(C) Alec Muffett's DropSafe blog.
Author Name: Alec Muffett
This story was originally published on allecmuffett.com. [1]
License: CC-BY-SA 3.0.[2]


End-to-End Encryption and Client-Side Scanning: Notes for @CameronWilson of Crikey magazine; relevant also to #OnlineSafetyBill

2023-07-04 11:53:26+00:00

Cam Wilson messaged me asking for some commentary on regulation proposals in Australia; this text is what I sent; 2+ articles have been written since, but they are all paywalled

I worked on internet security & privacy for over 30 years, and now I’ve chucked work to raise a family, so with a 2yo daughter to look out for I feel well-qualified to have an opinion.

If you look at (e.g.) US statistics of child abuse, more than 90% of it comes from within the victim’s centre of trust: family, neighbours, school, church, directly acquainted, etc. See: https://www.nationalcac.org/wp-content/uploads/2018/02/CSA-Perpetrators.pdf via: https://www.childwelfare.gov/topics/can/people/

…but the issue of child abuse has been latched onto by politicians who want to be seen as”tough”, so they are diverting attention, funding, and public debate towards “tech” as being the problem to solve. This is quicker and cheaper than attempting to address the actual societal problems of abuse, and it is doomed to fail — so (a) they avoid having to attempt something (“fixing society”) that is hard, complex and expensive, so when it fails (b) they can reuse the excuse to do something else… like crack down even further upon privacy.

This is doubly regrettable because if they invested in teaching people how to identify abuse, how to avoid being caught up in abuse, how to report abuse, how to identify gradually falling for grooming and sextortion and phishing and scams — treating the problem as a public health issue like skin cancer or drug abuse — then that would cut the problem off at the knees; but instead their approach guarantees it will flourish enough that they can try to “treat” it by demanding surveillance capabilities and inhibiting communication.

To bolster their argument for surveillance they cite huge numbers of “reports” of abuse imagery, in the process entirely (and understandably) failing to note that somewhere between 70% and 97% of the reported images are non-malicious or stale duplicates — images which are offensive to share, and which are likely to hurt the victims by still being in circulation, but which do not represent a child at active risk. More on this, at https://alecmuffett.com/article/15902

So we’ve got pols who want to be seen to be “tough” and to “protect children” and they are approaching this by ignoring 90% of the problem, avoiding teaching the people, and focusing instead on “tech” because it’s a populist win, and their proposed solution is to put CCTV-like spyware into everyone’s phones, ripe to be repurposed to state surveillance in the near future. Why do this? Because of their fear of the “Going Dark” problem:

They have had wiretap capability for ~100 years now, and they can’t face permitting people to ever have a conversation over a distance without the ability to listen in. Historically phonecalls are (or: were) ephemeral, and phone wiretaps were ripe for (and frequently) abused; but WhatsApp (and other) conversations are long-lived and may be mined for years after the fact — so it’s better that the ability to read messenger conversations is shrink-wrapped down to the actual recipients and nobody else, simply to reduce the scope for data theft. This is what end-to-end encryption (E2EE) provides, and having somewhat accepted that E2EE is inevitable, they now want instead to place wiretaps directly in people’s phones. Hence “client side scanning”, CSS.

The European Council is also pursuing client-side scanning, and even their own legal team says that the EU proposal for CSS is disproportionate and breaks human rights; see screenshots and thread of the analysis at: https://twitter.com/AlecMuffett/status/1655593946687365121 [if you read nothing else, read the PDF at https://aeur.eu/f/6ql]

To answer your direct question: no countries (excepting China, but few liberal democracies want to overtly use China as an exemplar) have mandated CSS, and frankly they are all looking at each other, waiting for one to take the totalitarian plunge into the pool of general surveillance so that they have someone to point at and say “they are leading the way!” which somehow will make it okay to surveil people and infringe human rights.

Also: exactly how messy this kind of surveillance would become, is only just beginning to become apparent:

the two (more?) people in the USA who have permanently lost access to Google because they shared images of their naked kids with doctors

this (archived) Reddit thread, of parents dealing with kids using selfies the same way that previous generations use mirrors

And here’s the latest report from the IWF, the UK’s agency for dealing with child abuse imagery: https://annualreport2022.iwf.org.uk/trends-and-data/reports-analysis/ — it’s interesting to note stuff like:

So what we’ve got is a big bump in CSAM report numbers, intentionally inflated with reports from the public containing duplicates and non-illegal content, where the actual substantial growth in illegal content is self-generated imagery which may of course horrifically include “grooming” but there’s likely a huge and unrecognised portion attributable to kids unwisely goofing around with cameras and not thinking-through the consequences… and somehow this is all a “tech” issue which will be solved with “more surveillance”.

I don’t think that argument stands up against “helping kids make wiser choices for their own long-term health”; and re: my kid: I want her to grow up in a world where she has robust online privacy, free from state surveillance, i.e. that privacy which CSS would be denying her.

So I will be teaching her how to keep safe and also how to keep conversations private, because clearly the state will not be doing that.
[END]

[1] URL: https://alecmuffett.com/article/80274
[2] URL: https://creativecommons.org/licenses/by-sa/3.0/

DropSafe Blog via Magical.Fish Gopher News Feeds:
gopher://magical.fish/1/feeds/news/alecmuffett/

You are viewing proxied material from magical.fish. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.