Earlier this week the EU’s Belgian Presidency pulled a vote on child protection. There was not enough support in the room to allow it to go through in an acceptable form.

The way the matter was reported in Politico and elsewhere it was the clauses on encryption which were a key (but not the only) reason for the climbdown. Germany and Poland were named as the principal countries opposed to the Belgian proposal.

This was one of the headlines

“The controversial regulation would allow citizens’ encrypted messages to be scanned…”

The entire debate on encryption has been bedevilled by the suggestion we must choose between protecting our privacy or protecting our children. There is no middle or other way.

That is a lie. But it has been an incredibly effective lie.

In the beginning

Strong encryption tools for use online have been available to the public since Phil Zimmerman first released PGP in the early to mid 1990s. In a  conversation on BBC TV between Zimmerman and myself, when asked if he had any qualms about releasing PGP in the way he did, given it would be available to groups who could use it to plan, coordinate and execute criminal acts then hide the evidence, Zimmerman uttered these immortal words

“Since the end of the Second World War as far as I can see the (US) Federal Government has done as much harm to the people of America as the Mafia.”

It’s hard to know how to engage in an intelligent conversation with someone who cannot distinguish between organized crime and a democratically elected government accountable through the courts and the ballot box.

PGP was very clunky so didn’t really take off in the mass market.

Scale changes everything

When strong encryption tools were only used by a relatively small number of people and businesses, they posed a threat to children and others but did not also amount to a material or long-term major threat to the wider functioning of society. However, when these same strong encryption technologies become indiscriminately available at scale they do.

Very large numbers of children in particular get drawn into the ambit of harm that strong encryption can facilitate. This is not a matter of speculation or guesswork. In 2023 NCMEC received 36 million reports of child sexual abuse material that had been found on a range of online platforms. 1.4 million came from Google. 17.8 million came from Facebook, 11.4 million from Instagram. How many came from Apple? 267 (that is not a typo).  In every previous year for which numbers are available Apple registered the same miserable absence. Why? Strong encryption. Apple acknowledged they had a problem. They came up with an elegant, privacy-preserving solution but then they abandoned it. Shame. Shame.

The Rule of Law is threatened

The large scale proliferation of strong encryption creates dangers for all of us who believe in a rules-based world, for those of us who recognise and accept the central importance of the Rule of Law to the functioning of liberal democracies.

The idea of the Rule of Law implies at least the possibility the law can be enforced.  Yet with certain forms of strong encryption a court can issue subpoenas until the cows come home but companies or organizations deploying those forms simply cannot honour them. The possibility of collecting evidence to present to a civil or criminal tribunal just disappears. Even if the public purse could manage it, and even if we went full Stasi, simply recruiting additional humans to work on these issues, police officers or others, will not meet the needs of the moment.

Technology has created a new problem and a big part of the answer, in turn, must be technological.

Nobody ever voted for what we now have

Lest we forget, no national or international legislative or Treaty-making body has ever said privacy is an absolute right. It is only one right among many. Yet we are now faced with a situation where private entities – companies in search of profit or geeks in not-for-profits with a particular view of the world in general and politics specifically- have elevated privacy beyond all other rights. For practical purposes they have put privacy beyond the reach of and therefore outside the Rule of Law.

Between a rock and a hard place

There is no doubt various Governments’ security and law enforcement agencies and online businesses have more than once overstepped the mark by illegally or unethically deploying technical tools to abuse citizens’  and consumers’ reasonable expectation of privacy.

But at least in the liberal democracies the very fact such excess was identified and corrected proves part of the value of liberal democracy. Yet Meredith Whitaker, President of Signal, would have us believe the greater deployment of strong encryption will lead to a better world. It won’t. It will make it worse.

Whitaker says

“encryption is deeply threatening to power”.

She does not say

“encryption is deeply enabling of crime and will undermine the Rule of Law in the liberal democracies”.

Thus, faced with one type of threat – abuse by state agencies and big business – the President of Signal chooses to create a vast new space where a whole legion of other problems are given the room and encouragment to grow.

It does not have to be like that

Systems could be developed which allow strong encryption tools to continue to be used but without threatening the Rule of Law. Apple came up with one (see above).

Could those systems be misused? Almost certainly. Nobody has ever developed a piece of software that could not be misused by someone who tried hard enough. Strong encryption tools are themselves further evidence of this.

To protect ourselves from potential misuse of those systems, in order to be sure state agencies or businesses do not revert to bad old ways, we can devise strong supervisory, audit and transparency regimes which will reassure the public and the courts nothing untoward is going on.

Businesses and agencies which value the Rule of Law will embrace and support that. The Mafia and paedophiles won’t.

And in totalitarian states?

But what about North Korea and any number of other countries which routinely do not honour international human rights standards? It is difficult to take seriously the idea that the only thing, or even a moderately important thing which stands between the citizens of North Korea or wherever and the sunny uplands of liberty is the existence of strong encryption tools.  We are asked to believe the brave warriors on the West Coast will ride to the rescue. It’s insulting.

“Yes Frau Schmidt and Pani Karbowksi, we know we could do more to protect your children  from online evils but we refuse to do so because we are worried it will help Kim Jong Un hang on to power and carry on oppressing his people.”

This is all about money and political choices

Let us be clear:  Big Tech likes strong encryption because it helps them make more money. It helps them avoid certain kinds of bad publicity which can also feedback into the money loop but avoiding bad publicity is anyway, for them, a desirable end in itself.  The privacy lobby likes strong encryption because ultimately they think like Phil Zimmerman.

But public opinion is massively on our side

When you look at any polling on the priority attaching to protecting children as against the protection of absolute privacy the protection of children wins hands down every time. In a 2023 survey conducted in 15 EU Member States 81% of respondents supported moves to oblige online service providers to detect, report and remove child sexual abuse online. In a 2021 survey in 8 EU Member States similar high levels of support were also recorded.

Unfortunately that public sentiment has not yet found a way to channel itself into the world of democratic politics. By contrast the well-funded industry groups and privacy bodies have managed to capture the headlines time after time with their apocalyptic hyperbole.  Shamelessly they play on, exploit and magnify an underlying mistrust of all forms of officialdom and Big Tech. And unfortunately headlines are very often what drive politicians.

“A reasonable way has been found to protect children while also preserving our privacy” doesn’t have the same, clickbait, eye-catching-shock-horror potential of “chat control” with all its scary and oppressive undertones.

That’s what we must change.