Tech world may face huge fines if it doesn't scrub CSAM from encrypted chats Tech companies could be fined $25 million (£18 million) – or ten percent of their global annual revenue – if they don't build suitable mechanisms to scan for child sex abuse material (CSAM) in end-to-end encrypted messages and an amended UK law is passed. The proposed update to the Online Safety bill [PDF], currently working …
"Moral Imperative" = "of highest importance"
Nobody can deny that preventing child (or indeed, any) sex abuse is a moral imperative.
Nobody can deny that allowing people to communicate privately is a moral imperative.
Home Secs job, like that of many politicians, is to balance dozens of moral imperatives against each other. That's why it's a hard job, and not one that should be assigned to fuckwits.
Incidentally, also...
Nobody can deny that children having a roof over their heads is a moral imperative
Nobody can deny that children having enough to eat is a moral imperative
etc
See if the current government gives a flying f**k about any of that
She's just making a blanket false claim "Brits will share child porn if we cannot spy on everyone" there. There is no moral imperitive for a fiction she created.
She's variously changed the tune from "Terrorists" to "National Security" now to "Pedos" as the reason for backdooring end-to-end encryption.
The best response to "Think of the children!" is "Jimmy Saville always did!"
The worst predators tend to operate in plain sight, usually posing as stalwart pillars of the community.
After all, you're NOT going to entrust your kids to the dirty raincoat brigade or a bunch of heavily tattooed gangbangers - but you probably won't think twice about letting them hang out at a church social group, etc
(Ironically, the heavily tattooed harley-riding gangbangers are likely to be extremely protective of kids, etc - as are almost all "screaming queens" I've known in my life)
"Ironically, the heavily tattooed harley-riding gangbangers are likely to be extremely protective of kids, etc"
Don't judge a book by it's cover and all that. Any large enough group of people, whether that be tatooed bikers, football fans, church social group , rotary club etc* is sure to contain a fair number of decent people, a few truly excellent dudes/dudettes, and a handful of obnoxious wankers.
*except parliament where the proportion of obnoxious wankers is rather higher
It's that they seem to keep getting it backwards.
"Masks are now a personal choice, we trust the public will do the right thing", loads of people stop wearing masks immediately, even when places ask them politely to keep doing so.
"If we don't spy on everyone, they will all immediately do <insert vile act here>", yet almost no one will do it, because they just won't.
They would simply demand access to the file before encryption via a backdoor to PGP (or your encryption of choice)
And the fact that you are attempting to bypass the government's right to all your data marked you out as an obvious evil-doer... lock him up, immediately!
"We, and other child safety and tech experts, believe that it is possible to implement end-to-end encryption in a way that preserves users' right to privacy, while ensuring children remain safe online." They believe this, but refuse to say what leads them to believe this. Open source implementations of E2E encryption have been around for ages, if it was possible then they could easily demonstrate it.
Indeed, Monitor everything everyone does so that scanning the actual communication being sent becomes moot, they'll already know everything.
You'd think they weren't already tapping all the telemetry sent to the OS mothership.
Edit: someone disagrees with the captains accurate summing up!
Actually, she hasn't got a clue what any of it really means at all...
They stopped trying to be rational when they kept getting the "this won't work" response, so now they just want to bully everybody into complience without having to provide a solution... "It's the LAW!"
Given the current debacle in parliament, how she has the cheek to talk about "moral imperative" I cannot fathom.
Client side encryption, plus not sending or receiving messages that are deemed illegal without further action, and a way for the user to check and send something they believe is marked incorrectly. Like a picture of the Virgin Mary and Baby Jesus that could easily be mistaken for something else.
>They believe this, but refuse to say what leads them to believe this.
Boxed ticked, parents can sleep whilst the children surf the web.
Which immediately identifies the flaw in this statement; the first part ie. end-to-end encryption, has any meaningful impact on children being safe online.
End-to-end encryption won't stop what happened at Disney's Club Penguin.
"Boxed ticked, parents can sleep whilst the children surf the web."
Problem #1: over 1/3 of detected sexual offenders are under the age of 18 and equally distributed between genders
Yes, really
Let's not forget Jamie Bolger. For all the outcry, the case type isn't _particularly_ unusual when you look at history, only becoming rarer more recently
> won't stop what happened at Disney's Club Penguin
Had no idea what that was, had to look it up on the BBC news website: Disney forces explicit Club Penguin clones offline. The original website was designed to specifically target children aged 6 to 14 - I wonder why The Walt Disney Company needs to keep on shutting these websites down *ponder*
Club Penguin - online: 2005-10-24, offline: 2017-03-30, was replaced by Club Penguin Island
Club Penguin Island - online: 2017-03-29, offline: 2018-12-20, created a vacuum (that was quickly filled by clones) when shutdown.
