We need to keep up with the times

Posted on September 27, 2018 by John Carr

A while ago I had my DNA analysed by a well known family history company. I did it partly out of curiosity and partly because I have been doing quite a lot of research into, er, my family’s history. I thought it would be  interesting to see if the science matched the folk lore. By and large it did. Not entirely, and the bits where it didn’t were fascinating.

Because I agreed  to it, the company was able to use my DNA profile to connect me with hundreds of people who  appeared to be relations.  Almost all of them were in the USA, deriving from both sides of my genetic inheritance, Polish and Irish.   Most were quite distantly related: 4th, 5th and 6th cousins. I had never heard of any of them so the fascination was low key and nerdy. If I was planning to write a full family history going back as far as the Ark it would be useful, but I’m not so it isn’t.

Even so, I thought it semi-magical the way one simple, inexpensive little test, which I commissioned and paid for myself, could unlock so much information. Then I learned that DNA databases of the kind I had subscribed to were being used to solve cold cases – unsolved murders and rapes where the murderer or rapist had left some DNA at the scene but at the time either the technology did not exist to extract it or there was nothing in any of the then available DNA databases to provide a potential match.

Eventually someone had the bright idea of uploading information from the suspected murderer’s or rapist’s DNA sequence to one or more of these family history websites. They did not get a hit pointing directly to the murderer or rapist but they did find links to persons likely to be related. By identifying a family member the police finally zoomed in on someone who became a suspect. Following an investigation they were able to  make an arrest and secure a conviction.

I think this is completely brilliant. What’s not to like? People voluntarily provide information about themselves which allows the police to do what they are supposed to do i.e. identify suspects and investigate any potential connection with the victim.  I’m guessing that DNA evidence alone would never be sufficient to convict anyone, particularly in ancient cold cases, but it gave the police the vital initial clue that allowed them to start putting together a larger dossier to present to the court.

But objections are arising. These were neatly summed up by a Professor Murphy, author of “Inside the Cell: The Dark Side of Forensic DNA.”

You shouldn’t have fewer civil rights because you’re related to someone who broke the law

That is a neat sound bite because it looks so eminently reasonable. But when you break it down there is a lot less to it than at first meets the eye.  Does anyone seriously believe that any legal instrument was ever intended to make it harder  for the police to catch murderers or rapists using published data that was freely given?  How can that infringe anybody’s rights? Is Professor Murphy really saying

“If you are thinking of engaging in criminal behaviour,  you would be well advised to notify all your known relatives of your intentions. Ask them not to delve into their family history or at least, if they do, tell them not to publish any DNA data that could be interrogated by any arm of the state.”

More succinctly

“Relax guys, we are not going to allow advances in technology to help law enforcement find you.”

Hashes and PhotoDNA

Here’s another example: I am hearing on several grapevines that on both sides of the Atlantic a fight is developing over the use of hashes. Hashes, you will know, are a digital fingerprint of an image which, in this case, has already been confirmed as being an illegal child sex abuse image. The hashes cannot be reverse engineered to recreate the image.

Nobody should be in possession of a child sex abuse image. The emergence of Micrososft’s PhotoDNA technology has completely transformed the way in which the internet industry has been able to locate and delete them. So far in 2018 the US-based National Center for Missing and Exploited Children has received reports of over 13 million and, overwhelmingly, these reports have come from companies like Facebook, Google and Twitter. The UK’s Internet Watch Foundation is also finding staggeringly large volumes using the same system. Proactive searching is impossible without hashes. Waiting for the public or sysadmins to report suspected images was, originally, the only mechanism we had available to us but advances in technology, as represented by PhotoDNA, have rendered that redundant.  We need to move on. Keep up with the times.

Yet, unbelievably, some privacy lawyers seemingly are suggesting that a hash can be thought of as being personal information and that any attempt to find a hash –  for example of a child being sexually abused – therefore requires a warrant or some prior judicial process and/or notification to the person thought to be in possession of the hash.

I am tempted to stop writing here and go lie down in a darkened room. Pretend the world is not going mad.

Aren’t hashes the least privacy-invading way of doing any sort of investigation? Don’t they take you only to the profiles of individuals where there is a reasonable suspicion that, wittingly or unwittingly, they have become involved in distributing illegal material? Isn’t that the point where a search might be needed or warrants obtained? In the meantime, or if that is not practical for whatever reason, at least the images can be removed from public view. Again, what’s not to like?

Internet security today depends on proactivity. Companies scan for spam, viruses and all kinds of unacceptable or illegal behaviour or content. They even prohibit it in their Ts&Cs. Is it being suggested companies cannot take reasonable and proportionate steps to enforce their own contracts? I would rather be discussing the culpability of those businesses who hide behind platform immunity, the ones who are not using hashes when they know, or ought to know, their systems are being or are likely to be misused in these ways.

The internet has facilitated a shaming explosion in the availability of child sex abuse material. By common consent it is beyond the capacity of every law enforcement agency in the world to address  the current volumes. While retaining a focus on trying to prevent child sex abuse in the first place, where we fail, technology provides the only way we can hope to get rid of these images. This is about respecting and honouring the dignity of the victims depicted and reducing the risk of new crimes being committed against children as yet unharmed.

About John Carr

John Carr is one of the world's leading authorities on children's and young people's use of digital technologies. He is Senior Technical Adviser to Bangkok-based global NGO ECPAT International and is Secretary of the UK's Children's Charities' Coalition on Internet Safety. John is now or has formerly been an Adviser to the Council of Europe, the UN (ITU), the EU and UNICEF. John has advised many of the world's largest technology companies on online child safety. John's skill as a writer has also been widely recognised. http://johncarrcv.blogspot.com
This entry was posted in Child abuse images, Location, Regulation, Self-regulation, Uncategorized. Bookmark the permalink.