End-to-end encryption: What happens next?

The Online Safety Bill (OSB) is still winding its way through parliament. But while much of the analysis so far has been on its provisions to force social media companies to remove “harmful” content, there’s an elephant lurking in the corner of the room. Clause 110 compels not only social media firms but also messaging app providers to identify and take down child sexual exploitation and abuse (CSEA) content.

There’s one big problem here. End-to-end encryption (E2EE), which makes message content impenetrable to providers like WhatsApp. It appears as if the government might be looking at client-side scanning as a solution. Experts I spoke to for an upcoming feature are unconvinced.

What’s client-side scanning?

Put simply, this “accredited technology” would require individuals to download software to their devices. It would run locally, scanning potentially for suspicious keywords and image content that matches a CSEA database, before a message is encrypted and sent. On paper, this preserves E2EE while allowing the authorities to police child abusers. In reality, it will fail on both counts for several reasons.

  • Researchers have already worked out it could generate too many false positives to be useful, and could be hacked in other ways
  • If client-side scanning were targeted by foreign governments or cyber-criminals, it would put private data potentially at risk
  • The bosses of several big-name messaging apps say they’d rather exit the UK than comply with the OSB, which would also make UK firms and consumers less secure
  • If client-side encryption comes into force, child abusers will simply gravitate to unpoliced apps, as criminals have in the past with services like EncroChat
  • There’s a concern that the technology could be used in the future to police other content types – government mission creep

Matthew Hodgson, CEO of secure messaging app Element, argued that the new provisions directly contradict the GDPR in undermining encryption.

“It undermines privacy and security for everyone because every secure communication app which happens to have abusive users could be obligated to incorporate a third-party scanning solution, which then means every single user is at risk of that scanning solution being exploited by an attacker to break their privacy,” he told me.

“Any business depending on E2EE for privacy may find themselves at a loss, given encryption vendors would be forced to stop providing their services in the UK, as it is literally impossible to preserve privacy whilst also adding a mechanism to let third parties exfiltrate user data.”

Corelight cyber security specialist, Matt Ellison, cautioned against government putting its faith in a “magic technical solution” that doesn’t exist – adding that Apple abandoned similar plans for client-side scanning after a privacy uproar.

“Ultimately the government is proposing to significantly weaken the security of almost the entire nation, for the ability to perform a lawful intercept of an individual suspected of a crime,” he told me.

“Should all vehicles be fitted with a remote kill switch, in case you are deemed to be committing a crime in your vehicle? Should all houses have the same door key type, with authorities maintaining a master key that could get into everyone’s house to gather evidence without you knowing, again, if you are under suspicion?”

Ellison argued that smartphones are much more than just a technically advanced mobile phone.

“The reality is that they are an intimate and highly integrated aspect of our lives and mass surveillance approaches such as this are a gross invasion of privacy and civil liberties.”

What should happen?

According to Hodgson, there are plenty of ways law enforcers could hunt down child abusers.

“These include investigation/infiltration of forums where abusers recruit or advertise, or by analysing communication metadata, or by educating users within apps, and in general, to be mindful of abuse,” he added.

“Blanket surveillance which undermines the privacy of everybody is not the answer.”

Ross Anderson, who wrote a paper on this challenging the conclusions of the NCSC technical director Ian levy, agreed that old-fashioned policing techniques are the answer, rather than technology solutions which promise much but deliver little. The debate between law enforcement/government on one side and encryption specialists/tech vendors on the other has been raging for years. Throughout, the former have argued that tech wizards simply need to apply themselves more diligently to the task in order to find an answer. The latter retort that E2EE can’t be broken without undermining security for everyone.

So where does that leave us? With Labour backing the bill, it will undoubtedly become law. But what of Clause 110? If it remains unchanged, it’s unlikely the government will enforce it. The best privacy and security advocates can hope for is that its most controversial provisions are never enforced. That’s what happened with the Investigatory Powers Act – which incidentally already gives the British government theoretical powers to force tech firms to break encryption. It will probably happen again.