It is trivial, you encrypt one copy of the E3E message with your private key and the recipients public key. And to comply with the law, you encrypt second copy of the E3E message with your private key and a personal GCHQ/CSAM/government public key, sending the a copy of the message (Which they would then get computers to automatically scan using neural networks trained with existing CSAM, and a human would only be allowed to access any messages with an actual court order issued by a judge). Of course this would only work if people had locked down devices that could only execute the government mandated E3E communication application(s) and had no ability to run any unsanctioned applications (no matter how trivial they may be to create - in case someone reading this post does exchange CSAM, I'm not going to explain how). The mentally damaged individuals who own and send CSAM to each other would obviously use the government mandated E3E communication application(s) because they are severely mentally damaged individuals ? Just like these people in the government who created the online safety bill.
Maybe the solution is to start simple, implement the application for governments to test first for say 50 years. If anyone in the government is caught not using the application, they can serve some jail time. And every message sent by everyone in government is decrypted and made publicly available after say 20 years.
Ok, i'll bite.
There is already a child abuse image content list available which includes hashes of child porn images. To be compliant, all you'd have to do pn the client end when somebody attaches or receives an encrypted image is to check the image hash against a list of known child porn hashes, and if a match is found then flag it up to the police.
That would be totally compliant with this law, it could only inconvenience people attaching images on the child abuse image content list to encrypted messages and it leaves end to end encryption intact.
In fact the only possible potential this has for scope creep that I can see would be the police asking if they could keep a list of hashes attached to messages so after they've raided a paedophile and got an extra few hundred/thousand images to go on the list that they could retrospectively check to pick up anybody else sharing the same material. Even if this was done, a list of MD5 hashes presents quite a limited threat to privacy, or freedom of expression.
Any solution is trivial to circumvent by pre-encrypting the image before you send it over an E2E channel.
The point is to be seen to obey the letter of the law to avoid fines.
This is all performative nonsense by a bunch of politicians that don't understand mathematics or engineering so I can't see anything other than a performative response.
Australia banned encryption that cannot be backdoored a while ago (basically telling engineers to 'nerd harder' when they said the mathematics would not allow it) but I have not seen anything to say this has ever been enforced - maybe I missed it?
Maybe somebody took a politician aside, smacked them across the head with a didgeridoo, and pointed out that not only does proper encryption not have back doors (kind of the point unless they want to try legislating new laws of mathematics), but actually enforcing their dumb law would essentially shut down online banking, purchasing, pretty much anything to do with money, and all the supposedly secure stuff on websites.
In other words, get a clue galah.
It ended just fine: the bill never got out of committee.
And they didn't "try legislating new laws of mathematics". There was a bill to "recognize a contribution" to mathematics. That said contribution (squaring the circle, of course) was rubbish was what ended up dooming the bill.
Now, it might have made it out of committee and to the floor had a Purdue professor not happened by and been invited to review it. And it might even have passed. Legislatures pass all sorts of rubbish no-effect bills like that: recognizing some personage of minor import, establishing State Whatever Day or Official State Nonsense, and so forth. These might be "laws" in a notional sense but have no real-world effect; they're just posturing.
(There are many discussions of foolish or odd laws. Unfortunately most of them are themselves rubbish, recounting anecdotes without any attempt at verifying them from primary sources. I recommend Underhill's The Emergency Sasquatch Ordinance as an exception to that unfortunate trend; he did the research and provides citations. Also he's a better writer than most of the others.)
The point is that if a law requires it to be done; that's a method of doing it.
Ok, it's trivial to circumvent through editing the files so the MD5 hashes are different each time or a number of other methods. It still complies with the law. If you kept a list of the MD5 hashes then when the police nicks a paedophile and goes through their stash of images then they get a bunch of new MD5 hashes which could be compared to the file sharing history, and you then have a list of other paedophiles who'd shared those files.
If I was a policeman I think i'd probably be happy with that.
While you probably couldn't prevent anybody from circumventing the checks if they are done on the client side, you could probably detect that the child porn filter has been disabled by various methods, I can think of a few off the top of my head. One suspects that the National Crime Agency would be just as happy with occasional lists of people detected circumventing it, as that has to be reasonable cause for a search warrant.
I don't think that either the police or politicians expect perfection, just some good faith efforts.
The Microsoft CSAM hash database doesn't use MD5 or any other cryptographic hash. It uses PhotoDNA hashes, which are intended to produce the same result under a variety of transformations.
That also reduces its precision and increases the false-positive rate, of course. You can't have it both ways. Nor is it proof against all transformations, and automating applying a series of transformations until you get a different PhotoDNA result is an obvious easy attack on the system.
There are other issues with using a large PhotoDNA hash database for client-side scanning, such as the size of the database and the computational requirements.
The whole idea is idiotic and typical political pandering.
To be compliant, all you'd have to do pn[sic] the client end when somebody attaches or receives an encrypted imagefile of any type is to check the imagefile of any type hash against a list of known child porn files we're looking for hashes, and if a match is found then flag it up to the police.
"available which includes hashes of child porn images"
The problem with a hash is that it is a mathematical equivalence. Is this picture the same as that picture?
Well, couldn't that essentially be broken by scaling the image, say, 5% either way? Or compressing it a little more? Or gently messing with the colours? It wouldn't take much ingenuity at all to batch convert a bunch of images from known matches to unknowns.
