
Mass Surveillance
The Case for Encryption
Spying on private messages has long been on the security services’ wish list. In swapping a counter-terrorism argument for one of stopping child sexual abuse material (CSAM), they’ve made headway in their mission.
If abusers can flout the law by using end-to-end encryption, it follows that this technology enables one of the most heinous crimes in society. A compelling argument in its simplicity, but is that the full story?
Out with the bath water
Simple solutions create complex problems. In breaking encryption, the security of everyone’s private messages goes down the drain. And through the hole in our cybersecurity, surveillance organisations, scammers and hackers alike can creep.
One proposition is that everyone’s private messaging apps get a surveillance patch. Every photo sent by parents will be subjected to tech that can produce false positives for CSAM. Every phone given a security weakness that opens the curtains for abusers to rear window your children and subject them to sexploitation.
The claim that you can trade privacy for crime prevention is fool’s gold. As the ICO’s Stephen Bonner remarked, encryption “strengthens children’s online safety by not allowing criminals and abusers to send them harmful content or access their pictures or location.”
Privacy is security. Now imagine cooking soup in a sieve.
What’s end-to-end encryption?
End-to-end encryption means that what you send on a messaging app appears as scrambled code while it’s in digital transit. Only the person you’re talking to has the key to decipher it on receipt. That’s all your messages, photos, videos, voice-notes, location pins and links for their eyes only.
Schrödinger’s chat
What’s client-side scanning?
Client-side scanning is software on your smartphone that algorithmically checks what you’re sending against a database of prohibited content according to approximate ‘digital fingerprints’. If the algorithm finds a match, it’ll remove or report it. Find out more in our briefing.
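To make the idea of approximate ‘digital fingerprints’ concrete, here is an added illustration (not from the original page or any real scanning product): a toy average-hash fingerprint in Python, with constructed 4×4 greyscale grids standing in for images and hypothetical names such as `scan` and `BLOCKLIST`. It shows why approximate matching catches a re-encoded copy and, for the same reason, can flag an unrelated image.

```python
# Added illustration, not a real scanner: toy "average hash" fingerprints.
# All pixel grids below are constructed sample data (4x4 greyscale, 0-255).

def average_hash(pixels):
    """Fingerprint: one bit per pixel, 1 if brighter than the image's mean."""
    flat = [p for row in pixels for p in row]
    mean = sum(flat) / len(flat)
    return "".join("1" if p > mean else "0" for p in flat)

def hamming(a, b):
    """Number of bit positions where two fingerprints differ."""
    return sum(x != y for x, y in zip(a, b))

def scan(pixels, blocklist, threshold):
    """Return the blocklist entry within `threshold` bits of the image, else None."""
    fingerprint = average_hash(pixels)
    for name, listed in blocklist.items():
        if hamming(fingerprint, listed) <= threshold:
            return name
    return None

LISTED = [[200, 200, 10, 10], [200, 200, 10, 10],
          [10, 10, 200, 200], [10, 10, 200, 200]]
# Same picture after re-encoding: every pixel value has shifted slightly.
REENCODED = [[215, 190, 25, 30], [205, 210, 20, 15],
             [30, 18, 190, 220], [22, 35, 210, 195]]
# Unrelated, lower-contrast picture that happens to share the light/dark layout.
UNRELATED = [[90, 80, 40, 35], [85, 95, 30, 45],
             [42, 38, 70, 88], [50, 33, 92, 60]]
# Picture with a clearly different layout.
DIFFERENT = [[10, 200, 10, 200], [200, 10, 200, 10],
             [10, 200, 10, 200], [200, 10, 200, 10]]

BLOCKLIST = {"listed-item": average_hash(LISTED)}  # hypothetical database

def report(threshold):
    """Scan each sample at the given tolerance and collect the verdicts."""
    samples = {"reencoded": REENCODED, "unrelated": UNRELATED, "different": DIFFERENT}
    return {name: scan(img, BLOCKLIST, threshold) for name, img in samples.items()}

if __name__ == "__main__":
    for threshold in (0, 2):
        print(threshold, report(threshold))
```

With a tolerance of 2 bits the unrelated picture is reported as a match; tightening the tolerance to 0 clears it, which is the trade-off between catching altered copies and flagging benign images.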
The Online Safety Act introduced powers for Ofcom to force private messaging providers to install monitoring technology; a measure that’s now undergoing consultation. Advocates claim that client-side scanning can at once check everybody’s messages, while somehow preserving end-to-end encryption and therefore privacy. With Schrödinger’s chat, you’ve got nothing to worry about.
The idea that this doesn’t break encryption is refuted in an open letter from 80 civil society organisations, academics and cyber experts. The letter warns that this technology would make people vulnerable to hacking – if every message is being scanned in an encrypted environment, the ‘end-to-end’ bit of that equation is compromised.
“You can’t have encryption that has a back door for only the so-called ‘good guys’ that isn’t then exploited in some ways by the bad guys.”
– Meredith Whittaker, President of Signal
The scale of the deployment means this is a 24/7 mass surveillance tool and a reckless cybersecurity hazard. Legal advice to the Council of Europe warned that message scanning is disproportionate to address CSAM and therefore could be unlawful. The proposal on the table would “apply without distinction to all the persons using that specific service, without those persons being, even indirectly, in a situation liable to give rise to criminal prosecution”. This will reset the relationship between citizen and the State to one of suspicion.
But in making the haystack bigger, will it be easier to find the needle?

A Dad Took Photos of His Naked Toddler for the Doctor. Google Flagged Him as a Criminal. Google has an automated tool to detect abusive images of children. But the system can get it wrong, and the consequences are serious.
More, more, more. How do you like it?
Put aside the consensus of experts and pretend that monitoring the private communications of an entire population doesn’t jeopardise privacy and security on a gigantic scale. You also have to pretend that the technology solves the problem it claims to address.
A research paper from GCHQ and the National Cyber Security Centre (NCSC) admits that it’s relatively easy to create “benign images that generate false positives” in message scanning software. The Swiss Federal Police have indicated that as much as 90 per cent of child sexual abuse material that is reported by automated systems is not illegal. That’s a lot of ‘benign images’ resulting in less than benign consequences for many innocent people.
“There are 10 billion text messages sent every day in Europe, which would produce one billion false alarms. Europe’s 1.6 million police officers would have to scan 625 of them every day. Such a system would be simply unworkable.”
– Ross Anderson and Sam Gilbert
This prospect of overwhelming law enforcement will likely be answered with yet more AI, as automated decision-making sweeps through the public sector. Notwithstanding the security weakness in everyone’s pocket for criminals to exploit in a new frontier of cybercrime, we’re placing hope in a solution that’ll put injustice on steroids.
In the end, as Meredith Whittaker says, “encryption is either protecting everyone or it is broken for everyone.” In the case of Podchasov v. Russia, the European Court of Human Rights ruled that when law enforcement agencies weaken encryption, it can lead to the general and indiscriminate surveillance of all users, which violates everyone’s rights to privacy.
If the remedy is worse than the disease, you have to question whether the security services are more concerned with building a mass surveillance apparatus than identifying child sexual abuse material.

– YouGov polling commissioned by Index on Censorship.
Firewall to oppression
“As a queer/trans individual it is utterly important to maintain the privacy of my communication, because the intersection of my queerness with my activism since 2011 is a golden recipe for a hyper-surveilled country such as Egypt.”
– Radwa Fouda
An open letter signed by ORG warned that at-risk people could be denied “a confidential lifeline” by undermining encrypted services, which will put them at “greater and sometimes mortal risk.” Truly private communications are vital “for victims of domestic abuse and for LGBTQ+ people in countries where they face harassment, victimisation and even the threat of execution.”
ORG spoke with Radwa Fouda about the importance of encryption as an activist and their work with the Center for Egyptian Women’s Legal Assistance (CEWLA). They warn that “policy will never catch up to the speed of tech” and framing the argument around a broad term like ‘criminal’ is “another thing that is let loose, so the state can better catch opposition and practice unmonitored mass surveillance.”
“LGBTIQ+ organizing and mobilization is not allowed by the Egyptian Government. Moreover, identities and sexualities such as non-conforming assigned-male-at-birth, gay men, trans women, are highly targeted as individuals by the police. Therefore, on different personal and political levels it is highly important to maintain the privacy of my communications as well as my community members.”
Radwa Fouda went on to tell ORG that “conducting academic and/or independent anthropological research mandates that researchers should keep the records of their interlocutors safe.”
Protecting sources is critical for research and journalism in democratic society, providing the necessary safety from retaliation for revealing abuses of power in the public interest. As Edward Snowden explained, “It would have been impossible for me to whistleblow without encryption.”

“For the millions and millions of LGBTQ+ individuals around the world, digital spaces serve as lifelines to resources, support and community that many are not able to seek in the physical world. Encryption makes those lifelines possible.”
– Shae Gardner (Director of Policy), LGBT Tech
The Janus State
Breaking end-to-end encryption will result in a chilling effect on speaking truth to power. Snowden summed it up as “without secure end-to-end encryption, it is impossible to see how brave investigative journalism could happen at all.” It’s therefore unsurprising that the chief of Europol recently said that “anonymity is not a fundamental right.”
There is, however, rank hypocrisy in the assault on encryption. As Meredith Whittaker points out, “every military in the world uses Signal, every politician I’m aware of uses Signal. Every CEO I know uses Signal because anyone who has anything truly confidential to communicate recognises that storing that on a Meta database or in the clear on some Google server is not good practice.”
“End-to-end encryption exists, it works, and it makes sense. Tech companies know it and privacy campaigners know it. But so too do citizens. And, frankly, so too do policymakers.”
– Ciaran Martin, former Head of the National Cyber Security Centre
If it’s good enough for them, it’s good enough for us. Yet despite this the UK government has already used the Investigatory Powers Act to order Apple to create a backdoor to its encrypted services. In response, over 200 civil society groups and experts have called for the Home Office to drop its order as it “jeopardizes the security and privacy of millions, undermines the UK tech sector, and sets a dangerous precedent for global cybersecurity.” Apple have now withdrawn advanced data protection tools from the UK entirely, putting millions of people’s photos, legal documents and private information at risk of being hacked.
The government wants to be able to access anything and everything, anywhere, any time. Their ambition to undermine basic security is frightening, unaccountable and would make everyone less safe. WhatsApp, Signal and other services will be next in their sights. And both WhatsApp and Signal have said they’d rather withdraw services from the UK than comply with message scanning requirements. It’s all or nothing when it comes to security.
“The consensus among cybersecurity experts could not be clearer: there is no way to provide government access to end-to-end encrypted data without breaking end-to-end encryption, thus putting every user’s security and privacy at risk.”
– Joint letter from Global Encryption Coalition
Practice Safe Text

Privacy and security are indivisible in a digitalised society.
End-to-end encryption not only preserves the privacy of what you want to confide in friends or family: health, finances, legal claims, sexuality or abusive living situations. It also preserves the security of bank details, the code to your alarm or building, your address, where you’ll be and when.
You can’t scan communications without breaching privacy. You can’t introduce software that undermines encryption without making things less secure than they are now.
We must defend end-to-end encryption as the bulwark against oppression, abuse of power, cybercrime, algorithmic injustice and, yes, abusers.
PETITION: KEEP OUR APPLE DATA ENCRYPTED
Stop the Home Office from putting our security at risk by demanding a backdoor into Apple’s encrypted services