Child safety: Challenges in the online ecosystem
The increased popularity of digital spaces, especially among minors, has led to them being exposed to new forms of exploitation on troubling scales. These include “made to order” services that allow the perpetrator to apply filters relating to age, gender and race of the children while requesting Child Sexual Abuse Material (CSAM)[1], services that allow the perpetrator to view child sexual abuse via live stream and, in some cases, even direct it. These are issues that need urgent attention, especially when a third of the users of the internet are children.
There is unanimous agreement on the need to protect children in digital spaces and the need to mitigate the proliferation of CSAM online on a global scale. The most common solutions offered are focused on maximising security, while privacy takes a back seat. The narrative around the right to privacy primarily focuses on adults, while minors’ right to privacy is taken for granted. This focus must shift taking into account the rights of children that, similar to human rights are “interdependent, non-hierarchical and indivisible”.[2]
Law of the land: Indian and the American regime
In an attempt to curb the increased dissemination of CSAM online, the Indian Government has introduced various provisions in the Information Technology (Intermediary and Digital Media Ethics Code) Rules, 2021 (Rules)[3]. For instance, Rule 4(2) mandates that significant social media intermediaries must enable the identification of the first originator of information on a computer resource for a prescribed number of reasons, one of which is that of CSAM. They must also endeavour to engage in proactive monitoring of CSAM per Rule 4(4).
The United States EARN IT Act of 2020 also lays down best practices in order to curb the dissemination of CSAM.[4] It mandates the creation of “backdoors” in encrypted technology so as to allow law enforcement agencies (LEAs) to access communications. In several publications, Rianna Pfefferkorn, a leading Stanford based cybersecurity expert, has highlighted the dangers such legislation poses on individual privacy.[5]
Whether it be the “originator traceability” envisaged in the IT Rules of 2021 or the “backdoors” mandated in the EARN IT Act of 2020, both are the antithesis of user privacy and free speech as they compromise the security provided by end-to-end encryption. There is a global push towards weakening end-to-end encryption be it via the EARN IT Act of 2020, the Draft Council Resolution by the Council of European Union,[6] or the Five Eyes Communique[7]. However, there is little evidence to show that perpetrators have been caught or penalised specifically as a result of such decryption. On the contrary, Anand Venkatnarayanan explains how Governments are seeking extant surveillance by breaking end-to-end encryption behind the veneer of child safety, which is the definition of Pedophrastry.[8]
Flawed approach: Explained time and time again
It is important to note that perpetrators do everything they can to remain inconspicuous on these platforms. They may create their own encrypted platforms, or might begin using platforms that are already encrypted. Criminals and terrorists also tend to develop their own encrypted platforms or networks.[9] The technology will still be readily available on the internet, and the passing of such legislation will not be able to keep criminals from using it. If encryption is outlawed, only the outlaws will have encryption, while law-abiding citizens shall be rendered susceptible to attacks by hostile actors.
The granting of exceptional access to law enforcement agencies is challenging from a technological perspective. The deliberate introduction of a vulnerability (in this case the grant of exceptional access to LEA’s) in the system also makes it vulnerable to unauthorised access by hostile third parties,[10] including enemy States. There is also the danger of an abuse of such power by the State.[11] The chilling effect on one’s freedom of speech and expression and the dangers of surveillance has already been discussed by several. Limited use of technology like PhotoDNA on publicly available data or unencrypted data to tackle is one thing, but to conduct mass surveillance by scanning everything going on an encrypted chat is a clear violation of both free speech and user privacy.
The Telecom Regulatory Authority of India has already stated that the security architecture of end-to-end encrypted platforms should not be meddled with for now as the same may render the users susceptible to cyber vulnerabilities.[12] The Supreme Court, in K.S. Puttaswamy v. Union of India,[13] judgment highlighted that any measure infringing upon one’s right to privacy must be sanctioned by law, necessary, must have a legitimate aim and the extent of the same must be proportionate in nature. Dr Menaka Guruswamy[14], Senior Advocate – Supreme Court of India and Mr Kazim Rizvi[15] – Founding Director of The Dialogue, have already discussed at length as to why the traceability mandate fails to meet the Puttaswamy test laid down by the Supreme Court.
