UK Child Welfare Agency's Anti-Encryption 'Research' Ignored Everything It Didn't Want To Hear
from the when-'consulting'-just-means-'cherry-picking' dept
In late March, the UK’s National Society for the Prevention of Cruelty to Children (NSPCC) started injecting its anti-encryption views into the major papers via some press releases and statements claiming encryption was the “biggest threat to children online.” It also claimed its stance was supported by a soon-to-be-released report, which had gathered opinions and analysis from a number of stakeholders.
Its report debuted a few weeks later. Put together with the assistance of PA Consulting, the supposedly “balanced” report came to the conclusion the NSPCC arrived at earlier: end-to-end encryption is bad. That this wasn’t greeted with gasps of shock by readers and receptive journalists shows just how much the UK government’s disdain for encryption has gone mainstream. The NSPCC wasn’t saying anything new about encryption. It was simply saying what the UK government has been saying for years: it doesn’t care for encryption because it believes encryption aids criminals far more often than it protects innocent people, including the children the NSPCC claims to be so worried about.
The NSPCC presents its report as a research paper, but the list of stakeholders it actually chose to engage with guaranteed the report would result in the conclusions the child safety agency desired to see in print. As Barry Collins points out in his vetting of the report, the supposedly wide-ranging group of contributors was actually just a bunch of entities — many with ties to the UK government — which were already opposed to the deployment of end-to-end encryption by messaging platforms.
Here’s what the NSPCC said it was doing to compile this report:
“The NSPCC commissioned PA Consulting to collate the viewpoints of a broad range of stakeholders, representing civil society organisations, industry, law enforcement and governments, to identify potential mitigations and trade-offs that should be considered.”
And here’s what it actually did:
In total, PA Consulting interviewed 16 organisations when gathering evidence for the report, although it names only 15 of them. Only one of them could be described as a ‘civil society organisation’; six are from industry; seven are either law-enforcement, government (including the Home Office itself), or bodies that work for the protection of children; and one falls into the ‘other’ camp.
The industry members were apparently chosen for their willingness to echo the NSPCC’s narrative. Vivace says it’s a “consortium of the best and the brightest in the security industry.” Maybe that’s true, but it’s also funded by the UK Home Office, so it’s hardly an independent “consortium.”
Here are two of the other “industry” contributors:
Thorn “builds technology to defend children from sexual abuse”, and has vociferously opposed the introduction of end-to-end encryption on its own blog.
Crisp Thinking is a social-media monitoring company, who last year announced a partnership with INHOPE, “the global network combatting Child Sexual Abuse Material”, which works directly with law-enforcement agencies.
That leaves just a handful of contributors that aren’t already in favor of breaking encryption. And the single “civil society organisation” asked to contribute was Global Partners Digital. While Global Partners tends to be supportive of encryption and resistant to backdoors and other efforts to undermine user security, it’s hardly the most well-known of civil organizations when it comes to encryption policy and security research, as Barry Collins points out. Others like Privacy International, Big Brother Watch, and the Open Rights Group could have been asked for input, but weren’t.
Those who actually spoke out in favor of encryption were apparently sidelined by PA Consulting. One member contacted by the consulting firm summed up the experience this way:
In our work, we try to be constructive wherever possible. I was contacted by PA Consulting for an interview last September or October. And I think during that interview it was very obvious from the start that this wasn’t going to be a neutral technical analysis of encryption and the impacts that it has on different policy objectives, like tackling child abuse online.
It was obviously very much driven out of the desire by the NSPCC, I think, speaking quite frankly, to have a strong evidence base to justify their opposition to the use of end-to-end encryption.
The same went for comments going against NSPCC’s narrative when the draft was circulated to participants. Very little of what was said in opposition to the report’s slant made it into the final version.
If the UK government wants support for its anti-encryption efforts, it needs to do better than basically lying to people. The NSPCC has its duty to protect children. But it can’t do that job if encryption goes away. What protects adults (and, yes, criminals) also protects minors. Framing this disingenuous report as “research” is ridiculous. Undermining everyone’s security “for the children” is actually dangerous.