Opinion The British government is preparing to launch a full-scale policy assault against Facebook as the company gears up to introduce end-to-end encryption across all of its services.
Yet the backlash has already begun, showing that officials face a tooth-and-nail fight against their attempt to derail the rollout of end-to-end encryption on the anti-social networking site and others in the Facebook estate.
Prominent in details briefed to the news media this week (including The Register) were accusations that Facebook harbours paedophiles, terrorists, and mobsters and that British police forces would effectively be blinded to the scale of criminality on the social networking platform, save for cases where crimes are reported.
It's a difficult and nuanced topic made no simpler or easier by the fact that government officials seem hellbent on painting it in black and white.
Government and law enforcement officials who briefed the press on condition of anonymity earlier this week* sought to paint a picture of the internet going dark if Facebook's plans for end-to-end encryption (E2EE) went forward, in terms familiar to anyone who remembers how Western nation states defended themselves from public upset after former NSA sysadmin Edward Snowden's 2013 revelations of illegal mass surveillance. The US National Centre for Missing and Exploited Children (NCMEC) generates around 20 million reports of child sexual abuse material (CSAM) every year, of which 70 per cent would be "lost" if E2E encryption were put in place, claimed British officials.
The government's long-signalled push to deter Facebook from implementing E2EE comes, inevitably, at a significant cost to taxpayers: London ad agency M&C Saatchi has been hired at an undisclosed cost by the Home Office to tell the public that Facebook (and WhatsApp) harbours criminals. The ad campaign will run online, in newspapers and on radio stations with the aim of turning public opinion against E2EE – and, presumably, driving home the message that encryption itself is something inherently bad.
Other announcements due this week, from notoriously anti-encryption Home Secretary Priti Patel and intergovernmental meetings, will explicitly condemn Facebook's contemplated rollout of E2EE.
Weighing it up
Unsurprisingly, given Facebook's 42 million UK users (in 2017, according to the London School of Economics, PDF) there are indeed some criminals, and certainly criminal abusers using the site. Around 100,000 individuals are reportedly on the Sex Offenders' Register at any one time, while government officials suggested to the press that potential child sex abuse offenders on Facebook are greatly in excess of that number.
Officials suggested that the greatest threat to child safety from Facebook is that abusers can discover a safe space that normalises the sharing of CSAM and helps encourage depraved newcomers onto the platform.
Looking at the drive from a prevention-is-better-than-cure perspective, implementing E2EE would disrupt the ability of Facebook itself to monitor chat conversations for concerning content; inherent in proper implementations of E2EE is the notion that the service provider cannot read the contents of messages. It would also disrupt the platform operators' ability to scan for hashes of known child sexual abuse material (CSAM), for example by comparing hashes of new image uploads to watchlists maintained by the Internet Watch Foundation or the US' National Centre for Missing and Exploited Children (NCMEC.)
These are not trivial concerns. If the current state of affairs helps catch and divert abusers, and those who may be sliding down the slippery slope towards creating and sharing CSAM, perhaps maintaining it has some merits that deserve an informed public discussion.
One consequence of E2EE on major social media platforms (and not just Facebook) may be an increased demand by government for weaponisable exploits against personal devices: that primarily means Android, iOS and Windows. It would also mean police forces having to make direct attempts to break into phones and computers in search of evidence, instead of having it brought to them on request by social media companies.
There are two ways of looking at that. One is to say that police and government ought to accept a new reality where they are constrained to operate within specific one-off warrants authorising hacking into a specified device. The last quarter of a century, where legislation controlling police searches of digital devices and cloud storage failed to keep pace with technology, is a blip against a long legal and historical tradition that kept police on a short leash when it came to searches and seizures.
On the other hand, officials talking to the press raised the spectre of vulnerability disclosure by governments drying up as frustrated law enforcement agencies hoarded vulns for their own use, out of public sight or legal control.
Yet, looking beyond the issue of paedophiles that British government officials want the public conversation to focus on, implementing end-to-end encryption (E2EE) also makes it far more difficult to implement population-scale mass surveillance of the type exposed by NSA whistleblower Edward Snowden in 2013.
Not only that, but in an era where hostile foreign countries actively hack large stores of personal data for their own purposes, placing encryption barriers in their way is no bad thing. So far, we don't know the implications of countries such as China and Russia sharing and dissecting Westerners' personal details, but doubtless it's nothing positive.
Officials were grave when The Register asked what their Plan B was if Facebook shrugs off the publicity blitz and implements E2EE anyway. One said we'll still hear the stories of children targeted by abusers, but not "in sufficient time that we can intervene." Rather than being proactive, we're told, police forces would end up being reactive, responding to reports instead of proactively patrolling what they see as the digital streets of the modern era.
Yet that focus may mean that crucial nuance and balance in this debate gets missed. While taxpayer-funded messaging bombards us with "think of the children" over the next few months, think instead of what else E2EE encryption brings – both its upsides and its downsides.
A poorly informed decision hastily reached on the basis of one-sided information is no decision worth making. ®
*Of those who spoke to journalists this week, about half have previously gone public and declared their opposition to end-to-end encryption.
Government officials routinely brief friendly news outlets under condition of anonymity, ruthlessly exploiting British political journalism's convention that official mouthpieces are never named and are usually referred to, obliquely, as "Whitehall sources". A true source – a whistleblower, or someone who tips off the media about wrongdoing – usually becomes a "person familiar with the matter" or isn't referred to in reporting at all.