Tech world may face huge fines if it doesn't scrub CSAM from encrypted chats

Tech companies could be fined $25 million (£18 million) – or ten percent of their global annual revenue – if they don't build suitable mechanisms to scan for child sex abuse material (CSAM) in end-to-end encrypted messages and an amended UK law is passed. The proposed update to the Online Safety bill [PDF], currently working …

  1. Flocke Kroes Silver badge

    Re: Nobody can sensibly deny that this is a moral imperative

    Nice of the home secretary to openly admit that she thinks I am nobody. I am shocked at her honesty and fully expect her to be pressured by her peers into a prompt resignation.

    1. jmch Silver badge

      Re: Nobody can sensibly deny that this is a moral imperative

      "Moral Imperative" = "of highest importance"

      Nobody can deny that preventing child (or indeed, any) sex abuse is a moral imperative.

      Nobody can deny that allowing people to communicate privately is a moral imperative.

      Home Sec's job, like that of many politicians, is to balance dozens of moral imperatives against each other. That's why it's a hard job, and not one that should be assigned to fuckwits.

      Incidentally, also...

      Nobody can deny that children having a roof over their heads is a moral imperative

      Nobody can deny that children having enough to eat is a moral imperative


      See if the current government gives a flying f**k about any of that

      1. Anonymous Coward

        Re: Nobody can sensibly deny that this is a moral imperative

        She's just making a blanket false claim "Brits will share child porn if we cannot spy on everyone" there. There is no moral imperative for a fiction she created.

        She's variously changed the tune from "Terrorists" to "National Security" now to "Pedos" as the reason for backdooring end-to-end encryption.

        1. Alan Brown Silver badge

          Re: Nobody can sensibly deny that this is a moral imperative

          The best response to "Think of the children!" is "Jimmy Savile always did!"

          The worst predators tend to operate in plain sight, usually posing as stalwart pillars of the community.

          After all, you're NOT going to entrust your kids to the dirty raincoat brigade or a bunch of heavily tattooed gangbangers - but you probably won't think twice about letting them hang out at a church social group, etc

          (Ironically, the heavily tattooed harley-riding gangbangers are likely to be extremely protective of kids, etc - as are almost all "screaming queens" I've known in my life)

          1. jmch Silver badge

            Re: Nobody can sensibly deny that this is a moral imperative

            "Ironically, the heavily tattooed harley-riding gangbangers are likely to be extremely protective of kids, etc"

            Don't judge a book by its cover and all that. Any large enough group of people, whether that be tattooed bikers, football fans, church social group, rotary club etc* is sure to contain a fair number of decent people, a few truly excellent dudes/dudettes, and a handful of obnoxious wankers.

            *except parliament where the proportion of obnoxious wankers is rather higher

        2. James 139

          Re: Nobody can sensibly deny that this is a moral imperative

          It's that they seem to keep getting it backwards.

          "Masks are now a personal choice, we trust the public will do the right thing", loads of people stop wearing masks immediately, even when places ask them politely to keep doing so.

          "If we don't spy on everyone, they will all immediately do <insert vile act here>", yet almost no one will do it, because they just won't.

    2. Anonymous Coward

      Re: Nobody can sensibly deny that this is a moral imperative

      Another "problem" of minuscule size that requires a nuclear weapon dropped from orbit as if "it's the only way".

  2. heyrick Silver badge

    Amusing article

    There's no mission creep here, we're only interested in dealing with THINK OF THE CHILDREN.

    And the article ends with two other potential targets, evidence of creep and how such a scheme could easily be expanded for "subversive" content.


  3. Anonymous Coward

    Irrelevant really though, isn't it ?

    Fucked if I'm letting "approved by Priti Patel" encryption handle anything of mine before I encrypt it myself.

    1. John69

      Re: Irrelevant really though, isn't it ?

      Exactly how widely that will be adopted is a question, but it will certainly be the MO of kiddie porn flingers.

    2. Trigonoceps occipitalis

      Re: Irrelevant really though, isn't it ?

      "We, and other child safety and tech experts, believe that it is possible to implement end-to-end encryption in a way that preserves users' right to privacy ... "

      Says Priti Patel BA Economics (University of Keele)

    3. bombastic bob Silver badge
      Big Brother

      Re: Irrelevant really though, isn't it ?

      what would happen if you use end-end encryption to send encrypted files? Just keep adding layers until "they" throw their hands in the air and give up.

      1. Anonymous Coward

        Re: Irrelevant really though, isn't it ?

        They would simply demand access to the file before encryption via a backdoor to PGP (or your encryption of choice)

        And the fact that you are attempting to bypass the government's right to all your data marked you out as an obvious evil-doer... lock him up, immediately!

  4. John69

    If they can do why do they not tell us how?

    "We, and other child safety and tech experts, believe that it is possible to implement end-to-end encryption in a way that preserves users' right to privacy, while ensuring children remain safe online." They believe this, but refuse to say what leads them to believe this. Open source implementations of E2E encryption have been around for ages, if it was possible then they could easily demonstrate it.

    1. Captain Hogwash

      Re: If they can do why do they not tell us how?

      Client side scanning prior to encryption is what she's talking about.

      1. Wellyboot Silver badge

        Re: If they can do why do they not tell us how?

        Indeed, Monitor everything everyone does so that scanning the actual communication being sent becomes moot, they'll already know everything.

        You'd think they weren't already tapping all the telemetry sent to the OS mothership.

        Edit: someone disagrees with the captain's accurate summing up!

      2. ClockworkOwl
        Thumb Down

        Re: If they can do why do they not tell us how?

        Actually, she hasn't got a clue what any of it really means at all...

        They stopped trying to be rational when they kept getting the "this won't work" response, so now they just want to bully everybody into compliance without having to provide a solution... "It's the LAW!"

        Given the current debacle in parliament, how she has the cheek to talk about "moral imperative" I cannot fathom.

      3. Flocke Kroes Silver badge

        Re: Client side scanning

        OK, let's try this. First I will need to gather collection images including CSAM and have it tagged by cheap labour so I can train my AI. Next, to prove that I am forwarding only CSAM to Priti Patel I have to publish my dataset.

        Is any part of that legal?

        1. Spazturtle Silver badge

          Re: Client side scanning

          Microsoft already maintain a database full of neural hashes of CSAM which is the one everyone uses.

          1. Captain Hogwash

            Re: Client side scanning

            Although whether or not this is actually the kind of material they will be looking for is uncertain. Even if it is, other targets may exist for the next administration, or the next, or the next, etc.

            1. Anonymous Coward

              Re: Client side scanning

              It's not just 'the next administration'... you've also got other repressive regimes, hostile foreign entities, right the way down to hackers and, erm, faecebook and the like

          2. Richard 12 Silver badge

            Re: Client side scanning

            And is therefore utterly useless, because nobody has any idea what is actually in it.

      4. gnasher729 Silver badge

        Re: If they can do why do they not tell us how?

        Client side encryption, plus not sending or receiving messages that are deemed illegal without further action, and a way for the user to check and send something they believe is marked incorrectly. Like a picture of the Virgin Mary and Baby Jesus that could easily be mistaken for something else.

    2. Roland6 Silver badge

      Re: If they can do why do they not tell us how?

      >They believe this, but refuse to say what leads them to believe this.

      Boxed ticked, parents can sleep whilst the children surf the web.

      Which immediately identifies the flaw in this statement; the first part ie. end-to-end encryption, has any meaningful impact on children being safe online.

      End-to-end encryption won't stop what happened at Disney's Club Penguin.

      1. Alan Brown Silver badge

        Re: If they can do why do they not tell us how?

        "Boxed ticked, parents can sleep whilst the children surf the web."

        Problem #1: over 1/3 of detected sexual offenders are under the age of 18 and equally distributed between genders

        Yes, really

        Let's not forget Jamie Bulger. For all the outcry, the case type isn't _particularly_ unusual when you look at history, only becoming rarer more recently

      2. Bartholomew

        Re: If they can do why do they not tell us how?

        > won't stop what happened at Disney's Club Penguin

        Had no idea what that was, had to look it up on the BBC news website: Disney forces explicit Club Penguin clones offline. The original website was designed to specifically target children aged 6 to 14 - I wonder why The Walt Disney Company needs to keep on shutting these websites down *ponder*

        Club Penguin - online: 2005-10-24, offline: 2017-03-30, was replaced by Club Penguin Island

        Club Penguin Island - online: 2017-03-29, offline: 2018-12-20, created a vacuum (that was quickly filled by clones) when shutdown.

    3. Anonymous Coward

      Re: If they can do why do they not tell us how?

      It is trivial, you encrypt one copy of the E3E message with your private key and the recipient's public key. And to comply with the law, you encrypt a second copy of the E3E message with your private key and a personal GCHQ/CSAM/government public key, sending them a copy of the message (Which they would then get computers to automatically scan using neural networks trained with existing CSAM, and a human would only be allowed to access any messages with an actual court order issued by a judge). Of course this would only work if people had locked down devices that could only execute the government mandated E3E communication application(s) and had no ability to run any unsanctioned applications (no matter how trivial they may be to create - in case someone reading this post does exchange CSAM, I'm not going to explain how). The mentally damaged individuals who own and send CSAM to each other would obviously use the government mandated E3E communication application(s) because they are severely mentally damaged individuals ? Just like these people in the government who created the online safety bill.

      Maybe the solution is to start simple, implement the application for governments to test first for say 50 years. If anyone in the government is caught not using the application, they can serve some jail time. And every message sent by everyone in government is decrypted and made publicly available after say 20 years.

    4. Peter2 Silver badge

      Re: If they can do why do they not tell us how?

      Ok, i'll bite.

      There is already a child abuse image content list available which includes hashes of child porn images. To be compliant, all you'd have to do pn the client end when somebody attaches or receives an encrypted image is to check the image hash against a list of known child porn hashes, and if a match is found then flag it up to the police.

      That would be totally compliant with this law, it could only inconvenience people attaching images on the child abuse image content list to encrypted messages and it leaves end to end encryption intact.

      In fact the only possible potential this has for scope creep that I can see would be the police asking if they could keep a list of hashes attached to messages so after they've raided a paedophile and got an extra few hundred/thousand images to go on the list that they could retrospectively check to pick up anybody else sharing the same material. Even if this was done, a list of MD5 hashes presents quite a limited threat to privacy, or freedom of expression.

      1. Steve Graham

        Re: Ok, i'll bite.

        Trivial to circumvent. Try again.

        1. genghis_uk

          Re: Ok, i'll bite.

          Any solution is trivial to circumvent by pre-encrypting the image before you send it over an E2E channel.

          The point is to be seen to obey the letter of the law to avoid fines.

          This is all performative nonsense by a bunch of politicians that don't understand mathematics or engineering so I can't see anything other than a performative response.

          Australia banned encryption that cannot be backdoored a while ago (basically telling engineers to 'nerd harder' when they said the mathematics would not allow it) but I have not seen anything to say this has ever been enforced - maybe I missed it?

          1. heyrick Silver badge

            Re: Ok, i'll bite.

            Maybe somebody took a politician aside, smacked them across the head with a didgeridoo, and pointed out that not only does proper encryption not have back doors (kind of the point unless they want to try legislating new laws of mathematics), but actually enforcing their dumb law would essentially shut down online banking, purchasing, pretty much anything to do with money, and all the supposedly secure stuff on websites.

            In other words, get a clue galah.

            1. Someone Else Silver badge

              Re: Ok, i'll bite.

              [...] (kind of the point unless they want to try legislating new laws of mathematics), [...]

              Seems they tried that once in Indiana. It didn't end well....

              1. Michael Wojcik Silver badge

                Re: Ok, i'll bite.

                It ended just fine: the bill never got out of committee.

                And they didn't "try legislating new laws of mathematics". There was a bill to "recognize a contribution" to mathematics. That said contribution (squaring the circle, of course) was rubbish was what ended up dooming the bill.

                Now, it might have made it out of committee and to the floor had a Purdue professor not happened by and been invited to review it. And it might even have passed. Legislatures pass all sorts of rubbish no-effect bills like that: recognizing some personage of minor import, establishing State Whatever Day or Official State Nonsense, and so forth. These might be "laws" in a notional sense but have no real-world effect; they're just posturing.

                (There are many discussions of foolish or odd laws. Unfortunately most of them are themselves rubbish, recounting anecdotes without any attempt at verifying them from primary sources. I recommend Underhill's The Emergency Sasquatch Ordinance as an exception to that unfortunate trend; he did the research and provides citations. Also he's a better writer than most of the others.)

        2. Roland6 Silver badge

          Re: Ok, i'll bite.

          >Trivial to circumvent.

          But good enough for this bunch of politicians to tick the box and move on.

        3. Peter2 Silver badge

          Re: Ok, i'll bite.

          The point is that if a law requires it to be done; that's a method of doing it.

          Ok, it's trivial to circumvent through editing the files so the MD5 hashes are different each time or a number of other methods. It still complies with the law. If you kept a list of the MD5 hashes then when the police nicks a paedophile and goes through their stash of images then they get a bunch of new MD5 hashes which could be compared to the file sharing history, and you then have a list of other paedophiles who'd shared those files.

          If I was a policeman I think I'd probably be happy with that.

          While you probably couldn't prevent anybody from circumventing the checks if they are done on the client side, you could probably detect that the child porn filter has been disabled by various methods, I can think of a few off the top of my head. One suspects that the National Crime Agency would be just as happy with occasional lists of people detected circumventing it, as that has to be reasonable cause for a search warrant.

          I don't think that either the police or politicians expect perfection, just some good faith efforts.

          1. Michael Wojcik Silver badge

            Re: Ok, i'll bite.

            The Microsoft CSAM hash database doesn't use MD5 or any other cryptographic hash. It uses PhotoDNA hashes, which are intended to produce the same result under a variety of transformations.

            That also reduces its precision and increases the false-positive rate, of course. You can't have it both ways. Nor is it proof against all transformations, and automating applying a series of transformations until you get a different PhotoDNA result is an obvious easy attack on the system.

            There are other issues with using a large PhotoDNA hash database for client-side scanning, such as the size of the database and the computational requirements.

            The whole idea is idiotic and typical political pandering.
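Added example, not part of the thread: the contrast drawn in the comment above between an exact cryptographic hash (MD5) and a tolerant perceptual hash, and the false-positive cost of that tolerance. A simple average hash stands in for PhotoDNA (whose algorithm is not public); the images are constructed test patterns, and `THRESHOLD` and all function names are assumptions.

```python
import hashlib

SIZE = 64        # constructed test images are SIZE x SIZE, 8-bit grayscale
GRID = 8         # 8 x 8 cells -> 64-bit perceptual hash
THRESHOLD = 10   # assumed: max differing bits still treated as a match


def make_image(pixel_fn, size=SIZE):
    """Build a constructed grayscale image as a list of rows."""
    return [[pixel_fn(x, y) for x in range(size)] for y in range(size)]


def md5_hex(img):
    """Exact-match fingerprint: any changed byte gives a different digest."""
    return hashlib.md5(bytes(v for row in img for v in row)).hexdigest()


def average_hash(img):
    """Average hash: one bit per grid cell, set if the cell is brighter
    than the mean of all cells. Stand-in for PhotoDNA, not PhotoDNA."""
    step = len(img) // GRID
    cells = []
    for j in range(GRID):
        for i in range(GRID):
            block = [img[y][x]
                     for y in range(j * step, (j + 1) * step)
                     for x in range(i * step, (i + 1) * step)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:
        bits = (bits << 1) | int(c > mean)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def brighten(img, delta):
    """Uniform brightness shift, clamped to the 8-bit range."""
    return [[min(255, v + delta) for v in row] for row in img]


def downscale_half(img):
    """Halve the resolution by averaging each 2 x 2 block."""
    n = len(img) // 2
    return [[int((img[2 * y][2 * x] + img[2 * y][2 * x + 1] +
                  img[2 * y + 1][2 * x] + img[2 * y + 1][2 * x + 1]) / 4 + 0.5)
             for x in range(n)] for y in range(n)]


def compare(known, candidate):
    """Compare a candidate against a known image both ways."""
    dist = hamming(average_hash(known), average_hash(candidate))
    return {"md5_match": md5_hex(known) == md5_hex(candidate),
            "distance": dist,
            "fuzzy_match": dist <= THRESHOLD}


# Constructed images (not real data).
KNOWN = make_image(lambda x, y: 20 + x + 2 * y)            # smooth gradient
STRIPES = make_image(lambda x, y: 200 if (x // 8) % 2 == 0 else 40)
# A different picture (hard-edged two-tone staircase) whose coarse
# light/dark layout happens to coincide with the gradient's.
STAIRCASE = make_image(
    lambda x, y: 200 if (x // 8) + 2 * (y // 8) >= 11 else 30)

if __name__ == "__main__":
    cases = [("brightened copy", brighten(KNOWN, 10)),
             ("half-size copy", downscale_half(KNOWN)),
             ("unrelated stripes", STRIPES),
             ("different image, same coarse layout", STAIRCASE)]
    for name, img in cases:
        print(f"{name:38s} {compare(KNOWN, img)}")
```

The last case is the false positive: a different image that the tolerant hash cannot distinguish from the known one, while the exact hash misses even the trivially altered copies.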

      2. Captain Hogwash

        Re: If they can do why do they not tell us how?

        To be compliant, all you'd have to do pn[sic] the client end when somebody attaches or receives an encrypted ~~image~~file of any type is to check the ~~image~~file of any type hash against a list of ~~known child porn~~ files we're looking for hashes, and if a match is found then flag it up to the police.

      3. heyrick Silver badge

        Re: If they can do why do they not tell us how?

        "available which includes hashes of child porn images"

        The problem with a hash is that it is a mathematical equivalence. Is this picture the same as that picture?

        Well, couldn't that essentially be broken by scaling the image, say, 5% either way? Or compressing it a little more? Or gently messing with the colours? It wouldn't take much ingenuity at all to batch convert a bunch of images from known matches to unknowns.

        Plus, with only a result and no actual image to work with, how does one train a machine to be able to recognise such a thing in this case? It'll be like that judge who said that he couldn't define pornography, but he'd know it when he saw it. Well, we would have to teach a machine to know, and given the hysterical responses a lot of people have (not to mention the malignant behaviour of the police these days) we would have to teach it to be accurate and have a low rate of false positives, yet protect children by catching everything that is bad. In other words waffle-waffle-magic-waffle-done. There, that was easy, in government land.

        Meanwhile, in reality...

        1. Michael Wojcik Silver badge

          Re: If they can do why do they not tell us how?

          The problem with a hash is that it is a mathematical equivalence

          Aside from the special case of perfect hashes, no, it isn't. Lossy hash schemes (i.e., almost all of them) will, by definition, tolerate some change in the input. The hash currently used for this nonsense, PhotoDNA, is meant to tolerate things like scaling, compression, and relatively minor changes to color, cropping, and so forth.

          How well it does so is one question, but there are far more interesting ones, of course. Like how generating PhotoDNA hashes and comparing them against a large database could be implemented efficiently on client devices, for example. (It can't.) Or what guarantees people flagged by false positives would have against excessive response. (None, that's what they'd have.) Or how we could trust client applications that have any mechanism for reporting anything to "authorities" somewhere. (We can't.) Or how much effect this would have on the problem. (Very little.)

    5. Persona Silver badge

      Re: If they can do why do they not tell us how?

      believe that it is possible to implement end-to-end encryption in a way that preserves users' right to privacy

      They are probably envisaging a "trusted third party" in the middle doing the scanning with end-to-end encryption connecting both ends to the middle. This is fine as long as it is a "trusted third party" that could be relied on to rigidly and securely perform the required task and no more. Unfortunately it can't be relied on to do anything like that. The required level of security to protect the users' right to privacy would make the trusted third party resemble an opaque box. Mission creep would then secretly extend the monitoring criteria turning it into an "untrustable third party" at which point you might as well rename it CESG monitoring point.

      1. Anonymous Coward

        Re: If they can do why do they not tell us how?

        The obvious choice to do the monitoring would be the pron merchant the UK government was going to use to verify age for access to <cough> 'adult' sites. (they probably wouldn't need to worry about using hashes)

        Hmm, wonder what happened to that bit of legislation... sorry, 'box ticking'

      2. Michael Wojcik Silver badge

        Re: If they can do why do they not tell us how?

        That would make it not end-to-end encryption, so it fails to achieve their stated aim.

        Of course it would succeed at their actual aim, which is to outlaw end-to-end encryption.

  5. Anonymous Coward

    The way to attack -

    Come up with something so vile that nobody can question it, then destroy privacy in the name of stopping it. Once the capability is developed, it WILL be used to spy on any and all communications. While there is security to be had in anonymity, that only works until the powers that be decide to take an interest in you. All it takes to get someone interested is to cut the wrong person off in traffic.

  6. John70


    I suggest that testing should be done on ministers encrypted chats first.

    Seems to be plenty of perverts and sex pests in West Minister.

    1. Mishak Silver badge

      Re: Testing

      If we're lucky, that may lead them to conclude the "false-positive" rate is too high and scrap the whole idea.

  7. Neil Barnes Silver badge

    Way to go, Priti

    In the midst of a complete government melt-down, start to assume that you can legislate world-wide. Just keep believing six impossible things before breakfast...

    And don't let the door catch you on the arse on your way out.

    1. Wellyboot Silver badge

      Re: Way to go, Priti

      The name on the door might change, the attitudes within do not.

      When in power 'Think of the children', when in opposition 'Oppose Big Brother'.

      1. Flocke Kroes Silver badge

        Re: Way to go, Priti

        Mostly right, but opposition - no matter the colour - have consistently provided sufficient support for a surveillance state.

  8. Denarius

    Another Clipper Chip episode

    Of course no dodgy user would ever avoid official implementations of encrypted chat. {S} So eventually open source coders come up with multiple client side software. Said coders living in a country that does not support general snooping and remain anonymous for their own safety? Existing chat coders are in what legal position ? Next, support for complete packet analysis looking for the use of unapproved encryption data streams ? It's as if TLAs have plans for big Data retention and real time analytics and bought the right pollies. Regardless, asking Big tech to snoop is another Fox guarding Hen House scenario.

  9. sitta_europea Silver badge

    I do rather like the fox guarding henhouse analogy.

  10. Pascal Monett Silver badge

    So they've finally found another angle

    Seems that backdooring encryption has finally been dropped in the hallowed corridors of power.

    So now they just make a law to slap a fine on companies that don't subvert encryption. That's not backdooring, right ? So you can't complain anymore.

    Gotta hand it to 'em, they're persistent on this issue.

    Too bad they couldn't be more persistent on some other things, like the economy.

    1. Anonymous Coward

      Re: So they've finally found another angle

      @Pascal. How right you are.

      But there is nothing original in her statement. She is just copying the E.U. and their recent announcement.

      However, the answer to all this bollocks is simple. Just use whatever comms app that our "esteemed" M.P.s are using. Currently, Signal after most of them dumped WhatsApp for some reason.

      I am guessing it is something to do with Signal not making any money in this country so can't be held over a barrel like WhatsApp could be.


      P.S. Am rather surprised but Patel has also joined the "Stop doing a third rate impression of Trump and just fuck off now" gang.

      1. Alan Brown Silver badge

        Re: So they've finally found another angle

        wrt the PS: Nadine Dorries said the quiet bit out loud - "Only the big donors matter"

        And they're coming to the view that the one with the bird-nest hairdo is now a liability. He's being moved from convenient idiot to convenient scapegoat but is refusing to go quietly

      2. Anonymous Coward

        Re: So they've finally found another angle

        > Am rather surprised but Patel has also joined the "Stop doing a third rate impression of Trump and just fuck off now" gang.

        Purely self-serving, as with pretty much all of the Tories who have resigned recently or told him to go. They tolerated Johnson- someone who was clearly never fit to be PM in the first place- for years so long as it suited them, but- as I and others predicted- were happy to stab him in the back as soon as (a) they decided he was more of a liability than an asset and (b) could see the way the wind was blowing.

        As someone who- following the 2017 Israel affair- made her comeback on the back of Johnson's success (*) and as part of his hard-right government, Patel's career prospects were tied far more tightly to his than some.

        But when things got this far, even someone in Patel's position can see that it was going to end much sooner rather than later and - purely from a point of view of her own self-interest- doesn't want to be too obviously on the losing side when the music stops.

        (*) See also; various mediocrities like Nadine Dorries who achieved their position primarily through loyalty to Johnson rather than any competence on their part and are less likely to remain in position under someone else.

        1. heyrick Silver badge

          Re: So they've finally found another angle

          "various mediocrities like"

          #include "full_list_of_mps.txt"

          Can't think of a single one of them who is competent to run a takeaway in a town that's seen better days, never mind run a country.

          1. Wellyboot Silver badge

            Re: So they've finally found another angle

            According to Wiki-p* Our dear home sec's parents^ did exactly that, running corner shops in the 70s & 80s. By implication this meant she likely spent a chunk of the 80's behind a counter.

            *Yes, I know, wiki, pinch of salt etc...

            ^ Ex Ugandan, thousands moved here when booted out by Amin in early 70s. Many buying corner shops (Arkwright retired & Granville didn't want the shop) and creating the eternal stereotype.

  11. YetAnotherJoeBlow

    Yet again...

    I have been encrypting mail before I send it for several years now - all automated (meaning no mess, no fuss.) The feds do not think that this will become common? Remember more and more tech savvy kids are born every day.

    If crypto is banned, then encryption will be used more than ever - plus that horse already left the barn.

  12. Anonymous Coward

    Assumption Alert....Posturing Alert

    Quote: " However, it is possible for chat software developers to add a filter that automatically scans for certain illegal material before it's encrypted and sent or after it's received and decrypted."

    The assumption is that the encryption/decryption IS BEING DONE ONLY BY THE INTERNET SERVICE PROVIDER.

    But there are plenty of people out there who are technically competent to perform a PRIVATE ENCRYPTION BEFORE ANYTHING ENTERS A PUBLIC CHANNEL.

    So....per legislation, the service provider decrypts the service provider's own E2EE..............and just finds MORE ENCRYPTION!!!

    Do our incompetent law makers know nothing? Surely the answer is a resounding "Actually less than's all political posturing!".

    1. Anonymous Coward

      Re: Assumption Alert....Posturing Alert

      Of course the next step is obvious.............

      ..................just make the possession and/or use of encryption software completely illegal.

      Yup....back to the bad old days before HTTPS, before secure banking, before internet shopping..........

      But of course, our incompetent law makers really don't care about the facts.......remember, it's all political posturing!!!

    2. Anonymous Coward

      Re: Assumption Alert....Posturing Alert

      And then there's the problem if the private encryption utilises Diffie/ that there is no persistent key stored anywhere.....the sender and the recipient can calculate the keys as needed, then throw them away. In the example below, the D/H token is a decimal string 2484 digits long -- approximately 8192 bits! Good luck decrypting the <TEXT> message!!!!

    3. Jamie Jones Silver badge

      Re: Assumption Alert....Posturing Alert

      I do DECLARE that YOU ARE Bob POSTING anonymously, and I CLAIM MY 5 pounds.

      NOT SAYING how I KNOW.

    4. Alan Brown Silver badge

      Re: Assumption Alert....Posturing Alert

      in addition, the rule of thumb for crypto is:

      "when you start using crypto, you encrypt EVERYTHING, including your laundry list, otherwise whatever's encrypted is obviously valuable and therefore worth targeting"

      (the corollary of this is to ONLY encrypt your laundry lists, causing much wasted effort to find your dirty socks)

  13. jmch Silver badge


    "Things like end-to-end encryption significantly reduce the ability for platforms to detect child sexual abuse,"

    "The onus is on tech companies to develop or source technology to mitigate the risks, regardless of their design choices. "

    That means one of two things

    1) The onus is on tech companies to hold back the tide (these guys must have been sleeping in the King Canute history lesson)

    (more probably what they are really after) 2) - All your comms r belong to us

    eff off!!

    Happy I'm not subject to that jurisdiction, and let's see your economy crash and burn if that ever gets implemented

    1. DS999 Silver badge

      Re: WTF???

      "Things like end-to-end encryption significantly reduce the ability for platforms to detect child sexual abuse,"

      Things like envelopes significantly reduce the ability for the Royal Mail to detect child sexual abuse photos sent through the post


      "The onus is on tech companies to develop or source technology to mitigate the risks, regardless of their design choices. "

      The onus is on envelope suppliers to sell only transparent envelopes to mitigate the risks, regardless of their design choices.

      1. Ken Hagan Gold badge

        Re: WTF???

        And clothes make it easy to conceal a weapon, so all clothes should be see-through and MPs should lead by example.

        1. Someone Else Silver badge

          Re: WTF???

          But...but...but...the Emperor(s) already don't have any clothes, don't they?

        2. DS999 Silver badge


          That's not what I meant by "government transparency" at ALL!

  14. jmch Silver badge

    Interesting addendum

    "The Online Safety bill also attempts to tackle disinformation by getting social networks to filter out state-made interference, and reduce the distribution of stolen information for the purposes of undermining democracy"

    Presumably to filter out state-made interference from states that "Our state" decides to filter out. Of course any interference from "Our state" or our buddies is A-OK!

    Also "reduce the distribution of stolen information for the purposes of undermining democracy"???

    One of the pillars of democracy is transparency, and one of the best measures of how good a democracy functions is in how its freedom of information acts are implemented ie how easily can journalists and citizens find out what the government is REALLY up to. "Stolen" government information that is leaked may very well undermine *the government*, but it doesn't undermine democracy (in fact, usually speaking, if it's uncovering the government's dirty little secrets it's usually strengthening democracy)

  15. elsergiovolador Silver badge

    Groundhog day

    In communist countries, back in the day, when you called someone over the phone, there would be an officer officially listening to the conversation. They would say "this conversation is monitored, carry on". They would make notes who called whom and a brief what it was about.

    Of course they didn't have enough agents, so it was at random or if you were a person of interest then almost always.

    It's not hard to imagine that government will require providers to install a black box, where government will be performing its own filtering and detection without telling what is being looked for.

    In a few years time, they will also develop conversation anomaly detection, where you may be flagged as e.g. potential agent of change and would have your social credit score lowered and people you associate with would get a warning that their score will be reduced if they continue to contact you.

    In my opinion, anyone suggesting implementation of these things should be removed from power.

    1. OhForF' Silver badge

      Re: Groundhog day

      >It's not hard to imagine that government will require providers to install a black box<

      Personally I am convinced that these black boxes have been working for years already.

      As more communication starts to use End to End encryption those black boxes are no longer effective.

      Thus new black boxes either in the communication apps or in the operating systems are necessary to allow filtering for whatever the snoops are interested in.

      The problem is how to convince the masses to go along with this as more people become aware of the issue and won't buy the argument that security or children basic rights are some kind of "super fundamental right" trumping everything else including our right to privacy.

      Politicians keep trying to use the same arguments (mainly terrorism and child abuse) to justify mass surveillance but won't give up until they manage to get it installed.

      1. Anonymous Coward
        Anonymous Coward

        Re: Groundhog day

        I can tell the black boxes exist. You can research with this info - just after 9-11 there was a couple articles on techs commenting concerns about (for a fun term) installing black boxes, taps at telco hubs. I forgot the name of one of the companies, but there was some talk about why Rudy Giuliani had invested in the company - that it was either for insider trading or for the NSA - I expect both, but yes they do exist.

        Always expect there is no privacy when on the internet - not here, there, China, or anywhere.

  16. Anonymous Coward
    Anonymous Coward

    There are plenty out there that have..

    Committed actual offences against children. Shall we not start by dealing with them properly first? Something that will make a real impact on people's lives right now.

    1. Anonymous Coward
      Anonymous Coward

      Re: There are plenty out there that have..

      like the recent Maxwell trial where they protected all of the customers, or the Hunter B that has images on the web of him with minors. The laws are for little people like you and me, not for the wealthy and powerful.

  17. The man with a spanner

    If I were kiddie porn peddler...

    ..I would make damn sure that I encrypted my 'product' before I sent it over the public network, thus rendering the whole law completely useless, whilst the rest of us suffer the consequences.

    Similarly if I were a terrorist.

    1. Marty McFly Silver badge

      Re: If I were kiddie porn peddler...

      Encryption is math and the genie cannot be put back in the bottle.

      The only thing this law will do is monitor law abiding citizens using government approved apps. No threat actor worthy of their pending crimes will use those apps.

      "Let's bomb parliament with kiddie porn. We can use GovChat to plan it!"

      <That is sarcasm for those without humor>

      (Been looking for an opportunity to use this icon)

    2. DS999 Silver badge

      Re: If I were kiddie porn peddler...

      What these schemes are targeted at are people who have photos they've collected from various sources on their computer/phone trading them with others, via encrypted chat like Telegram. Not people producing new content and selling it - these CSAM schemes don't work to detect newly created images AT ALL, because it isn't designed to. It has to be added to the database.

      These people are smart/dumb as any typical person is about tech. They know how to drag images out of their stash to attach to a message and hit send. Sure, encrypting them beforehand would be smart as far as reducing risk, but how many average computer/phone users do you know who could download an encryption app, convert the files, remember to attach those instead of the unencrypted version, hit send, send the decryption key in a separate message (preferably via a different app) then know how to reverse the process on the other end? Without being handheld by someone to walk them through it a few times?

      This isn't something they could ask their tech literate child or neighbor to help them with ("why do you want to encrypt photos before you send them?") they'd have to figure it out all on their own. Many won't, so as with most policing this would catch only the dumb criminals. The smarter ones can be caught, but that takes more work so most police don't bother because there are so many dumb ones they have their hands full just dealing with them.

      1. Richard 12 Silver badge

        Re: If I were kiddie porn peddler...

        And so it will not, cannot and will never protect a single child.

        It will simply encourage the police to ignore even more reports of actual in-progress child abuse, because investigating that kind of crime is difficult.

        Much easier to just automatically arrest a few dumb gobshites sharing ancient history - who will be more careful next time.

        Worst, it will encourage more child abuse to create new, untraceable material.

        In short, it's exactly the kind of idiotic bullying we've come to expect from Ms Patel.

        1. DS999 Silver badge

          Re: If I were kiddie porn peddler...

          Worst, it will encourage more child abuse to create new, untraceable material

          Hadn't really considered that angle but you could be right.

    3. Anonymous Coward
      Anonymous Coward

      Re: If I were kiddie porn peddler...

      How would you advertise your ware then? The truth is that there is a surfeit of digital pedo-leads and a deficit of budget to follow them up with prosecution.

  18. Anonymous Coward
    Anonymous Coward

    Securing comms

    2018: "The Five Eyes nations have told the tech industry to help spy agencies by creating lawful access solutions to encrypted services – and warned that governments can always legislate if they don't."

    Various people have been put in place to implement it. Priti Patel in the UK, Peter Dutton in Australia etc:

    "Discussing the dangers of end-to-end encryption with close allies AG Barr and @PeterDutton_MP at the US @TheJusticeDept today. We can not let tech firms design platforms that give serious criminals & terrorists the advantage."

    Obviously "serious criminals and terrorists" didn't cut the crust, so she's switched to pedos as a way to bypass the privacy right.

    2019 we got the Ian Levy/Crispin Robinson proposal to give GCHQ a second key to all encrypted comms. Every time an encrypted session is created, GCHQ would get notified and a key so they can listen in. Oh fook off. You lot are more loyal to 5eyes than Britain. If Barr had told you to spy on Brits for Russia, you lot would have done it.

    Any whistleblower care to leak? I think Priti simply did it anyway and all this lying crap is simply to give a legal basis for it. I bet she already backdoored end-to-end encryption, I bet her foreign "allies" are aware of it, and Brits are not, care to leak?

    1. Anonymous Coward
      Anonymous Coward

      Re: Securing comms


      Quote: "....proposal to give GCHQ a second key to all encrypted comms..."

      See above for comments from another AC.....encryption implementing Diffie/Hellman doesn't have any persistently stored key.......the key is calculated as needed then thrown away.

      D/H was first published in 1976. It amazes me that the current discussion about encryption continues to bang on about persistent/published keys (as in PGP, for example).....when the D/H process allows for:

      - no persistent keys and no key exchange

      - the only public messages include D/H tokens...which tell the listener nothing about the keys

      - the encryption algorithm cannot be determined (it could be IDEA, RSA, AES, samba, chacha....or other)

      .....and all of these benefits are available to anyone who can read the D/H spec and then program using gcc and gmp!
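The ephemeral Diffie-Hellman exchange described in the two comments above, as an added example that is not part of any commenter's post: each side makes a fresh secret per session, only the tokens cross the wire, and the secret is dropped once the key is derived. The modulus `P`, generator `G`, the `Party` class and the SHA-256 key derivation are assumptions chosen for this sketch.

```python
"""Ephemeral finite-field Diffie-Hellman, standard library only.
Added illustration; P, G and the Party class are assumptions for this sketch."""
import hashlib
import secrets

# Demonstration modulus: 2**521 - 1 is prime, but P - 1 has many small
# factors, so it only shows the arithmetic. Deployed systems use a vetted
# group (for example the RFC 3526 / RFC 7919 groups) or X25519.
P = 2**521 - 1
G = 3
KEY_BYTES = (P.bit_length() + 7) // 8


class Party:
    """One side of a single session. The secret exists only in memory."""

    def __init__(self, secret=None):
        # A fresh random exponent per session; `secret` is only for tests.
        if secret is None:
            secret = secrets.randbelow(P - 3) + 2      # 2 .. P-2
        self._secret = secret
        self.token = pow(G, secret, P)                 # value sent in the clear

    def session_key(self, peer_token):
        # Reject degenerate tokens that would force a predictable result.
        if not 2 <= peer_token <= P - 2:
            raise ValueError("peer token outside 2 .. P-2")
        if self._secret is None:
            raise RuntimeError("secret already discarded")
        shared = pow(peer_token, self._secret, P)
        # Drop the reference (Python cannot guarantee the memory is wiped).
        self._secret = None
        return hashlib.sha256(shared.to_bytes(KEY_BYTES, "big")).digest()


def exchange(alice_secret=None, bob_secret=None):
    """Run one session; return both derived keys and what crossed the wire."""
    alice, bob = Party(alice_secret), Party(bob_secret)
    wire = (alice.token, bob.token)                    # all an observer records
    return alice.session_key(bob.token), bob.session_key(alice.token), wire


if __name__ == "__main__":
    k_a, k_b, wire = exchange()
    print("keys agree:", k_a == k_b)
    print("token size:", wire[0].bit_length(), "bits")
    k2, _, _ = exchange()
    print("next session reuses key:", k2 == k_a)
```

On its own the exchange does not tell either side who sent the other token; deployed protocols sign or otherwise verify the tokens.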

  19. sreynolds

    It always starts with the kiddies....

    So if my Ts and Cs say you have to be an adult ie. over 13 or over 16 or over 18 or over 25 or ask your guardian if you are a woman in Saudi Arabia to use this app then the onus is on the parents for allowing them to use an app for adults?

    If you don't mind me asking, what are the parents doing allowing kiddies under 15 to access the internet full stop?

    1. Mark #255

      Re: It always starts with the kiddies....

      If you don't mind me asking, what are the parents doing allowing kiddies under 15 to access the internet full stop?

      In case it escaped your attention, for large swathes of 2020 and some of 2021, a significant proportion of schoolchildren needed internet access to log into their lessons.

      1. sreynolds

        Re: It always starts with the kiddies....

        So is this the equivalent of kiddie scissors for the internet?

        I wouldn't give a kiddie a plasma cutter and wouldn't let them anywhere acetylene so why don't the politicians cut through the bullshit and admit that the problem is that "tech" targets children, and they do so knowingly yet won't admit it. Just find Facebook and Google, or the metabet.

        1. Roland6 Silver badge

          Re: It always starts with the kiddies....

          >I wouldn't give a kiddie a plasma cutter and wouldn't let them anywhere acetylene

          FYI, at secondary school (age 11~13) we were taught to use the acetylene torches in our metalwork classes and using them subsequently without direct teacher supervision... The steam boiler I made, still works...

  20. Panicnow

    Time to dust down the old typewriter

    Or maybe my Amstrad PCW, Hmm can I source floppy disks?

  21. Panicnow

    Spyware on your computer

    So basically they want to make it LAW to put spyware on to everyone's computer.

    I've always assumed that was the case with MS WIndows and Apple iOS, which is why I use Linux.

  22. amanfromMars 1 Silver badge

    Sneaky Priti Patel and Her Handlers go All Full Monty Snake Oil Salesperson-like??

    The present disgraceful Conservative government's proposal that tech companies could be fined by Ofcom to the tune of $25 million (£18 million) – or ten percent of their global annual revenue depending on which is higher, should it prove impossible for the tech companies to comply with an absurd request, is then simply a stealth tax raising exercise to raise funds for government spending. Nothing more, nothing less.

    If they were genuine in their concerns, surely government with all of its contacts and expertise on call at vast public expense, would provide an appropriate app and have businesses duly mandated to install it. That has things sorted simply practically immediately and extremely effectively too ......... you know, in much the same way as they say China ensures that businesses are suitably controlled.

  23. katrinab Silver badge
    Paris Hilton

    Will it happen?

    This is Nadine Dorries's department, and she isn't going to be in charge much beyond today.

    No sensible Prime Minister would appoint her to a cabinet position.

    1. really_adf

      Re: Will it happen?

      No sensible Prime Minister would appoint [Nadine Dorries] to a cabinet position.

      I'm not sure that answers the question of whether it will happen.

    2. Infused

      Re: Will it happen?

      The Online Safety Bill's third reading is next week & despite the government implosion, it is likely to still become law.

    3. Infused

      Re: Will it happen?

      She's still Culture Secretary & the third reading of the Online Safety Bill is next week.

      1. jfollows

        Re: Will it happen?

        Not any more, it’s been shunted to next session now.

  24. Charlie Clark Silver badge


    Can't see much of this standing up to judicial review. It's going to be pretty easy to argue that, if the conversations do not take place on provider's servers, then they cannot be held responsible. Client-side scanning is probably the new hope, but seeing as this is essentially a backdoor, it's also likely to be declared illegal. Of course, people can opt in… but those might be the people of interest!

  25. steelpillow Silver badge

    You mean like on the dark web...

    ...which is by its nature encrypted, and where illegal apps are distributed and used without Nanny having a clue?

    These evil clowns living in the drains are already at home there.

    How hard can it be to add spook-free CSAM-ready messaging apps to the dark mix? You'll get your phone pwned and your ID stolen. That is, if you haven't already. Either way, it's better than having your life donated at Her Majesty's Pleasure, to the waiting list for a special paedo unit.

    [What we need here is a Reality Check icon. What do you think, Sherlock?]

  26. Snowy Silver badge

    Regulated user-to-user service

    <quote>The proposed update to the Online Safety bill [PDF], currently working its way through Parliament, states that British and foreign providers of a "regulated user-to-user service" must report child sexual exploitation and abuse (CSEA) content to the country's National Crime Agency.</quote>

    So this does not apply to unregulated user-to-user service?

    What is to stop the bad people from writing their own version of Android and messaging app?

    If they are doing bad things breaking another law is not going to bother them.

  27. aerogems Silver badge

    I appreciate the sentiment

    I think the vast majority of people would agree that child sex abuse is a Bad Thing(tm) and should be stamped out with extreme prejudice.... but this is not the way to do it.

  28. ColinPa

    We have your children

    I remember working on a big world wide sports event where they provided email.

    The email was scanned for bad stuff. Eventually this was scrapped as the scanners would not detect "We have your children -so lose" and the skater called "la bomb" got no mail.

    Scanning images is more complex than this. The announcement needs to say how it will be scanned. If it is like Anti-Virus software will my phone get "updates" every couple of days as the parameters change?

    1. thames

      Re: We have your children

      Microsoft keep a database of hashes of illegal images which are used by various police forces to automatically scan computers belonging to suspects. Automatic scanning is the only practical way of searching a PC hard drive given the enormous size of drives these days.

      Microsoft also provide a program to do the scanning. So far as I know, this is just more or less a re-implementation of the open source "findimagedupes" which can be found in many Linux repos. The original is written in Perl and has been around for decades.

      Essentially the algorithm breaks the image up into blocks, converts each to B/W, and does various other things so that just altering shade or colour balance or cropping it slightly doesn't throw the algorithm off. It then converts the whole thing to a hash.

      The default is to calculate all the hashes on the fly, but findimagedupes has an option to use a file of stored hashes in order to reduce the amount of work that has to be done on repeated comparisons.

      I've used findimagedupes on large data sets of legal images of various sorts. On a small data set it is remarkably effective. As the size of the data set increases however, so does the number of false matches. I haven't done a statistical analysis on it, but as the number of images to be compared increases the false match rate also seems to increase exponentially.

      The algorithmic match factors can be tweaked as parameters, with the default being a 95 per cent match. That seems to be the optimum between too many false matches and too many close misses.

      Some false matches are quite easily understood. Suppose for example you took a photo of yourself standing in front of a blank wall, and then turned around and took a second photo. The difference between your face and the back of your head is too small to really matter to the algorithm to avoid a match, regardless of how obvious it seems to you.

      However, some false matches are completely inexplicable. There may be no points of similarity at all but it still comes across as a match. I suspect these may simply be actual mathematical hash collisions.

      Overall findimagedupes is good if finding some matches is good enough for your purposes. Suppose for example you have a large collection of categorized WWII military photos and want to compare it to other similar but uncategorized collections so you can do a fast first pass sorting of these other collections based on near duplicates which may have been resized, slightly cropped, or otherwise altered. Some errors are acceptable in this sort of application as you are just looking for a starting point.

      The big problem with the current proposal is that the application is so different from what the police are currently doing (all they need is one true match to kick off a manual investigation of the rest of the images) that I don't see how the idea will work.

      To be useful for pre-scanning all messages, the false positive rate must be negligible or else the support system would be flooded with customer complaints. There must be hundreds of millions if not billions of images sent as messages each day. Even a tiny false positive percentage is a big number in absolute terms.

      If someone has developed some sort of magic technology to get around all of these problems, I haven't heard of it yet.

      Meanwhile for people who want to avoid the filters, all they would likely need to do is to put the images into an encrypted archive file before attaching it to the message, or even possibly just change the file extension from "jpg" to something else.
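A simplified block-mean fingerprint of the kind described in the comment above, added here as an illustration; it is not the code of findimagedupes or of any vendor's tool, and the images, grid size and error rate are constructed assumptions. It shows a brightened and a half-size copy matching at the 95 per cent threshold, the "face versus back of head" false match, and how comparison volume turns a small error rate into a large count.

```python
"""Simplified block-mean perceptual hash. Added illustration only: not the
code of findimagedupes or of any vendor scanning tool. Images are constructed."""

GRID = 8                 # 8 x 8 blocks -> 64-bit fingerprint
MATCH_THRESHOLD = 0.95   # the 95 per cent default mentioned in the comment


def fingerprint(img, grid=GRID):
    """img is a list of rows of grayscale pixels (0-255). Each block yields
    one bit: 1 if the block is at least as bright as the average block."""
    h, w = len(img), len(img[0])
    means = []
    for by in range(grid):
        y0, y1 = by * h // grid, (by + 1) * h // grid
        for bx in range(grid):
            x0, x1 = bx * w // grid, (bx + 1) * w // grid
            total = sum(img[y][x] for y in range(y0, y1) for x in range(x0, x1))
            means.append(total / ((y1 - y0) * (x1 - x0)))
    average = sum(means) / len(means)
    bits = 0
    for m in means:
        bits = (bits << 1) | int(m >= average)
    return bits


def similarity(fp_a, fp_b, nbits=GRID * GRID):
    """Fraction of fingerprint bits that agree (1.0 means identical)."""
    return 1 - bin(fp_a ^ fp_b).count("1") / nbits


def is_match(img_a, img_b, threshold=MATCH_THRESHOLD):
    return similarity(fingerprint(img_a), fingerprint(img_b)) >= threshold


# --- constructed 64 x 64 test images -------------------------------------
def portrait(with_face):
    """Dark head on a blank wall; the 'face' is two bright eye pixels."""
    img = [[200] * 64 for _ in range(64)]
    for y in range(16, 48):
        for x in range(16, 48):
            img[y][x] = 60
    if with_face:
        img[28][26] = img[28][38] = 255
    return img


def landscape():
    """Bright sky over dark ground."""
    return [[220] * 64 for _ in range(32)] + [[80] * 64 for _ in range(32)]


def brighten(img, delta):
    return [[min(255, p + delta) for p in row] for row in img]


def downscale(img):
    return [row[::2] for row in img[::2]]


# --- why volume matters ---------------------------------------------------
def pairwise_comparisons(n_images):
    """Deduplicating a collection compares every image with every other."""
    return n_images * (n_images - 1) // 2


def expected_false_flags(comparisons, false_matches_per_million):
    """Expected wrong matches for an assumed per-comparison error rate."""
    return comparisons * false_matches_per_million / 1_000_000


if __name__ == "__main__":
    front, back = portrait(True), portrait(False)
    print("brightened copy matches:", is_match(front, brighten(front, 40)))
    print("half-size copy matches: ", is_match(front, downscale(front)))
    print("face vs back of head:   ", is_match(front, back))
    print("portrait vs landscape:  ",
          similarity(fingerprint(front), fingerprint(landscape())))
    print("pairs in 1,000 / 10,000 images:",
          pairwise_comparisons(1_000), pairwise_comparisons(10_000))
    print("false flags, 1e9 images at 1 per million:",
          expected_false_flags(10**9, 1))
```

Because the number of pairs grows with the square of the collection size, a fixed per-comparison error rate alone gives roughly 100 times more false matches when a collection grows tenfold.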

      1. Infused

        Re: We have your children

        The proposal may actually refer to client side scanning on your computer or phone, using perceptual hashes. So it'd be searching all your images on your hard drive. This is similar to the EU proposal for chat control. They want this plus detection of grooming conversations. Apparently they would accept 10% false positives.

  29. Abominator

    I get the intentions, but this is so badly thought through.

    Let's be clear. The government are talking about:

    1) Building in filters to detect and report child abuse

    2) Filters are normally models, typically AI based these days

    3) The models need training on validated data sets, which has to be the real thing to avoid biases. You can't just train it on legal porn.

    The government is going to licence tech firms to hold child porn and train models against this? What's to say this illegal content is then distributed illegally by the same tech firms?

    This is completely disgusting and I can't think of someone who would even want to work on such models. It would be a harrowing role.

  30. This post has been deleted by its author

  31. Anonymous Coward
    Anonymous Coward

    Never ending argument.

    Because it is a thing wanted by those that don't understand math

    Because math is not something that 'politics' can change.

    Because unbreakable encryption already exist, laws cannot undo time.

    The most evil thing in pandoras box was hope, to prolong suffering.

  32. Ken Moorhouse Silver badge

    Maybe this is the case already and I'm out of touch...

    From the government's perspective surely the better way to go is to supply the hash libraries to Computer Repair Shops who will be put under obligation to scan all customer hard drives that come in for repair? Some kind of law would then have to be passed in similar form to TV Retailers having to inform TV Licensing of TV sales.

    Maybe the likes of PC World might be already under such a scheme?

  33. tip pc Silver badge
    Big Brother

    You are all Guilty

    You are all guilty.

    the crime may not be defined as yet but you are guilty of it regardless.

  34. Anonymous Coward
    Anonymous Coward

    The thing about pedo spreaders is that they need to advertise their presence - otherwise they can't spread. From a 2019 NYT article "The Internet Is Overrun With Images of Child Sexual Abuse. What Went Wrong?"

    With so many reports of the abuse coming their way, law enforcement agencies across the country said they were often besieged. Some have managed their online workload by focusing on imagery depicting the youngest victims. “We go home and think, ‘Good grief, the fact that we have to prioritize by age is just really disturbing,’” said Detective Paula Meares, who has investigated child sex crimes for more than 10 years at the Los Angeles Police Department.

    So where is the bottleneck here? It seems the bottleneck is the budget devoted to following through with the already overflowingly abundant digital evidence to make arrests and prosecute. Why is budget so insufficient? Doesn't hurt the bottom line of digital content owners?

    AFAIC Caesar can have what is due unto him for his digital content, but this cynical twisting of the truth is very damaging to many parties, from the children who actually need help to businesses and UK government agencies using consumer communication software they believed to be secure only to find it has been back-door-hacked by bad guys.

  35. Justthefacts Silver badge

    But this is already EU policy…

    This is already full EU law and policy. “Temporarily” they allowed companies not to comply:

    But it’s coming into force pretty damn soon. EU folks had 8 weeks public consultation to protest….the last day of which was, quite literally, yesterday.

    You know what the blocker was? Certain countries complained that the legislation would prevent “consensual sexual activities in which children may be involved and which can be regarded as the normal discovery of sexuality in the course of human development”. Clause 6.

    *17* out of the 28 EU member states define the age of consent *for sexual activity between a child and an adult* as 14 or 15 years old. Yes. You read that correctly. 14 years old.

    Remainers really don’t know what they voted for.

  36. Richard 12 Silver badge

    Almost everyone thinks everyone else thinks like them

    Given how incessant the "Everyone is a paedophile who will abuse children unless monitored all the time" wailing is from the Government.

    There's only one conclusion.

    Think of the children - Lock her up, right now!

  37. johnrobyclayton

    I am a bad actor - please help

    Can someone send me all of these hash databases and deep learning models that are being developed to identify bad files or content?

    For file hashes I can create innocuous files whose hashes collide with bad file hashes, scatter them on social media, and tie up investigative resources.

    For deep learning models that identifies bad content I can create an adversarial deep learning model that can generate content that the supplied deep learning model identifies. I can let the government provide the training tool for automated generation of bad content.

    There are a lot of silly people that think that the range and options of information available can be constrained. It is disappointing really.

  38. 2sideways

    dangerous technology

    This is dangerous technology for human rights. For a file hash based solution consider this scenario

    There is an anti-government meme circulating and the government would like to know who is sharing it (or the government creates their own anti-government meme and seeds it to social media), then they add the file hash to the database. Now whenever it is shared the authorities get notified but no further action is taken (as would be the case with child sexual images) but the government gets a picture of who is sharing this image meme, what apps they are using and who is in their networks.

    Now while our government may not do this many repressive regimes might use it in this way. Once our government coerces technology companies into building this software its availability would be a gold mine to repressive governments.

    Once the technology exists for scanning images, why not text or other documents? And presumably unencrypted communications would also be scanned.

  39. Al fazed

    How will reading encrypted messages keep children safe on line?

    Children go on line without encryption.

    Stopping other people from sending illicit content does not protect children on line.

    This plan is another half baked attempt to improve something, which in doing will screw up so many more things, but that isn't a worry for these under-educated, part time, tech wrangling MPs........

    Humiliating that the UK doesn't have a better IT outlook.............


  40. Piro Silver badge

    It's not possible

    1) It's not possible to do it with secure end-to-end encryption without scanning client-side.

    2) That's not possible without mandating what effectively amounts to state-level spyware on every device.

    3) You would then have to mandate the types of devices that were allowed to be sold, to ensure compliance.

    1) Unreasonable.

    2) Extremely unreasonable.

    3) Monumentally unreasonable.

    I obviously understand and sympathise 100% with the need to remove horrendous material and stop abuse, but we're doing a terrible job in the real world of protecting children we know are at risk. Maybe the police should focus on that.

  41. Cliffwilliams44 Silver badge

    The new mantra of the Tyrants

    "We must protect the children (so we can trample on your rights)" is the 21st century mantra of the globalist tyrants!

  42. jfollows

    Plans dropped to pass the online safety bill next week

    The final stages of the bill were due to take place in the House of Commons on Wednesday July 21st. but will now be shunted to later in the year, meaning that a new prime minister, home secretary and culture secretary may kill it because they don't agree with the bill in its current form.

    Apparently it's Labour's "fault" for trying to get a no-confidence motion debated, resulting in the Conservatives calling their own debate on Monday 18th. July. This, in turn, caused the Northern Ireland protocol bill to be moved from Mon/Tue to Tue/Wed, and parliament goes into recess after that.