Plus, with only a result and no actual image to work with, how does one train a machine to be able to recognise such a thing in this case? It'll be like that judge who said that he couldn't define pornography, but he'd know it when he saw it. Well, we would have to teach a machine to know, and given the hysterical responses a lot of people have (not to mention the malignant behaviour of the police these days) we would have to teach it to be accurate and have a low rate of false positives, yet protect children by catching everything that is bad. In other words waffle-waffle-magic-waffle-done. There, that was easy, in government land.
Meanwhile, in reality...
The problem with a hash is that it is a mathematical equivalence
Aside from the special case of perfect hashes, no, it isn't. Lossy hash schemes (i.e., almost all of them) will, by definition, tolerate some change in the input. The hash currently used for this nonsense, PhotoDNA, is meant to tolerate things like scaling, compression, and relatively minor changes to color, cropping, and so forth.
How well it does so is one question, but there are far more interesting ones, of course. Like how generating PhotoDNA hashes and comparing them against a large database could be implemented efficiently on client devices, for example. (It can't.) Or what guarantees people flagged by false positives would have against excessive response. (None, that's what they'd have.) Or how we could trust client applications that have any mechanism for reporting anything to "authorities" somewhere. (We can't.) Or how much effect this would have on the problem. (Very little.)
believe that it is possible to implement end-to-end encryption in a way that preserves users' right to privacy
They are probably envisaging a "trusted third party" in the middle doing the scanning with end-to-end encryption connecting both ends to the middle. This is fine as long as it is a "trusted third party" that could be relied on to rigidly and securely perform the required task and no more. Unfortunately it can't be relied on to do anything like that. The required level of security to protect the users right to privacy would make the trusted third party resemble an opaque box. Mission creep would then secretly extend the monitoring criteria turning it into a "untrustable third party" at which point you might as well rename it CESG monitoring point.
The obvious choice to do the monitoring would be the pron merchant the the UK government was going to use to verify age for access to <cough> 'adult' sites. (they probably wouldn't need to worry about using hashes)
Hmm, wonder what happened to that bit of legislation... sorry, 'box ticking'
Come up with something so vile that nobody can question it, then destroy privacy in the name of stopping it. Once the capability is developed, it WILL be used to spy on any and all communications. While there is security to be had in anonimity, that only works until the powers that be decide to take an interest in you. All it takes to get someone interested is to cut the wrong person off in traffic.
Of course no dodgy user would ever avoid official implementations of encrypted chat. {S} So eventually an open source coders comes up with multiple client side software. Said coders living in a country that does not support general snooping and remain anonymous for their own safety? Existing chat coders are in what legal position ? Next, support for complete packet analysis looking for the use of unapproved encryption data streams ? Its as if TLAs have plans for big Data retention and real time analytics and bought the right pollies. Regardless, asking Big tech to snoop is another Fox guarding Hen House scenario.
Seems that backdooring encryption has finally been dropped in the hallowed corridors of power.
So now they just make a law to slap a fine on companies that don't subvert encryption. That's not backdooring, right ? So you can't complain anymore.
Gotta hand it to 'em, they're persistent on this issue.
Too bad they couldn't more persistent on some other things, like the economy.
@Pascal. How right you are.
But there is nothing original in her statement. She is just copying the E.U. and their recent announcement.
However, the answer to all this bollocks is simple. Just use whatever comms app that our "esteemed" M.P.s are using. Currently, Signal after most of them dumped WhatsApp some reason.
I am guessing it is something to do with Signal not making any money in this country so can't be held over a barrel like WhatsApp could be.
Ishy
P.S. Am rather surprised but Patel has also joined the "Stop doing a third rate impression of Trump and just fuck off now" gang.
wrt the PS: Nadine Doris said the quiet bit out loud - "Only the big donors matter"
And they're coming to the view that the one with the bird-nest hairdo is now a liability. He's being moved from convenient idiot to convenient scapegoat but is refusing to go quietly
> Am rather surprised but Patel has also joined the "Stop doing a third rate impression of Trump and just fuck off now" gang.
Purely self-serving, as with pretty much all of the Tories who have resigned recently or told him to go. They tolerated Johnson- someone who was clearly never fit to be PM in the first place- for years so long as it suited them, but- as I and others predicted- were happy to stab him in the back as soon as (a) they decided he was more of a liability than an asset and (b) could see the way the wind was blowing.
As someone who- following the 2017 Israel affair- made her comeback on the back of Johnson's success (*) and as part of his hard-right government, Patel's career prospects were tied far more tightly to his than some.
But when things got this far, even someone in Patel's position can see that it was going to end much sooner rather than later and - purely from a point of view of her own self-interest- doesn't want to be too obviously on the losing side when the music stops.
(*) See also; various mediocrities like Nadine Dorries who achieved their position primarily through loyalty to Johnson rather than any competence on their part and are less likely to remain in position under someone else.
According to Wiki-p* Our dear home secs parents^ did exactly that, running corner shops in the 70s & 80s. By implication this meant she likely spent a chunk of the 80's behind a counter.
*Yes, I know, wiki, pinch of salt etc...
