The British government has backed a call by the country’s security services for client-side scanning for child sexual abuse material – aka Apple’s CSAM approach.
Home Secretary Priti Patel has written an op-ed in which she indicates government support for the stance, while also attacking Facebook’s plans to make all Messenger chats end-to-end encrypted by default …
Background
Apple’s CSAM scanning plans were first announced a year ago. Instead of scanning photos stored on iCloud, which is the approach taken by other companies with cloud storage services, the iPhone maker wanted a more privacy-respecting approach. This is based on what are known as “hashes” – unique digital signatures – of CSAM files, using client-side scanning (on the device, rather than in the cloud):
- Apple downloads the CSAM database hashes to your iPhone
- An on-device process looks for matches with hashes of your photos
- If fewer than 30 are found, no action is taken
- If 30+ matches are found, low-resolution versions of your photos are manually examined by Apple
- If the photos are found to be innocent, no further action is taken
- If manual review confirms them as CSAM, law enforcement is informed
While the approach was indeed better than that of other companies, Apple’s plans quickly came under fire from cybersecurity experts, human rights organizations, governments, and Apple’s own employees. Four main concerns have been raised, explained here. Apple subsequently addressed the first two.
We argued that such a backlash was inevitable, given the years Apple has spent touting its privacy credentials. The company has put up huge billboards. It has run amusing ads. It has an entire privacy microsite. Its CEO talks about privacy in every interview and public appearance. The company attacks other tech giants over privacy. It fought the entire ad industry over a new privacy feature.
British government backs Apple’s CSAM approach
Last month, the UK’s NSA equivalent, GCHQ, wrote a white paper in partnership with the National Cyber Security Centre. The paper argued that Apple-style client-side scanning offered the right balance of security and privacy.
Ian Levy, the NCSC’s technical director, and Crispin Robinson, the technical director of cryptanalysis – codebreaking – at GCHQ, said the technology could protect children and privacy at the same time.
“We’ve found no reason why client-side scanning techniques cannot be implemented safely in many of the situations one will encounter,” they wrote in a discussion paper published on Thursday, which the pair said was “not government policy”.
It appears that this is now government policy, as Patel has written an op-ed piece for The Telegraph in which she endorses this.
Some of our foremost cyber security experts have published a paper setting out a range of safeguarding options that could be implemented by companies to reduce the prevalence of child sexual abuse online while maintaining the privacy benefits of end-to-end encryption.
The piece represents a softening of previous statements by the British government, which have attacked end-to-end encryption as enabling child abusers and terrorists. Patel now argues that it would be irresponsible to launch a new E2E encryption service without such a system in place.
The specific target of her ire is Facebook.
Meta has recently announced that it is beginning to test end-to-end encryption on its platforms, which include Facebook and Instagram. The company plans to make end-to-end encryption the default system for all personal calls and messages next year.
But parents need to know that their kids will be safe online. The consequences of inadequate protections – especially for end-to-end encrypted social media platforms – would be catastrophic. A great many child predators use social media platforms such as Facebook to discover, target and sexually abuse children. These protections need to be in place before end-to-end encryption is rolled out around the world. Child safety must never be an afterthought.
Currently, users have the ability to start a Secret Message, which is E2E encrypted, but the default is encryption for which Facebook holds the key.
Patel refers to the Online Safety Bill, which would enforce client-side scanning, as if it were certain to pass. The reality is that this legislation has now been put on hold, and there is no certainty that it will proceed.
If client-side scanning does become a legal requirement, it will put Apple right back in the spotlight. The Cupertino company has gone silent on the issue, seemingly hoping that it can quietly drop its plans to avoid the controversy.