Way forward: Ensuring privacy and security of the child
CSAM must be tackled with all the strength of the State but not in the way that it harms the best interest of the child itself. A child’s privacy is equally important. If by breaking encryption or enforcing traceability, the security architecture of the services used by the child is weakened rendering him susceptible to abuse then there is no point of this measure. The child is still rendered unsafe. Our methods must keep the interest of the child at the centre of the debate.
The CyberPeace Foundation has recommended a few solutions that attempt to strike a balance between maintaining the child’s right to privacy and the need to intervene in cases as critical as the dissemination of CSAM.[16] These include establishing a standard operating procedure, a hash register, a mandatory “report CSAM button”, etc.
Further, the Carnegie Endowment in its Working Paper on Encryption Policy stated that absolutist positions disallow policymakers from developing a nuanced approach to tackle this issue. The two positions rejected were – access to encrypted communication should never be granted and we should not look for solutions under the same; and LEA’s cannot protect the public without access to all encrypted data.[17] Policies must be subject to the principles of law, enforcement utility, limitation, transparency, evaluation and oversight, auditability, focus and specificity and equity. This will ensure that there is greater granularity of debate and allow viable solutions to be developed.
It is equally important to build the capacity of the law enforcement agencies. The American Invest in Child Safety Act is a brilliant initiative which created a mandatory funding of 5 billion dollars along with 100 FBI agents and 65 more positions in the National Center for Missing and Exploited Children to tackle online sexual abuse.[18] This along with efforts to create community level awareness about child sexual abuse is key to tackling CSAM.
Moreover, we must take more cooperative steps like building the meta-data analysis capabilities of the LEAs with support from Big Tech and academia. If end-to-end encryption is outlawed or weakened, the criminals will, as they have in the past, simply shift to unregulated end-to-end encrypted platforms or create their own platforms. Thereafter the LEAs would not even have access to the meta-data which regulated platforms provide.
The IT Rules of 2021 mandate originator traceability (tell me who the first sender is). This as the technical experts[19] and organisations[20] explain is incompatible with the very idea of end-to-end encryption. Accordingly, Rule 4(2) must not be implemented right away and a wider stakeholder consultation with technical experts must be conducted to better understand how such challenges must be tackled keeping the best interest of the child in mind.
† Programme Manager (Platform Regulation & Encryption) at The Dialogue.
†† Policy Research Associate at The Dialogue.
[1] United Nations, Office on Drugs and Crime (UNODC), “Study on the Effects of New Information Technologies on the Abuse and Exploitation of Children” (2015). <https://www.unodc.org/documents/Cybercrime/Study_on_the_Effects.pdf>.
[2] United Nations, UNICEF Office of Research – Innocenti, Florence, (2020), Encryption, Privacy and Children’s Right to Protection from Harm, Innocenti Working Papers No. 2020-2014. <https://www.unicef-irc.org/publications/pdf/Encryption_privacy_and_children’s_right_to_protection_from_harm.pdf>.
[3] <http://www.scconline.com/DocumentLink/8OCMsY3m>.
[4] Riana Pfefferkorn, The EARN IT Act is a Disaster Amid the COVID-19 Crisis, the Brookings Institution, (4-5-2020) <https://www.brookings.edu/techstream/the-earn-it-act-is-a-disaster-amid-the-covid-19-crisis/>.
[5] Riana Pfefferkorn, Client-side Scanning and Winnie-the-Pooh Redux (Plus Some Thoughts on Zoom), the Centre for Internet and Society, (11-5-2020, 4.16 p.m.) <http://cyberlaw.stanford.edu/blog/2020/05/client-side-scanning-and-winnie-pooh-redux-plus-some-thoughts-zoom>.