^ Ex Ugandan, thousands moved here when booted out by Amin in early 70s. Many buying corner shops (Arkwright retired & Granville didn't want the shop) and creating the eternal stereotype.
I have been encrypting mail before I send it for several years now - all automated (meaning no mess, no fuss.) The feds do not think that this will become common? Remember more and more tech savvy kids are born every day.
If crypto is banned, then encryption will be used more than ever - plus that horse already left the barn.
Quote: " However, it is possible for chat software developers to add a filter that automatically scans for certain illegal material before it's encrypted and sent or after it's received and decrypted."
The assumption is that the encryption/decryption IS BEING DONE ONLY BY THE INTERNET SERVICE PROVIDER.
But there are plenty of people out there who are technically competent to perform a PRIVATE ENCRYPTION BEFORE ANYTHING ENTERS A PUBLIC CHANNEL.
So....per legislation, the service provider decrypts the service provider's own E2EE..............and just finds MORE ENCRYPTION!!!
Do our incompetent law makers know nothing? Surely the answer is a resounding "Actually less than nothing....it's all political posturing!".
Of course the next step is obvious.............
..................just make the possession and/or use of encryption software completely illegal.
Yup....back to the bad old days before HTTPS, before secure banking, before internet shopping..........
But of course, our incompetent law makers really don't care about the facts.......remember, it's all political posturing!!!
And then there's the problem if the private encryption utilises Diffie/Helman.....so that there is no persistent key stored anywhere.....the sender and the recipient can calculate the keys as needed, then throw them away. In the example below, the D/H token is a decimal string 2484 digits long -- approximately 8192 bits! Good luck decrypting the <TEXT> message!!!!
*
<MESSAGE>
<SENDER_REF>HOWIEB</SENDER_REF>
<SENDER_TOKEN>4371012078889959387014138314628350221042274955819597008258890917373642895335
0375509608624232715052975752126989428478416991142526807710714335019457280591
9962340451118394054174081568040691878423318442766015830996499358485599984276
6416942844030010522273262747886690515765838051163508193574385648882819367907
0765736182019777289091984705505040015539701846821505819041356272592149537414
5599284837359724402962565307914527390133557356393354680650013067989550170538
8844023274428842491073886088340214971654871549498071612005673727046029380461
4197198724963648359924717087115411424556149394679077598137814370988610539900
6577610357824113268424882198615435707576576078144348343398159341075660487201
7236394225052383884935890642112722875974578374138124307546325610991951959982
4149716163795731729622799589064527968443465478555343484291715625139166532785
8770211248496637981486822038381575518934970873889194016091271371613735110799
9063883603439672118017187716754208004018118491960518013412443885104276858502
1732682152934949671521372709002062241001658276045347419767555875250417368389
4522517081223809749829476130439781246084749139443669575580217965040060452908
7900301682024835789969436611383669069393682558564584600628945641224180853605
6298814830544040466195672925675570448245072528444876119528494293222835045715
2395076889863748761758331732622483885193032634522978144270241411023208159345
0071202817434879747818080206932392810631463566074745762614381333242276269667
3189194090666852659358730217614499883287632679771324319242334326965782411472
1385683937770702350573805682097633617788354233598681485304404689710798046027
0001975294712729317092938112116388977801677701183016342735348445227463527184
8378936807325267031825351032345567193716010607314425325663138174428909705536
5897106540403343924371403706185005130920920237807645181194806824339056415506
2576906937024993068034855390332991654861486631434510106900313224106778946001
3469541756233272083549227147686993355690923162358587402703514667908578295611
0399413602400154994944610204793733803472947657140882492756154905588559959490
4950863647867928811776929592909210119418514207478275576819662446203032801789
8405085637380140402072697270375441624809150996094014412259681921600183325577
8703167635925663587607929917566790997116023453746285061559481816801778181380
9718604360097629155060890990265606559295360347124039629009720153149666608816
8494319564086953263910365821214828843000669301307400289556253182736918658911
23423560052517355190322768101948710
</SENDER_TOKEN>
<RECIPIENT_REF>THOMASB</RECIPIENT_REF>
<TEXT>LJime9tQf7fMBniMj36eAMbdfHXsGrilkVEnSlBqEg67jkt68rA03Uh8G5LkcVwqNNcYz3V/HPIE
iWk7ri11OsGIwi6m/gr2c8bGdh/apJj0GKV1Mj/7DVVTt1V1vD6z3Q3pg0UvHAXmT+fy4lxL4d9R
TSQPkDJ+u6VXlKkhFhA+y7x0A5S23K3LAF7Qjn5NbdRHrNB+hwTuoNTntjzeW+bNw7Q/Ld42j0KB
oVxhO9D0iuDnShA6zJlSYFPR0Op0o+EDzRklJxShiRMD/vblMrGyyMOzbchoGEWltovy/0OBx3iK
gHMlZhJ65UC2kJ25bIXLaeU6gvsQIg1kVM3O1y3LnyZcvkF6T5PnqO5P9KM5tj0hN2aSO2rDtCOZ
+Wch9h2LI5ipm28OQG3ciFUa7Ey5jb8XpR8MSV+bACKxmPR08EpEkasGAL+xr1iAD7uwoh261RR+
