Encryption and the Rule of Law

Child abuse images, Encryption, Facebook, Internet governance, Privacy, Regulation, Self-regulation 6 Minutes

At last week’s Bletchley Park conference on Artificial Intelligence (AI) one of the most significant statements came from the British Prime Minister, Rishi Sunak. 

All the Big Tech companies and AI bodies present promised only to develop AI applications which would directly or indirectly serve the public interest. What else could they say? While welcoming their promises the Prime Minister nevertheless made clear AI developers cannot be left to

mark their own homework”   

Even Elon Musk agreed

“every game needs a referee”.

OK, tomorrow Musk could say the exact opposite, and why did nobody ask him why he had sacked so many compliance staff? Was it only because there was no referee? If it was it does rather underline the need for one.

No dissent registered

The key point is there appeared to be no dissent from the idea that external examination, checking and validation was necessary to keep everyone honest. 

Quite how the machinery to do this will work is another matter but as Dr Caitlin Bentley acknowledged  the declaration adopted was nevertheless a

 “milestone moment”. 

A definitive adios to the admittedly ludicrous “Declaration of the Independence of Cyberspace”. 

Turns out we need those weary giants of flesh and steel after all. 

If the importance of external examination, checking and validation catches on I can see how it should apply more widely, particularly in other areas which may present important challenges to our way of life.

Threats to the Rule of Law

An important part of the Rule of Law is the notion that, where necessary the law can be enforced with reasonable expedition and with equal access for all to a means of securing justice. Yet the Rule of Law will be severely undermined by the emergence of indiscriminately available strong encryption as expressed, for example, through the integration of End to End to End Encryption (E2EE) into mass messaging systems. 

Justice delayed is justice denied

What brought this thought to mind was reading about another Encro Chat  case. This was a network with over 60,000 users spread across more than 120 countries, planning and executing a vast amount of different kinds of typically very serious crimes, including crimes against children.

It was back in 2017 when the police, in this case initially in France, first became aware that these specially adapted, encrypted messaging systems were being extensively used by criminals. And they became aware of this not because of any smart, high-tech sleuthing, much more prosaically it was because they were finding certain devices in the possession of criminals being arrested for other matters. This set them off on a hunt.

In other words the cops got lucky. Luck doesn’t scale.

Scale and legal and technical complexity are what lie at the heart of the challenge of E2EE. What might previously have been serious but small scale could become serious and large scale.

Scale changes everything although in the end we judge the impact by looking at how individual cases play out in real life.

If you were a victim of a crime  or a civil wrong how would you feel about waiting year after year for justice knowing it was only because the police or your lawyers were having difficulty assembling the evidence because of encryption? 

Will we ever know how many cases are not  seriously pursued because of the difficulties presented by encryption? Courts are issuing orders, granting subpoenas and what have you to no avail. How many police or court officers are saying to people with a grievance

“We are very sorry but there is no genuine prospect of us making further headway with this case in the foreseeable future”.

Within police systems how does triage work? If difficulties with encryption appear upfront in a case does it go up the list or down? 

Are the cops staying quiet about the challenges they face in order to maintain at least the facade they can handle everything? Or in order not to further advertise to the criminal world how much easier their lives could be if even more of them started getting into encryption? Do some of the rules of evidence or legal principles developed in a pre-digital age need to be modernised to fit contemporary circumstances?

Justice never delivered is something else again

Up to now the Governments in the liberal democracies have followed the lead given by President Obama. They are not tackling the issue of encryption head on because of what they think are the advantages it brings. However, several years later we are now on the edge of a world in which strong encryption is everywhere. A world in which, in practice, maybe not in theory, privacy is being elevated to an absolute right, a right which trumps all others. 

No legal instrument ever written anywhere has said privacy is superior to any other right, but strong encryption can make that a reality (at least for now, maybe not forever, but that’s another issue, see next blogs).

I think it unlikely Obama’s line will be sustainable indefinitely. If people come to believe their Government, the courts and the police cannot keep them safe or deliver justice then what’s the point of having them?

“Encryption is the reason I cannot get justice? Deal with it. That’s why we vote for you guys. Don’t tell me a private company or organization is to blame because they decided to spread this encryption thing. Who’s running this country you or them?

Apple is denying justice to untold numbers

Here is another example of justice denied, probably permanently and on a very large scale.

In the four-year period 2019-2022 inclusive, approximately 100 million reports of child sexual abuse content were received by NCMEC. Roughly 80 million of these came from Meta and in the main were linked to their two major messaging Apps, Facebook Messenger and Instagram Direct. In the same period how many came from a company whose messaging, storage capacities and size are certainly equal to but are probably larger than Meta’s? I refer to Apple.

864 is the answer.  I have not missed any zeros or commas by mistake. Apple’s system is already encrypted. That’s why their numbers are so low. Unlike Meta they cannot see anything so they cannot report or act against anything.

These paltry numbers are an abomination. How much child sexual abuse has not been discovered because of Apple’s policy? How much pain is continuing, how many deaths are being concealed?  Shocking. Indefensible.

Transparency is the answer

In respect of companies or organizations which say they are providing E2EE, can we at least ask or insist they make abundantly clear they are doing so within what parameters?  Not all E2EE programmes work in the same way.  Some allow the provider to continue exploiting metadata for commercial purposes, and seemingly some don’t.  

If people have misgivings about deploying tools which would reduce the criminal abuse of E2EE,  rather than refusing to use them why not establish transparency mechanisms to minimise the chances of abuse?  

This may not work in North Korea but do we really want to live in a world where the safety of the rest of us is determined by how far Kim Jong Un is prepared to change his habits? That problem needs to be solved in other ways. Political ways. Ways that do not demand we sacrifice our children to paedophiles or our life savings to fraudsters. Kim Jong Un is a convenient cover for a multitude of undeclared sins. 

Let’s not cut off our noses to spite our faces

To the extent there is a genuine interest in having access to a more privacy respecting online environment, there is little doubt it has been at least in part stimulated by past excesses, including unlawful excesses by state actors. But in the liberal democracies we can and have corrected them. Through the ballot box and other  mechanisms, e.g. our courts and a free press, we at least have the possibility of addressing the behaviour of those whom we elect to govern us.

We don’t get a vote at company AGMs or a seat at the table of civil society bodies with a mission to spread E2EE. Thus, if we believe in the possibility of citizens being able to control the actions of the public bodies they elect, we must not make their job impossible. And if we don’t believe that then we have a whole other set of problems. These are very unlikely to be solved by, in effect, resorting to the law of the techno-jungle where it is everyone for themselves aided by private bodies whom we are apparently willing to trust to stand sentinel on our behalf. 

Nobody ever voted to allow a whole shadow world to be created which operates outside the bounds of the Rule of Law. And if such a proposition were explained and squarely put to people I am confident they would vote to reject it.

Unknown's avatar

Published by John Carr

John Carr is one of the world's leading authorities on children's and young people's use of the internet and digital technologies. He is a former Senior Technical Adviser to Bangkok-based global NGO ECPAT International and a former Secretary of the UK's Children's Charities' Coalition on Internet Safety. John has advised the Council of Europe, the UN (ITU), UNODC, the EU and UNICEF. A former member of Microsoft's Policy Board for Europe, the Middle East and Africa and a former Vice President of Mspace, he has also advised several of the world's largest technology companies on online child safety and ethical investors with shares in high tech businesses. John's skill as a writer has also been widely recognised. http://johncarrcv.blogspot.com and https://substack.com/@johnc1912

Published