Child Exploitation and the Future of Encryption

By Alan Z. Rozenshtein
Wednesday, October 2, 2019, 12:19 PM

On Sept. 28, the New York Times published a harrowing, in-depth investigative story on the prevalence of child pornography on the internet. The piece describes a staggering increase in the number of reports to the federal National Center for Missing & Exploited Children (NCMEC) flagging child sexual abuse imagery online from an already-high one million in 2014 to an almost unfathomable 18.4 million in 2018—an increase of almost 1,750 percent in just four years. The number of individual images reported is even higher because a single report often identifies multiple offending images. Of these reports, a full 12 million came from just one service, Facebook Messenger. Disproportionate as this number may seem, it is, as former Facebook chief security officer Alex Stamos noted, actually to Facebook’s credit: “companies that report the most [child exploitation materials] are not the worst actors, but the best,” because they are the ones doing the most to find and report harmful content, thus helping law enforcement investigate and prosecute those responsible.

But this vital stream of evidence may soon come to an end. The Times notes that, as part of a controversial effort to become more “privacy-focused,” Facebook is planning to deploy end-to-end encryption on Messenger as the service’s default setting (as is already the case with Facebook-owned WhatsApp). This kind of encryption (frequently also referred to as “strong encryption”) would make the content of messages inaccessible to third parties, including law enforcement and Facebook itself.

But whereas previous moves by technology giants to expand encryption have been met with universal acclaim by those in the technology community, Facebook’s encryption plan has received a decidedly ambivalent reaction. Casey Newton writes in the tech website The Verge that the fears around Messenger encryption are “straightforward and rational” and describes the issue as a “tough debate.” Ben Thompson, author of the popular Stratechery technology newsletter, asks, “[M]ight it be the case that Facebook’s decision to encrypt conversations is not both good for consumers and good for itself, but rather good for itself and actively bad for society?” This skepticism marks an important shift in the conversation about encryption and gives a preview of the future of the encryption debate.

The most recent round of major debate over encryption started in 2016, when the FBI unsuccessfully attempted to force Apple to help it decrypt the iPhone of one of the suspects in the San Bernardino terrorist attacks. That conversation centered on government access to encrypted data for the purposes of thwarting potential terror attacks and investigating terror suspects. But the counterterrorism argument for government access to encrypted communications was never particularly compelling. As I’ve argued previously,

Encryption can certainly make it harder for national-security and foreign-intelligence agencies to do their jobs, but its effect in those contexts is likely to be limited. The universe of national-security and foreign-intelligence targets is small relative to the resources and expertise of the federal government. With enough effort, the government’s “three-letter agencies” (like the FBI, the NSA, or the CIA) can likely hack their way into even the most sophisticated adversary’s systems (or, as occurred in the San Bernardino case, purchase third-party tools that do the same).

The recent debate over Facebook Messenger encryption moves the emphasis away from terrorism and toward crimes that encryption enables at scale. In the United States, this chiefly means child exploitation. But whereas child pornographers have in the past been dismissed by encryption supporters as one of the “Four Horsemen of the Infocalypse”—criminal boogeymen often used by law enforcement to argue against ubiquitous strong encryption—the sheer scale of the current child exploitation crisis makes the issue harder to dismiss. As the Times piece highlights, the numbers are frighteningly high. Law enforcement may well be enjoying a “golden age of surveillance” in certain areas, but child exploitation is not one of them.

And child exploitation is not the only area in which this dynamic is at work. Consider the current fears over the role of encryption in spreading social media misinformation that can foment violence. This is an issue of great concern to foreign governments, which are likely to lead the way in regulating encryption.

Of course, none of this means a magic solution will be found that provides encryption that is both secure from hackers and repressive governments and accessible to valid law enforcement. There’s certainly no viable third-party access proposal available now. Nor would mandating law enforcement access to all major platforms solve the child exploitation problem. Many who traffic in child exploitation materials would simply migrate to freely available encryption tools that will be almost impossible for governments to stamp out. This fraction of perpetrators would thus, as Susan Hennessey has noted, be “impervious to legislative efforts to establish exceptional access or standards for defaults.” (It’s important not to overstate this point: Many criminals are unsophisticated and would no doubt stick with the major commercial products, and the resources saved on now-easier cases could be redirected to the harder cases.) And no technological innovation will obviate the need for government resources and attention, which the Times points out is sadly and shamefully lacking in current efforts to fight child exploitation online.

Regardless of the overall challenges, the shift of the encryption debate promises one positive change: greater recognition of the reality of encryption’s role in facilitating child exploitation will put to rest tired arguments that the security and privacy benefits of encryption so vastly outweigh the costs that its broad use should go unquestioned. As Hennessey has noted, “Faced with [the] reality [that encryption is used to facilitate child exploitation], civil libertarians and privacy advocates have been loath to allow for any latitude, either in regulating encryption or in facilitating workarounds like lawful hacking. This absolutist strategy is … untenable over the long term.”

The Electronic Frontier Foundation (EFF), the leading digital civil-society organization, has long held the banner for the absolutist position. As recently as a week ago, the EFF criticized a recent Carnegie Endowment report as “deeply misguided” for having the temerity to even recognize that encryption poses real threats to law enforcement and to call for more research into practical solutions. But the Carnegie paper was absolutely correct. Technical research that tries to enable law enforcement access to encrypted data while minimizing the harms to information security is precisely what is required. And greater public acknowledgment of the reality of child exploitation may be the catalyst that gets the government to fund this research and the technology sector to more seriously attempt to find middle-ground solutions. What seems clear is that, even within the technology community, ubiquitous encryption that defeats government and technology companies alike may no longer be a straightforward issue with an obvious answer. Those who pretend otherwise will get left behind in the coming debate.