sdM28mTJcy9kUktFE+cQtjKnhoRyk4C7dBmYQA1I+fw0bRIvAOmAlohivkdMpk0fiOO/mKBfv/yA
Ws9DsdrlPK5D4QPKBP6HRhrePpg0/hZ+Pu/gvFWL1eBwrcCTGKVFpLkAAW53aLxEVrtwYM0Bn54o
p6wicdv8JzpIV9oSMIOUklpb2cZ41dtXmyT5r4zPCaiLFw43Od7k9KnoT7rIHLiBeOOva79hNjDr
CBU8nWxtKpUVrP67smrWVJMg7QFbjvqaPSb14nikqaDpWKL0r6H275VVjhsfxRSXbAYXeTMXF/aE
KqRtEZLySA6lyNR+PLJO0MzxskAhLEmB/IoCT/3dmuApoiE4xENrvCJPvFrnMSLRgEu3T0UEXj0m
fq7Xcvo3NMJv2yjQtsL1GBjrRJRnmqB2LjV10EbjUxsrmbgVEz1GJdqwxLQ437A1wah77gfWOiNV
at5/YyD5YtdvBch4wwZrgZPixYHWL4RtmRhHAnOv2nJ6aU0RFGcwQY7lSQDcEySXvU+6IOW/z492
fz4zj47H1ApVTAnOI+Cm//p8KkdpNvtrnrhcm1z1qWy+ayIYNc0BtSju0Ujmq2fKCu5hBewbTJjj
gN9hio2TsJoSfa0GFehFCJjPJuJ0nPK+NZIh6HzvuA6xYw/uTf5LFLa7kNAATboDiA2nFYnQt3d4
9Eb95RQg+pR56PqjVu3Um9D6xagvkXAHBg==
</TEXT>
</MESSAGE>
*
in addition, the rule of thumb for crypto is:
"when you start using crypto, you encrypt EVERYTHING, including your laundry list, otherwise whatever's incrypted is obviously valuable and therefore worth targetting"
(the corollary of this is to ONLY encrypt your laundry lists, causing much wasted effort to find your dirty socks)
"Things like end-to-end encryption significantly reduce the ability for platforms to detect child sexual abuse,"
""The onus is on tech companies to develop or source technology to mitigate the risks, regardless of their design choices. "
That means one of two things
1) The onus is on tech companies to hold back the tide (these guys must have been sleeping in the King Canute history lesson)
(more probably what they are really after) 2) - All your comms r belong to us
eff off!!
Happy I'm not subject to that jurisdiction, and lets see your economy crash and burn if that ever gets implemented
"Things like end-to-end encryption significantly reduce the ability for platforms to detect child sexual abuse,"
Things like envelopes significantly reduce the ability for the Royal Mail to detect child sexual abuse photos sent through the post
.
"The onus is on tech companies to develop or source technology to mitigate the risks, regardless of their design choices. "
The onus is on envelope suppliers to sell only transparent envelopes to mitigate the risks, regardless of their design choices.
"The Online Safety bill also attempts to tackle disinformation by getting social networks to filter out state-made interference, and reduce the distribution of stolen information for the purposes of undermining democracy"
Presumably to filter out state-made interference from states that "Our state" decides to filter out. Of course any interference from "Our state" or our buddies is A-OK!
Also "reduce the distribution of stolen information for the purposes of undermining democracy"???
One of the pillars of democracy is transparency, and one of the best measures of how good a democracy functions is in how it's freedom of information acts are implemented ie how easily can journalists and citizens find out what the government is REALLY up to. "Stolen" government information that is leaked may very well undermine *the government*, but it doesn't undermine democracy (in fact, usually speaking, if it's uncovering the governments dirty little secrets it's usually strengthening democracy)
In communist countries, back in the day, when you called someone over the phone, there would be an officer officially listening to the conversation. They would say "this conversation is monitored, carry on". They would make notes who called whom and a brief what it was about.
Of course they didn't have enough agents, so it was at random or if you were a person of interest then almost always.
It's not hard to imagine that government will require providers to install a black box, where government will be performing its own filtering and detection without telling what is being looked for.
In a few years time, they will also develop conversation anomaly detection, where you may be flagged as e.g. potential agent of change and would have your social credit score lowered and people you associate with would get a warning that their score will be reduced if they continue to contact you.
In my opinion, anyone suggesting implementation of these things should be removed from power.
>It's not hard to imagine that government will require providers to install a black box<
Personally i am convinced that these black boxes have been working for years already.
As more communication starts to use End to End encryption those black boxes are no longer effective.
Thus new black boxes either in the communication apps or in the operating systems are necessary to allow filtering for whatever the snoops are interested in.
The problem is how to convince the masses to go along with this as more people become aware of the issue and won't buy the argument that security or children basic rights are some kind of "super fundamental right" trumping everything else including our right to privacy.
Politicians keep trying to use the same arguments (mainly terrorism and child abuse) to justify mass surveillance but won't give up until they manage to get it installed.
