#NoPlaceToHide…for Stupid Ideas Like Backdooring End-To-End Encryption and Undermining Privacy
Government attempts to weaken cryptography to allow general surveillance are not new: they date back at least to the 1993 Clipper chip. Similarly, claims that children will be harmed by strong cryptography also go back many years. When Apple strengthened encryption on its phone in 2014, the chief of detectives for Chicago’s police department said: “Apple will become the phone of choice for the pedophile.” Nonetheless, even against that background of constant attacks, the UK government’s attempt to use moral and emotional blackmail to weaken end-to-end (e2e) encryption is spectacular in its wrongheadedness.
As part of its #NoPlaceToHide campaign, it has launched a new site. Although not mentioned by name, the central concern is over Facebook’s plans to add e2e encryption to Messenger and Instagram, something that the UK’s Home Secretary described as “not acceptable”. Partly as a result of UK government pressure, Facebook’s plans are currently on hold until 2023.
The overall message of the #NoPlaceToHide site is: “We’re telling social media platforms: don’t give child sex abusers a place to hide.” Looking at the logos on the home page, you might think that this campaign is an initiative from well-known UK organizations in this space. But right at the bottom of the page, in suitably small print, we read: “The campaign is funded by the UK Government and has been developed by a steering group of child safety organisations with support from M&C Saatchi. The steering group has not been paid to take part.”
An article on Rolling Stone revealed that the UK government is spending half a million pounds — around $650,000 — on an advertising campaign scaremongering about the “dangers” of e2e communications. Those crafting the campaign noted that most of the public have never heard of e2e encryption, which means “people can be easily swayed” on the issue. The following “PR stunt” is a sample of how the UK government intends to sway them:
“A glass box is installed in a public space,” the presentation notes. “Inside the box, there are two actors; one child and one adult. Both strangers. The child sits playing on their smart phone. At the other end of the box, we see an adult sat on a chair also on their phone, typing away.
“The adult occasionally looks over at the child, knowingly. Intermittently through the day, the ‘privacy glass’ will turn on and the previously transparent glass box will become opaque. Passers by won’t be able to see what’s happening inside. In other words, we create a sense of unease by hiding what the child and adult are doing online when their interaction can’t be seen.”
Paul Bernal, Professor of Information Technology Law at UEA Law School, has written an explanation of why children need both encryption and anonymity:
The reason that kids need anonymity and encryption is a fundamental one. It’s because they need privacy, and in the current state of the internet anonymity and encryption are key protectors of privacy. More fundamentally than that, we need to remember that everyone needs privacy. This is especially true for children — because privacy is about power. We need privacy from those who have power over us — an employee needs privacy from their employer, a citizen from their government, everyone needs privacy from criminals, terrorists and so forth. For children this is especially intense, because so many kinds of people have power over children. By their nature, they’re more vulnerable — which is why we have the instinct to wish to protect them. We need to understand, though, what that protection could and should really mean.
Embarrassingly for the UK government, its own privacy expert, the Information Commissioner’s Office, agrees with Bernal, writing that “E2EE serves an important role both in safeguarding our privacy and online safety. It strengthens children’s online safety by not allowing criminals and abusers to send them harmful content or access their pictures or location.”
Jim Killock, Executive Director of Open Rights Group, believes the scaremongering campaign aims to soften up public opinion prior to amendments to the UK’s Online Safety Bill that would allow the government to install backdoors in e2e encrypted messaging apps. He’s probably right, even though the #NoPlaceToHide site says: “We are not opposed to end-to-end encryption, as long as it is implemented in a way that does not put children at risk.” This is the same old demand for digital magic beans that will somehow preserve full-strength e2e encryption, but also allow the authorities to access what is encrypted. In fact, this call is even worse than previous ones, because it is phrased in a way to make the demand sound reasonable, and any refusal to comply sound unreasonable.
It’s not the only dubious aspect of the new site. Twice we are told “an estimated 14 million reports of suspected child sexual abuse online could be lost each year” if e2e encryption is brought in. But the security expert Alec Muffett has dug a little deeper, and found a number of serious problems with the claim. First, 14 million seems to be a global figure, not a purely UK one. Secondly, many reports are duplicates; the true figure of new and malicious abuse is probably around 350,000, maybe as few as 1900, according to Muffett. Too many, to be sure, but a rather different situation from the one portrayed by the UK government. Moreover, even with strong e2e encryption in place, there are various workarounds that can be used to obtain information needed by law enforcement. Fortunately, on the Internet, there is #NoPlaceToHide for blatantly misleading, manipulative campaigns which can be investigated and exposed by people working from the facts, not just playing on understandably strong emotions.
Featured image by Mikhail Vasilyev.