms that are outside of the E2EE paradigm, online advocacy groups have said, while adding that it will do little to combat the actual problem it is intended to.

Is E2EE absolutely indispensable?

To understand the role of encryption today is to revisit the events of 2013, when US National Security Agency contractor Edward Snowden blew the whistle on a planet-scale digital surveillance dragnet run by the US and the UK, which pored over all unencrypted internet traffic. This dragnet at the time allowed these countries to spy on anyone, irrespective of whether or not they were a threat, to peak into their communications as well as access their devices.

Within months, tech companies responded to begin a shift to encryption by default. The HTTPS (or a closed padlock) that you see at the top of your browser while you read this article is a direct outcome of that push. HTTPS implies your connection to the Hindustan Times website is encrypted, meaning anyone intercepting your network traffic will not be able to determine what you are reading.

Since then, E2EE has helped protect liberties and allowed essential functions like e-commerce to be carried out with better security. These are functions that are arguably improved by the current paradigm of encryption in the global internet. And experts point out that in its absence, there is a threat not just to the individual but to national security.

E2EE and CSAM rise: A tenuous connection?

In response to the No Place to Hide campaign, the UKs own data watchdog has said that encryption helps protect children more than it harms them. Stephen Bonner, the British Information Commissioners Office executive director for innovation and technology, told BBC that end-to-end encryption helped keep children safe online by not allowing "criminals and abusers to send them harmful content or access their pictures or location".

"The discussion on end-to-end encryption use is too unbalanced to make a wise and informed choice. There is too much focus on the costs without also weighing up the significant benefits," he said.

In Analysing the National Security Implications of Weakening Encryption, researchers at Indian policy thinktank Deepstrat framed the debate around E2EE not just as a matter of security versus privacy, but also one involving security versus security.

They account for the nature of modern devices and communication architectures, as well as the nature of cybersecurity threats.

Take some of the specific anti-encryption solutions to the CSAM problem that has been advocated recently. Client-side scanning, similar to what Apple attempted to do by scanning a fingerprint of images people store on their iPhones or Mac computers, will for example set the foundation for China model of surveillance, which can be theoretically tweaked to identify any content on anyones device.

Then there is the traceability requirement that India proposes. DeepStrats report identified its flaws as being fundamentally against the nature of E2EE and creating architectural vulnerabilities that can be exploited by bad actors. Another common idea, to create backdoors for law-enforcement agencies, poses a very significant risk that malicious hackers will find it and wield it, if not unaccounted state agents themselves in an abuse of power.

The risks are not merely theoretical: there is evidence and history. For example, in 2010, China-based hackers broke into Gmail, leveraging backdoors coded in to allow lawful interceptions. Prior to that, between 2004 and 2005, phones of the Greek prime minister and his aides were tapped when an unknown attacker found backdoors built by telecommunications company Ericsson to, again, allow for lawful interception.

Official misuses are bad enough, but it's the unofficial uses that worry me more. Any surveillance and control system must itself be secured. An infrastructure conducive to surveillance and control invites surveillance and control, both by the people you expect and by the people you don't, wrote security expert Bruce Schneier, in a 2020 opinion piece for CNN.

Tinkering with E2EE, thus, requires an appreciation of all that is at stake. There have been instances where tech companies have aided law enforcement in taking more offensive measures against child sex abusers, such as the revelations in 2020 when it came to light that Facebook spent money and resource to develop hacking tools to help the FBI catch a notorious abuser.

Indeed, such examples are uncomfortably few and far in between, and the threat from CSAM large. It may be time to look at the problem beyond being that of E2EE alone but of efforts by tech companies and governments alike.

In Perspective takes a deep dive into current issues, the visible and invisible factors at play, and their implications for our future

The views expressed are personal

Read more:
In Perspective | Online child safety and the dangers of false equivalence - Hindustan Times