I can tell the black boxes exist. You can research with this info - just after 9-11 there was a couple articles on techs commenting concerns about (for a fun term) installing black boxes, taps at telco hubs. I forgot the name of one of the companies, but there was some talk about why Rudy Giuliani had invested in the company - that it was either for insider trading or for the NSA - I expect both, but yes they do exist.
Always expect there is no privacy when on the internet - not here, there, china, or anywhere.
Encryption is math and the genie cannot be put back in the bottle.
The only thing this law will do is monitor law abiding citizens using government approved apps. No threat actor worthy of their pending crimes will use those apps.
"Let's bomb parliament with kiddie porn. We can use GovChat to plan it!"
<That is sarcasm for those without humor>
(Been looking for an opportunity to use this icon)
What these schemes are targeted at are people who have photos they've collected from various sources on their computer/phone trading them with others, via encrypted chat like Telegram. Not people producing new content and selling it - these CSAM schemes don't work to detect newly created images AT ALL, because it isn't designed to. It has to be added to the database.
These people are smart/dumb as any typical person is about tech. They know how to drag images out of their stash to attach to a message and hit send. Sure, encrypting them beforehand would be smart as far as reducing risk, but how many average computer/phone users do you know who could download an encryption app, convert the files, remember to attach those instead of the unencrypted version, hit send, send the decryption key in a separate message (preferably via a different app) then know how to reverse the process on the other end? Without being handheld by someone to walk them through it a few times?
This isn't something they could ask their tech literate child or neighbor to help them with ("why do you want to encrypt photos before you send them?") they'd have to figure it out all on their own. Many won't, so as with most policing this would catch only the dumb criminals. The smarter ones can be caught, but that takes more work so most police don't bother because there are so many dumb ones they have their hands full just dealing with them.
And so it will not, cannot and will never protect a single child.
It will simply encourage the police to ignore even more reports of actual in-progress child abuse, because investigating that kind of crime is difficult.
Much easier to just automatically arrest a few dumb gobshites sharing ancient history - who will be more careful next time.
Worst, it will encourage more child abuse to create new, untraceable material.
In short, it's exactly the kind of idiotic bullying we've come to expect from Ms Patel.
2018: "The Five Eyes nations have told the tech industry to help spy agencies by creating lawful access solutions to encrypted services – and warned that governments can always legislate if they don't."
https://www.theregister.com/2018/08/31/five_eyes_2018_meeting_encryption_terrorist_content/
Various people have been put in place to implement it. Pritti Patel in the UK, Peter Dutton in Australia etc:
https://twitter.com/pritipatel/status/1180195336490557442
"Discussing the dangers of end-to-end encryption with close allies AG Barr and @PeterDutton_MP at the US @TheJusticeDept today. We can not let tech firms design platforms that give serious criminals & terrorists the advantage."
Obviously "serious criminals and terrorists" didn't cut the crust, so she's switched to pedos as a way to bypass the privacy right.
2019 we got the Ian Levy/Crispin Robinson proposal to give GCHQ a second key to all encrypted comms. Every time an encrypted session is created, GCHQ would get notified and a key so they can listen in. Oh fook off. You lot are more loyal to 5eyes that Britain. If Barr had told you to spy on Brits for Russia, you lot would have done it.
https://www.securityweek.com/inside-gchqs-proposed-backdoor-end-end-encryption
Any whistleblower care to leak? I think Pritti simply did it anyway and all this lying crap is simply to give a legal basis for it. I bet she already backdoored end-to-end encryption, I bet her foreign "allies" are aware of it, and Brits are not, care to leak?
@AC
Quote: "....proposal to give GCHQ a second key to all encrypted comms..."
See above for comments from another AC.....encryption implementing Diffie/Helman doesn't have any persistently stored key.......the key is calculated as needed then thrown away.
D/H was first published in 1976. It amazes me that the current discussion about encryption continues to bang on about persistent/published keys (as in PGP, for example).....when the D/H process allows for:
- no persistent keys and no key exchange
- the only public messages include D/H tokens...which tell the listener nothing about the keys
- the encryption algorithm cannot be determined (it could be IDEA, RSA, AES, samba, chacha....or other)
.....and all of these benefits are available to anyone who can read the D/H spec and then program using gcc and gmp!
So if my Ts and Cs say you have to be an adult ie. over 13 or over 16 or over 18 or over 25 or ask your guardian if you are a woman in Saudi Arabia to use this app then the onus is on the parents for allowing them to use an app for adults?
If you don't mind me asking, what are the parents doing allowing kiddies under 15 to access the internet full stop?
If you don't mind me asking, what are the parents doing allowing kiddies under 15 to access the internet full stop?
In case it escaped your attention, for large swathes of 2020 and some of 2021, a significant proportion of schoolchildren needed internet access to log into their lessons.
So is this the equivalent of kiddie scissors for the internet?
I wouldn't give a kiddie a plasma cutter and wouldn't let them anywhere acetylene so why don't they politicians cut through the bulls shit and admit the that the problem is that "tech" targets children, and they do so knowingly yet wont admit it. Just find Facebook and Google, or the metabet.
