Two senior technical directors of GCHQ, the UK’s cyber intelligence agency, have published a new paper analyzing how tech companies can protect children from online sexual abuse.
The impact of child sexual abuse can last a lifetime, even if the abuse takes place online. Research from the Independent Child Sexual Abuse Study found that survivors often face serious physical and mental health problems later in life.
One of the challenges in tackling this online abuse is the growing number of services offering end-to-end encryption, technology that often undermines existing security features many companies use to detect child sexual abuse material.
But without end-to-end encryption, any hacker or even lawful authority — and perhaps even messaging company employees — who have access to the service’s internal controls would be able to read those messages.
Read more: Danielle Armitage waives her anonymity to warn others of what happened to her when she was just 14
Image: Danielle Armitage was groomed and personally abused online
The new paper is written by Dr Ian Levy, technical director of the UK’s National Cyber Security Center (NCSC) – a part of GCHQ – and Crispin Robinson, technical director of cryptanalysis at GCHQ, both trained mathematicians and career intelligence officials whose work involves the sexual child abuse online.
They describe seven “harm archetypes” to frame the problem in new ways, from children being cared for by offenders to adults sharing indecent images of children in shock, noting how each of these harmful behaviors has a particular effect. technical profile that can be tackled in a specific way.
Child sexual abuse is a social problem
In particular, it recommends rethinking a recent controversial Apple proposal to preemptively scan all iPhones for Child Sexual Abuse Materials (CSAM) as a possible solution to some harm, if it were properly designed to protect against others.
One of the biggest fears of academics and security experts was that Apple’s system could be modified to search for non-CSAM images that could be of interest to government agencies. The company then postponed the proposal indefinitely.
While the 67-page document is not intended to represent UK government policies, the authors acknowledge that they hope to help develop policies to tackle online abuse worldwide.
It is being published as the government’s online safety law faces significant delays, in part due to criticism of its unscientific approach to defining the harm Internet users may experience online.
The paper was ready long before the bill’s delay was announced.
It comes as the government is proposing to include an amendment that would give regulators the power to force tech companies to stop child sexual abuse on their platforms.
dr. Levi and Mr. Robinson write, “Child sexual abuse is a social problem not created by the internet, and tackling it requires a response from all of society.
“However, online activity uniquely allows perpetrators to scale their activities, but also enables entirely new online harm, the effects of which are just as catastrophic for the victims,” they add.
“We hope this paper will help the debate on combating child sexual abuse on end-to-end encrypted services by clearly setting out for the first time the details and complexity of the issue.”
Read more: Record levels of child sexual abuse online in 2021, internet watchdog finds
‘Barriers to child protection are not technical’
The authors say the issue is “much more complex than other government needs, such as exceptional access,” citing a previous collaboration in 2018.
Then the pair wrote an article published in Lawfare, a popular American national security blog, calling for a “more informed” debate about end-to-end encryption and the “exceptional access” law enforcement may need to that end. services.
At the time, they suggested as a solution to secretly introduce another end to these messaging services so law enforcement officers could access the communications.
It was only a hypothetical proposal, but it turned out to be extremely controversial and has not been adopted by most platforms that offer end-to-end encryption.
It successfully spawned dozens of high-profile articles discussing the idea’s merits, from academia, civil society and industry — though most were critical and failed to solve the problem described.
The authors hope their new paper invites more constructive engagement.
Andy Burrows, head of online child safety policy at the NSPCC, described the paper as an “important and highly credible intervention” that “breaks the false binary formula that children’s fundamental right to online safety can only be achieved at the expense of privacy of adults.
“The report shows that it will be technically feasible to identify child abuse material and care in end-to-end encrypted products. It is clear that barriers to child protection are not technical, but are driven by technology companies that do not provide a balanced bill to their users. .
“The online safety law is an opportunity to tackle child abuse on an industrial scale. Despite the breathtaking suggestions that the law could ‘break’ encryption, it is clear that legislation can encourage companies to develop technical solutions and provide safer and more private online services. “