Tech companies are set to move forward with controversial technology that scans users’ phones for child abuse images, tech officials from GCHQ and the UK’s National Cybersecurity Center have said.
So-called “client-side scanning” would involve service providers such as Facebook or Apple building software that monitors communications for suspicious activity without the need to share message content with a centralized server.
Ian Levy, technical director of the NCSC, and Crispin Robinson, technical director of cryptanalysis – decoding – at GCHQ, said the technology could protect children and privacy at the same time.
“We have found no reason why client-side analysis techniques cannot be safely implemented in many situations that will be encountered,” they wrote in a working paper released Thursday, which the pair said was “not government policy”.
They argued that opposition to proposals for client-side scanning – the most famous being a now indefinitely suspended Apple plan to scan photos before they are uploaded to Apple’s image-sharing service business – was based on specific defects, which could be corrected in practice.
They suggested, for example, requiring the involvement of multiple child protection NGOs, to guard against any individual government using the detection device to spy on civilians; and using encryption to ensure the platform never sees the footage passed to humans for moderation, instead involving only those same NGOs.
“Details matter when talking about this topic,” Levy and Robinson wrote. “Discussing the subject in generalities, using ambiguous language or hyperbole, will almost certainly lead to a bad outcome.”
The document has been well received by child protection groups. Andy Burrows, head of child online safety policy at the NSPCC, said it was an “important and highly credible intervention” that “breaks the false binary that children’s fundamental right to safety online can only be achieved at the expense of adult privacy”. .
“It is clear that legislation can incentivize businesses to develop technical solutions and provide safer and more private online services,” he added.
But critics say the proposals undermine the benefits of end-to-end encryption and the focus should instead be on non-technical solutions to child abuse. Alec Muffett, a cryptography expert who led Facebook’s effort to encrypt Messenger, said the paper “blindly ignores the risks that their proposals will endanger the privacy of billions of people around the world.”
Muffett said: “It’s bizarre that they define abuse as a ‘society problem’ when they only demand technological solutions. Perhaps it would be more effective to use their funding to adopt harm reduction approaches, hiring more social workers to implement them? »
Levy and Robinson’s working paper isn’t the first time the pair have ventured into controversial policy areas. In 2018, they advocated for a so-called “shadow protocol” solution to encryption, where GCHQ could silently add itself as an alternate recipient of messages sent to and from a target device.
“It’s relatively easy for a service provider to silently add a law enforcement participant to a group chat or call,” they wrote. “This type of solution seems no more intrusive than the virtual alligator clips that our democratically elected representatives and our judicial system allow today.”