>I wouldn't give a kiddie a plasma cutter and wouldn't let them anywhere acetylene
FYI, at secondary school (age 11~13) we were taught to use the acetylene torches in our metalwork classes and using them subsequently without direct teacher supervision... The steam boiler I made, still works...
The present disgraceful Conservative government's proposal that tech companies could be fined by Ofcom to the tune of $25 million (£18 million) – or ten percent of their global annual revenue depending on which is higher, should it prove impossible for the tech companies to comply with an absurd request, is then simply a stealth tax raising exercise to raise funds for government spending. Nothing more, nothing less.
If they were genuine in their concerns, surely government with all of its contacts and expertise on call at vast public expense, would provide an appropriate app and have businesses duly mandated to install it. That has things sorted simply practically immediately and extremely effectively too ......... you know, in much the same way as they say China ensures that businesses are suitably controlled.
Can't see much of this standing up to judicial review. It's going to be pretty easy to argue that, if the conversations do not take place on provider's servers, then they cannot be held responsible. Client-side scanning is probably the new hope, but seeing as this is essentially a backdoor, it's also likely to be declared illegal. Of course, people can opt in… but those might be the people of interest!
...which is by its nature encrypted, and where illegal apps are distributed and used without Nanny having a clue?
These evil clowns living in the drains are already at home there.
How hard can it be to add spook-free CSAM-ready messaging apps to the dark mix? You'll get your phone pwned and your ID stolen. That is, if you haven't already. Either way, it's better than having your life donated at Her Majesty's Pleasure, to the waiting list for a special paedo unit.
[What we need here is a Reality Check icon. What do you think, Sherlock?]
<quote>The proposed update to the Online Safety bill [PDF], currently working its way through Parliament, states that British and foreign providers of a "regulated user-to-user service" must report child sexual exploitation and abuse (CSEA) content to the country's National Crime Agency.</quote>
So this does not apply to unregulated user-to-user service?
What is to stop the bad people from writing their own version of Android and messaging app?
If they are doing bad things breaking another law is not going to bother them.
I remember working on a bit world wide sports event where they provided email.
The email was scanned for bad stuff. Eventually this was scrapped as the scanners would not detect "We have your children -so lose" and the skater called "la bomb" got no mail.
Scanning images is more complex that this. The announcement needs to say how it will be scanned. If it is like Anti-Virus software will my phone get "updates" every couple of days as the parameters change?"
Microsoft keep a database of hashes of illegal images which are used by various police forces to automatically scan computers belonging to suspects. Automatic scanning is the only practical way of searching a PC hard drive given the enormous size of drives these days.
Microsoft also provide a program to do the scanning. So far as I know, this is just more or less a re-implementation of the open source "findimagedupes" which can be found in many Linux repos. The original is written in Perl and has been around for decades.
Essentially the algorithm breaks the image up into blocks. converts each to B/W, and does various other things so that just altering shade or colour balance or cropping it slightly doesn't throw the algorithm off. It then converts the whole thing to a hash.
The default is to calculate all the hashes on the fly, but findimagedupes has an option to use a file of stored hashes in order to reduce the amount of work that has to be done on repeated comparisons.
I've used findimagedupes on large data sets of legal images of various sorts. On a small data set it is remarkably effective. As the size of the data set increases however, so does the number of false matches. I haven't done a statistical analysis on it, but as the number of images to be compared increases the false match rate also seems to increase exponentially.
The algorithmic match factors can be tweaked as parameters, with the default being a 95 per cent match. That seems to be the optimum between too many false matches and too many close misses.
Some false matches are quite easily understood. Suppose for example you took a photo of yourself standing in front of a blank wall, and then turned around and took a second photo. The difference between your face and the back of your head is too small to really matter to the algorithm to avoid a match, regardless of how obvious it seems to you.
However, some false matches are completely inexplicable. There may be no points of similarity at all but it still comes across as a match. I suspect these may simply be actual mathematical hash collisions.
Overall findimagedupes is good if finding some matches is good enough for your purposes. Suppose for example you have a large collection of categorized WWII military photos and want to compare it to other similar but uncategorized collections so you can do a fast first pass sorting of these other collections based on near duplicates which may have been resized, slightly cropped, or otherwise altered. Some errors are acceptable in this sort of application as you are just looking for a starting point.
The big problem with the current proposal is that the application is so different from what the police are currently doing (all they need is one true match to kick off a manual investigation of the rest of the images) that I don't see how the idea will work.
To be useful for pre-scanning all messages, the false positive rate must be negligible or else the support system would be flooded with customer complaints. There must be hundreds of millions if not billions of images sent as messages each day. Even a tiny false positive percentage is a big number in absolute terms.
If someone has developed some sort of magic technology to get around all of these problems, I haven't heard of it yet.
Meanwhile for people who want to avoid the filters, all they would likely need to do is to put the images into an encrypted archive file before attaching it to the message, or even possibly just change the file extension from "jpg" to something else.
The proposal may actually refer to client side scanning on your computer or phone, using perceptual hashes. So it'd be searching all your images on your hard drive. This is similar to the EU proposal for chat control. They want this plus detection of grooming conversations. Apparently they would accept 10% false positives.
