Why encryption and online security go hand in hand
Today, October 21, is the first annual World Encryption Day. Organized by the Global Encryption Coalition, the day highlights both the urgent need for greater data security and online privacy, and the importance of encryption in protecting those interests. Amid devastating hacks and massive data breaches, there has never been a more urgent need to strengthen our data security and online privacy. Encryption is an essential tool to protect these interests.
Yet encryption is under constant threat from governments, both at home and abroad. To justify their demands that providers of messaging, social media, and other online services weaken their encryption, regulators often cite safety concerns, especially the safety of children. They describe encryption, and end-to-end encryption (E2EE) in particular, as being at odds with public safety. Their reasoning is that encryption “completely prevents” platforms and law enforcement from detecting harmful content, thereby impermissibly shielding those responsible from liability.
There is just one problem with this claim: it is not true. Last month, I published a draft paper analyzing the results of a survey I conducted this spring that asked online service providers about their trust and security practices. I found that not only can vendors detect abuse on their platforms, even in end-to-end encrypted environments, but they even prefer detection techniques that do not require accessing the contents of users’ files and communications.
Survey on Trust and Security Approaches
The 14 online services included in my analysis vary in size from a few thousand to several billion users. Some services are end-to-end encrypted, others are not. Collectively, they cover a large portion, perhaps the majority, of Internet users around the world. The survey questions focused on twelve types of online abuse, ranging from child sexual abuse images (CSAI) and other child safety offenses such as grooming and courtship (which the study calls “child sexual exploitation,” or CSE for short) to spam, phishing, malware, hate speech, etc.
The study distinguishes between techniques that require a provider to have the technical capacity to access the content of users’ files and communications at will, and those that do not. I call the first category “content-dependent” and the other “content-insensitive”. Content-dependent techniques include automated systems to analyze all content uploaded or transmitted to a service (to detect CSAI or potentially copyright-infringing downloads, for example). Content-ignoring techniques include metadata-based tools (such as those to detect spam behavior) and user reports of abuse that the provider has not detected or could not have detected by itself (i.e., due to end-to-end encryption). And, no, allowing users to report abusive content doesn’t compromise end-to-end encryption, despite what investigative media outlet ProPublica recently reported.
In recent years, the supposed impact of end-to-end encryption on online child safety investigations has served as a cause célèbre for governments’ calls to break E2EE. But this impact has been overestimated. When government officials claim that end-to-end encryption “completely hampers” or “totally excludes” investigations, these statements reflect a misconception that content-dependent techniques are the only possible way to detect online abuse. This overlooks the availability, prevalence and effectiveness of content-ignoring approaches.
Every vendor I interviewed uses a combination of content-ignoring and content-dependent techniques to detect, prevent and mitigate abuse. All of them use some sort of abuse reporting; almost all of them have an in-app report function. In contrast, fewer vendors use tools based on metadata, automated content analysis, or other techniques to detect abuse.
What approach do providers think works best against various types of abuse? Overall, the vendors I interviewed rated user reporting as the most useful way to detect nine of the twelve types of online abuse I asked about. There were three exceptions: CSAI, CSE, and spam.
Techniques providers find most useful in detecting each type of abuse
The usefulness of user abuse reporting has important ramifications for encryption policy. If vendors don’t find automated analysis very useful in detecting most types of abuse, then we can predict that the impact of end-to-end encryption on their trust and security efforts may be less than expected. Rather, E2EE’s impact on abuse detection will likely vary depending on the type of abuse involved.
The variance is due to a key difference between content-dependent and content-ignoring techniques. End-to-end encryption prevents outsiders (including the provider itself) from reading the content of a user’s file or message, which means it hinders providers’ content-dependent tools, but not content-ignoring ones. Automated analysis is affected by E2EE, but it is not the best way to detect many kinds of abuse, according to our participants. User reporting, which is considered the most useful detection technique for most types of abuse, is fully compatible with end-to-end encryption. And as long as E2EE doesn’t prevent providers from finding harmful content, it shouldn’t hinder criminal investigations either, as there are well-established processes for investigators to obtain this data from providers (as shown in provider transparency reports).
As noted, there are a few categories where user reporting was not considered the most useful means of detecting abuse: CSAI, CSE, and spam. For CSAI, the strong consensus among survey participants favors automated scanning, implying that this is the area where E2EE’s impact is greatest. However, CSAI is unique in this regard. For CSE and spam, the vendors I interviewed were ambivalent about what worked best: there was a tie in the rankings between content-dependent techniques and content-ignoring techniques. This suggests that E2EE affects CSE and spam detection less than CSAI.
Simply put, CSAI is just not like other types of online abuse, not even other types of child safety offenses. What works best against CSAI does not work best against other types of abuse, and vice versa. This means that you cannot build a trust and safety program – or pass laws – based solely on the demands of the fight against CSAI, as if it were the same problem requiring the same response. It’s not.
And yet, as I described earlier, regulators have made child safety the primary rationale behind their proposals to make encryption less effective. But end-to-end encryption cannot be reduced or disabled just for CSAI or other specific types of harmful content. Weakening an encryption design in the name of detecting a particular type of abuse also inevitably reduces the security, privacy, and integrity of all other information encrypted with that same design. The weakening of encryption thus poses enormous dangers for everyone, not only at the individual level, but also for the economy and national security.
Worse yet, my survey results indicate that weakening encryption would not even produce a compensatory benefit commensurate with this damage. Since the automated scanning that end-to-end encryption hinders is not the best tool to tackle most types of online abuse outside of CSAI, weakening encryption is largely a non sequitur. My study shows that the repeated claim by officials that encryption totally hampers online harm investigations is simply not true. Their calls to weaken encryption are ignorant at best and dangerously reckless at worst. Instead of blaming providers for encrypting their services, authorities concerned about online harm should first sit down with those providers’ trust and security teams to learn more about their efforts to protect their users and their abilities to discover abusive and criminal content, even in the context of E2EE.
Encryption is vital to protecting our privacy and security, and there are ways to effectively combat online abuse that are compatible with encryption. Strong encryption is an improvement, not a hindrance, to our online and offline security. On this first World Encryption Day, I hope you will switch to using end-to-end encrypted services and encourage your loved ones to do the same.
Riana Pfefferkorn is a researcher at the Stanford Internet Observatory and a member of the Global Encryption Coalition.