Ending end-to-end encryption doesn't make all children safer online
The Home Office campaign to persuade the public against end-to-end encryption is hitting the headlines for all the wrong reasons.
If you don’t know the story, the government has paid £534,000 to advertising agency M&C Saatchi to try and persuade the general public that increased security on internet communications by using end-to-end encryption is a bad idea.
The message is that if we make conversations truly private online then malicious activity like child sexual exploitation will be harder to spot and deal with.
I am not going to get into the online privacy debate here, as both sides have valid arguments. However, I do want to look at this in terms of two key areas: 1) the prioritisation of this as an issue in the cyber security space and 2) the logic of the argument.
Prioritisation: Is this the best use of this money to make an impact in this area?
The gap in support for victims of cybercrime is colossal. Millions of people in the UK fall victim to online fraud, cybercrime and online harm every year. Millions. The impact is huge in terms of mental health, personal safety, online confidence and financial loss.
The infrastructure to support them is woeful. The police are under-resourced and underskilled. Only a tiny fraction of cyber crimes get investigated. Most victims never hear back. There are lots of people in the police doing good work, but it isn't enough.
Other support systems like charities who help victims of domestic abuse, hate speech or stalking also struggle with the technical side of cybercrimes - quite rightly as they are not cybersecurity experts. The funding just isn’t there to add expensive cyber security experts to their ranks.
So with this massive issue in the support of cybercrime victims, how does a huge amount of money end up being funnelled into a marketing campaign to lower the average person’s security? It is very hard to get to a place where this makes sense.
Let’s take a step back and look at The Cyber Helpline. We are unique in that we are a team of cybersecurity experts who volunteer to help victims directly. Once they experience an issue we work with them until the issue is resolved. In our four years of operating we have helped over 10,000 victims. Each month we open around 650 new cases.
We currently have 60 volunteers. Each volunteer costs us almost exactly £500 to cover the costs of the tools, training, insurance, background checks etc. they need to be able to effectively help victims. In our four years of operation we have not received one penny from the UK government to support our mission.
What could £534,000 achieve? If we received this kind of money we could pay for 1,068 volunteers for 12 months. Each of our volunteers typically helps at least 80 individuals and their families in a year. So, with a £534,000 investment in a helpline like ours, over 85,440 victims would receive help. In fact, our chatbot helps around 70% of our victims - with 30% coming to our volunteers - so it would actually enable us to help 284,800 victims!
We are not the only organisation who comes into contact with victims of cybercrime. Money could be spent in a number of ways to improve the experience of reporting and getting help with a cybercrime.
Fundamentally, end-to-end encryption is a way to give everyone more privacy and security online. Data suggests that, for the majority of individuals, data privacy tools are used innocently and for general privacy. Privacy controls, like end-to-end encryption, are also key safeguards for journalists and whistleblowers around the world.
The prioritisation of this as a key issue just doesn’t make sense. There are changes we need to the law, to the way internet platforms work and to how law enforcement can collaborate with them, but removing end-to-end encryption is nowhere near the list of key things that could really make a difference.
Let’s also not forget that Article Eight of the Human Rights Act protects our right to private communications. There is also debate as to whether removal of end-to-end encryption for all uses would be legal, due to it being a disproportionate response.
Logic: Does this even make sense?
Does reducing all children’s online security & privacy make children safer? The answer is pretty obvious. There are so many ways to make advances with the issue of children being targeted online without putting everyone’s privacy at risk. To name just a few (and I am sure there are specialists out there who have better ideas):
Force online platforms to verify the identity of every user on their platform. Their real identity would not have to be publicly shared - and the platform may not be able to access it - but if that user is suspected of a crime then it can be released to the authorities.
Force online platforms by law to release the details of accounts carrying out malicious activities to local law enforcement and collaborate in investigations.
Age verify and ensure underage children are not using platforms against the terms and conditions.
For children between 13 and 18, force internet platforms to have the right safeguards in place such as education at account set up, strong privacy & security settings, alignment with the ICO's Charity Code and strong reporting and response mechanisms.
Stronger education of parents of platform users on the risks of the platforms - you could implement the information in the NSPCC’s NetAware app to support this process.
A system to display a warning on accounts that have a history of breaking the rules in terms of content and abusive online behaviour.
Improvements need to be made in the IPA 2016 process for requests for communications data from service providers, especially those that are international, to improve the process of obtaining warrants.
These requests should also have the appropriate safeguards in place to convince service providers to comply with such requests, as recommended in the 2015 Investigatory Powers Review, and the relationship with service providers and law enforcement should be built upon.
Enforcing data retention and data sharing policies among UK services that are in line with the Data Retention Directive and GDPR, and encouraging amendments to the Budapest Convention on Cybercrime Act to reflect this.
Provide training to the police forces on submitting communications data requests, lessening the institution-wide assumption that requests for data will be denied.
If we had all of these things and more in place then I can imagine a need for a debate on lowering the privacy of other users as a potential further measure. Until we have those basic safeguards in place, lowering online privacy for everyone is reckless.
The current approach is like deciding to remove all seatbelts in cars because someone died as a result of a faulty seat belt. The bigger risk to the public is not having a seatbelt, the much smaller risk is a seatbelt going wrong.
The logic at play here just doesn’t chime with what we have seen on the ground in our 10,000 cases to date. People need more privacy and security online - not less. There are other ways to deal with the issue of malicious individuals online targeting children.
I hate that children are being abused online, but using my emotions on this issue to try and get me to reduce my own online privacy is unacceptable.