[6] Draft Council Resolution on Encryption by Council of EU, Security through Encryption and Security Despite Encryption <https://files.orf.at/vietnam2/files/fm4/202045/783284_fh_st12143-re01en20_783284.pdf>.
[7] The United States Department of Justice, Office of the Attorney General, Press Release No. 20-1,086, International Statement: End-to-End Encryption and Public Safety, (11-10-2020) <https://www.justice.gov/opa/pr/international-statement-end-end-encryption-and-public-safety>.
[8] Anand Venkatanarayanan, “The New Avatar of the Encryption Wars”, Hindustan Times, (4-2-2021 9.04 p.m. IST) <https://www.hindustantimes.com/opinion/the-new-avatar-of-the-encryption-wars-101612444931535.html>.
[9] Robert Graham, How Terrorists Use Encryption, CTC Sentinel, Vol. 9 Issue 6, CTCS 20 (June 2016) <https://www.ctc.usma.edu/how-terrorists-use-encryption>.
[10] Josephine Wolff, What Exactly are the NSA Hackers Trying to Accomplish?, Slate, (17-8-2016, 4.10 p.m.) <https://slate.com/technology/2016/08/what-exactly-are-the-shadow-brokers-trying-to-accomplish.html>.
[11] CBS News, Police Sometimes Misuse Confidential Work Databases for Personal Gain: AP, CBSN, (30-9-2016) <https://www.cbsnews.com/news/police-sometimes-misuse-confidential-work-databases-for-personal-gain-ap/>.
[12] Telecom Regulatory Authority of India, Recommendations on Regulatory Framework for Over-the-Top (OTT) Communication Services, (14-9-2020)
<https://www.trai.gov.in/sites/default/files/Recommendation_14092020_0.pdf>.
[13] (2018) 1 SCC 809< http://www.scconline.com/DocumentLink/nnXl4mu5>.
[14] Faye D’Souza and Menaka Guruswamy, Are the New Digital Regulations Unconstitutional? (26-2-2021)
<https://www.youtube.com/watch?v=bGFj-1dkffY&t=23s>.
[15] Kazim Rizvi and Shivam Singh, Does the Traceability Requirement Meet the Puttaswamy Test?, LiveLaw (15-3-2021) <https://www.livelaw.in/columns/the-puttaswamy-test-right-to-privacy-article-21-171181>.
[16] Cyber Peace Foundation, Technology Law and Policy Group, End (-to-End Encrypted) Child Sexual Abuse Material, (2020) ISBN: 978-93-5416-448-4, <https://www.cyberpeace.org/CyberPeace/Repository/End-to-end-Encrypted-CSAM-2.pdf>.
[17] The Carnegie Endowment for International Peace, Encryption Working Group, Moving the Encryption Policy Conversation Forward, (10-9-2019) <https://carnegieendowment.org/2019/09/10/moving-encryption-policy-conversation-forward-pub-79573#:~:text=Strong%20data%20encryption%20thwarts%20criminals,to%20move%20the%20debate%20forward>.
[18] Adi Robertson, New Bill would Put $5 Billion toward Fighting Online Child Abuse, The Verge, (6-5-2020) <https://www.theverge.com/2020/5/6/21249079/online-abuse-invest-child-safety-act-fbi-investigations-bill-wyden-eshoo>.
[19] The United States Department of Justice, Office of the Attorney General, Press Release No. 20-1,086, International Statement: End-to-End Encryption and Public Safety, (11-10-2020).
[20] Internet Society, Experts’ Workshop Series on Encryption in India, Traceability and Cybersecurity, (27-11-2020) <https://www.internetsociety.org/resources/doc/2020/traceability-and-cybersecurity-experts-workshop-series-on-encryption-in-india/>.
