In this guest blog by John Carr OBE, a world leading expert on online safety for children, we learn about some key points on the issue of privacy and encryption.

Privacy & Encryption

Historically, if a matter was important or sensitive enough, there were generally ways of organizing one’s activities such as to afford one a great deal of confidence no unwanted entity was or could be eavesdropping or spying on you. It might be a hassle but it could be done.

You were aware that thanks to long-range directional microphones, hidden bugs or powerful cameras, it might be possible for others to know who you were with at any given time, for them to take down a verbatim record of what was discussed and make a detailed note of what happened. The people doing this would be unseen and unseeable. They might be working for your Government, someone else’s, a competitor or your lover’s husband or wife. Accordingly, you would proceed with caution. If it was important or sensitive enough.

You would know potentially any letter or package you sent through the post might be scanned or sniffed as it went through the sorting system, maybe it was even opened and examined if it displayed any sign it might contain contraband or if it was being sent to a sensitive address.

Ditto for a letter or package you received.  In certain circumstances it could have been opened and examined before being delivered and you would never be told or be able to tell. You also knew the phone attached to the wall in your house could be tapped.

No individual suspicion or evidence

Latterly when you go to an airport or other major transportation hub, or you enter a wide range of buildings, indiscriminately, without any grounds or evidence to justify any kind of individual suspicion, everybody’s handbag, briefcase or suitcase, even their body might be scanned looking for anything which might pose a threat to public safety or someone’s life e.g. a gun or a bomb. We all go along with it because we understand and accept the underlying purpose of this otherwise highly intrusive conduct, often carried out by Government employees or Government contractors.

As the analogue world fades…

But things are changing.

In the analogue world of yesteryear, terrorist outrages, crimes, frauds and scams of various kinds were still planned and executed. If the bad guys took the right precautions they might get away with it. Alternatively, through plodding police work, possibly involving a lot of shoe leather, or through subpoenas in civil cases, evidence could be secured to allow justice to follow its course.

There’s no way of proving or disproving this, but I like to think the scale and ease with which bad guys were able to do things was more limited because to try to ensure the authorities couldn’t find you after the event, there was a lot of friction. A lot of hassle.

The problem is though, as the analogue world fades away, technology has moved us to a point where, in many materially important ways, perhaps not in theory but in practice, at scale huge swathes of human behaviour are being or could be put completely beyond the possibility of any kind of scrutiny by anyone.

This is being done in the name of privacy and is a reaction to the discovery Government agencies and private enterprises had been overstepping the mark and grossly abusing our reasonable expectations of privacy by exploiting ambiguities or gaps in the law. Today we  refer to these phenomena respectively as the Surveillance State and Surveillance Capitalism.

A pendulum is swinging

The difficulty is though, a pendulum has been set in motion which, if left unchecked, will undermine the Rule of Law and with it the possibility of bringing to justice criminals, or individuals who have done us a civil wrong because the necessary evidence cannot be obtained, or to get it will take an inordinate amount of time and resources. This might not trouble many rich people or highly tech savvy individuals but it may well trouble the rest of us as the impotence of the justice system is writ large at our expense.

Justice delayed is justice denied. Justice denied in perpetuity is what we used to call oppression.

A modern problem looking for a modern solution

Nobody in my world is attacking or trying to weaken privacy. What we are trying to do is find modern ways which protect privacy without throwing children under the bus.

Part of the problem at the moment is arguments about privacy have been conflated with entirely distinct issues about encryption in general and end-to-end encryption (E2EE) in particular. Nobody I work with wants to break encryption or prohibit its use but I reject and resent the way in which, specifically, the definition of what constitutes E2EE has been broadened to include material that has not been encrypted.

Thus, people who advocate client-side scanning are portrayed as wanting to weaken or break encryption. That is simply a barefaced…….what is the word I’m looking for here? Actually what is happening is some people are trying to move the goalposts, awarding the same status to unencrypted material as they do to encrypted material. That is not acceptable.

Isn’t it the case that client-side scanning is a protective technology that can work in the public interest, sitting alongside and working with encryption?

Private entities have made decisions…

Private entities have decided to propagate E2EE on a mass scale with minimal friction either as part of a business strategy (in other words to make money), or because of their world view, in other words because they hold certain beliefs about how the world works or should work. This is a political agenda. Nothing wrong with that but we should know that’s what it is.

There is no law prohibiting anyone from propagating E2EE. But we should recognise that, like much that is connected with the digital world in general and the internet in particular, our law-making institutions are being out-paced by the speed at which the technology has developed. I hope we do not live to regret this, but in this instance I fear we might.

It is impossible to believe those who wrote what we now refer to as the main body of human rights law or our privacy laws ever anticipated the arrival of digital technologies in the way they have evolved in the past thirty years or so.

No law-making body has ever adopted an ordinance which says privacy is an abolute or superior right which stands above or separate from all others. It is one right among many. A balance must be struck. No law-maker ever intended privacy to become a barrier to justice.

Bad Governments must not be the pacesetter…

One of the more absurd arguments one hears about a number of possible technical solutions to the challenges we face concerns the way bad actors could misuse them.

I cannot think of a single digital technology which has not been or could not be misused by a bad actor.  It simply makes no sense to say

I know if we did x or y it would help keep children safer in my country but Mr Dictator in country z could use the same technology, maybe twist it a little bit and do bad things with it, so I refuse to  use x or y to protect children in my country.

That puts Mr Dictator in charge of child safety on the internet in your country and every other country. It makes no sense at all.

The answer to worries about the misuse of technology is to insist on a strong legal framework linked to strong, independent, trustworthy transparency mechanisms.

In countries where the Rule of Law is routinely honoured this will work. The Surveillance State was unmasked and companies’ bad behaviour was exposed. We changed our laws to change the equations in favour of the citizen.

Children cannot be pawns in a geo-political game of chess. We cannot solve the problems in one jurisdiction by insisting children in another pay the price.