I get the intentions, but this is so baldy thought through.
Let be clear. The government are talking about:
1) Building in filters to detect and report child abuse
2) Filters are normally models, typically AI based these days
3) The models need training on validated data sets, which has to be the real thing to avoid biases. You can't just train it on legal porn.
The government is going to licence tech firms to hold child porn and train models against this? Whats to say this illegal content is then distributed illegally by the same tech firms.
This is completely disgusting and I can't think of someone who would even want to work on such models. It would be a harrowing role.
This post has been deleted by its author
From the government's perspective surely the better way to go is to supply the hash libraries to Computer Repair Shops who will be put under obligation to scan all customer hard drives that come in for repair? Some kind of law would then have to be passed in similar form to TV Retailers having to inform TV Licensing of TV sales.
Maybe the likes of PC World might be already under such a scheme?
The thing about pedo spreaders is that they need to advertise their presence - otherwise they can't spread. From a 2019 NYT article "The Internet Is Overrun With Images of Child Sexual Abuse. What Went Wrong?"
With so many reports of the abuse coming their way, law enforcement agencies across the country said they were often besieged. Some have managed their online workload by focusing on imagery depicting the youngest victims. “We go home and think, ‘Good grief, the fact that we have to prioritize by age is just really disturbing,’” said Detective Paula Meares, who has investigated child sex crimes for more than 10 years at the Los Angeles Police Department.
So where is the bottleneck here? It seem to be bottleneck is the budget devoted to following through with the already overflowingly abundant digital evidence to make arrests and prosecute. Why is budget so insufficient? Doesn't hurt the bottom line of digital content owners?
AFAIC Ceasar can have what is due unto him for his digital content, but this cynical twisting of the truth is very damaging to many parties, from the children who actually need help to businesses and UK government agencies using consumer communication software they believed to be be secure only to find it has been back-door-hacked by bad guys.
This is already full EU law and policy. “Temporarily” they allowed companies not to comply:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32021R1232
But it’s coming into force pretty damn soon. EU folks had 8 weeks public consultation to protest….the last day of which was, quite literally, yesterday.
https://ec.europa.eu/commission/presscorner/detail/en/IP_22_2976
You know what the blocker was? Certain countries complained that the legislation would prevent “consensual sexual activities in which children may be involved and which can be regarded as the normal discovery of sexuality in the course of human development”. Clause 6.
*17* out of the 28 EU member states define the age of consent *for sexual activity between a child and an adult* as 14 or 15 years old. Yes. You read that correctly. 14 years old.
https://fra.europa.eu/en/publication/2017/mapping-minimum-age-requirements/consent-sexual-activity-adult
Remainers really don’t know what they voted for.
Can someone send me all of these hash databases and deep learning models that are being developed to identify bad files or content?
For file hashes I can create innocuous files whose hashes collide with with bad file hashes, scatter them on social media, and tie up investigative resources.
For deep learning models that identifies bad content I can create an adversarial deep learning model that can generate content that the supplied deep learning model identifies. I can let the government provide the training tool for automated generation of bad content.
There are a lot of silly people that think that the range and options of information available can be constrained. It is disappointing really.
This is dangerous technology for human rights. For a file hash based solution consider this scenario
There is an anti-government meme circulating and the government would like to know who is sharing it (or the government creates their own anti-government meme and seeds it to social media), then they add the file hash to the database. Now whenever it is shared the authorities get notified but no further action is taken (as would be the case with child sexual images) but the government gets a picture of who is sharing this image meme, what apps they are using and who is in their networks.
Now while our government may not do this many repressive regimes might use it in this way. Once our government coerces technology companies into building this software it’s availability would be a gold mine to repressive governments.
Once the technology exists for scanning images, why not text or other documents? And presumably unencrypted communications would also be scanned.
How will reading encrypted messages will keep children safe on line ?
Children go on line without encryption.
Stopping other people from sending illicit content does not protect children on line.
This plan is another half baked attempt to improve something, which in doing will screw up so many more things, but that isn't a worry for these under-educated, part time, tech wrangling MP's........
Humiliating that the UK doesn't have a better IT outlook.............
ALF
1) It's not possible to do it with secure end-to-end encryption without scanning client-side.
2) That's not possible without mandating what effectively amounts to state-level spyware on every device.
3) You would then have to mandate the types of devices that were allowed to be sold, to ensure compliance.
1) Unreasonable.
2) Extremely unreasonable.
3) Monumentally unreasonable.
I obviously understand and sympathise 100% with the need to remove horrendous material and stop abuse, but we're doing a terrible job in the real world of protecting children we know are at risk. Maybe the police should focus on that.
The final stages of the bill were due to take place in the House of Commons on Wednesday July 21st. but will now be shunted to later in the year, meaning that a new prime minister, home secretary and culture secretary may kill it because they don't agree with the bill in its current form.
Apparently it's Labour's "fault" for trying to get a no-confidence motion debated, resulting in the Conservatives calling their own debate on Monday 18th. July. This, in turn, caused the Northern Ireland protocol bill to be moved from Mon/Tue to Tue/Wed, and parliament goes into recess after that.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
