Encryption: Choosing Safety over Privacy, Vice Versa or Both Together

The encryption debate is being fought along the issue of Child Rights. So it is time for the experts to consider broader implications and make informed choices. 

The Encryption Debate

In January 2020, a letter put together by NSPCC, a leading child protection organization in the UK, was circulated by noted online safety expert Mr. John Carr as part of a signature campaign. The letter, directly addressed to Facebook CEO Mark Zuckerberg, concerns itself with the company’s announcements in 2019 of a phased implementation of end-to-end encryption across its messaging platforms. These announcements were divisive on arrival.

Those opposed to the move, like the signatories of the letter, primarily argued that Facebook’s actions prioritized its own interests while providing refuge to some of the worst actors and rogue elements on the internet. These include individuals and cartels committing acts of grooming and sexual abuse of children and those dealing with the production and circulation of child sexual abuse imagery. Anti-terrorism and anti-privacy groups also had a set of bad actors who they thought would benefit from the move and joined child rights groups in strongly opposing it. Most governments, which had always been trying to regulate their way around encryption, joined in this condemnation.

Those who supported Facebook’s proposal also unanimously agreed that the move was largely self-serving on the part of the tech giant. However, they expressed concern regarding dwindling civil liberties across the world, increasing crackdowns on free speech & dissent as well as the rise of invasive surveillance mechanisms. They expressed support for end-to-end encryption as an essential safeguard against any ill intentions of the surveillance ecosystem in which both states as well as tech giants are complicit.

Requesting You to Understand the Chronologies

On 25th January 2020, a few days after the NSPCC letter was circulated for signatures, the ad hoc committee of Rajya Sabha MPs in India led by Jairam Ramesh submitted its report on curbing online child pornography. One of its recommendations was that messaging apps must weaken their encryption, thereby allowing access to law enforcement.

On 6th February, the NSPCC letter was released publicly with the support of over 100 child rights organizations.

Around 13th February, the Indian government issued guidelines that tech companies must grant full, unprecedented access to user data to government agencies upon request. This was a follow-up to the announcement in December 2018, where 10 agencies were given carte blanche access to monitor any citizen’s internet traffic with little to no oversight & accountability.

On 20th February, India’s Prime Minister & Union Home Minister, at the All India Conference of Director Generals/Inspector Generals of Police-2019, in the light of civil disobedience following amendments to the national citizenship act, recommended that WhatsApp groups of college students be infiltrated & surveilled. It feels appropriate to mention that just a month ago, minor students & teachers in a school in Bidar, Karnataka had been booked for sedition for a school play against the Citizenship Amendment Act.

In March 2020, a series of articles published by Huffington Post, India under the hashtag #SurveillanceNation revealed the burgeoning of an invasive surveillance state. Based on broad swathes of data collected during the Aadhaar linking drive and the updation of the Socio-Economic Caste Census 2011, the government of India has created a 360 degree database with information on every single Indian. It is an all-encompassing, auto-updating, searchable database to track, in real time, when a citizen moves between cities, changes jobs, buys new property, and when a member of a family is born, dies or gets married and moves to their spouse’s home.

The series also mentions how the Telangana government already has a system which live-tracks residents of the state. This was the logical endpoint to the Telangana police exercises where they would sweep marginalized neighborhoods and electronically profile youth and other individuals from the communities. The details on each citizen are reported to be ‘granular’. Neighboring Andhra Pradesh also maintains a publicly available, geo-tagged online dashboard, searchable by religion and caste, to identify the homes of 5,166,698 families across 13 districts.

This is currently the known but, for all purposes, ‘undeclared’ status of the surveillance ecosystem of the Indian state, which, if you remember, had in 2017 declared privacy to be the fundamental right of every citizen.

Evolving Considerations

Consider the above chronology and the implications it has on all children, their development and their future.

The debate is far from over and must be treated as such. It remains an active question that deserves an evolving and expansive consideration.

Each one of these events has had some press coverage and advocacy around them at the time. Opinions were weighed and then all of us, more or less, moved on.

But when one is called upon to pick a side on a tricky issue with valid & urgent positions on both sides and a mercenary tech giant in between, it is time to ponder a larger narrative, beyond a knee-jerk reflex.

Things to Ponder

Security & governance are factors most commonly cited by government agencies as reasons to break or weaken encryption. Claims made by the state and its agencies that they need data for better implementation may sound plausible but need to be looked at critically, especially when, time & again, all across the world, it has been investigated & proven that governments already have invasive surveillance mechanisms & repositories of data in place on all their citizens, irrespective of their backgrounds & proclivities.

India does not have a data protection law as of date. The agencies tasked with monitoring have little accountability. Such situations make the ecosystem ripe for tendencies of overreach & manipulation with nothing to counter it. If one wants to bring into place a provision for encryption weakening/breaking, child rights groups and concerned citizens should necessarily precede such a demand with calls for a robust data protection system and accountability of monitoring agencies.

A structural problem with lawful access to encryption or a backdoor key created ‘only’ for the governments is that it would essentially create a vulnerability for everyone to exploit (as seen in the recent Pegasus scandal). If encryption is weakened it could put children in more danger as their sensitive information could be stolen and eavesdropped on by malicious attackers.

If users migrating towards encrypted platforms is a concern, it might be a valuable exercise to ask users why they are choosing to migrate. Is it to indulge in illegal & extra-legal activities or because they found themselves vulnerable to crackdowns and the toxicity of avenues on the open internet? Many answers found here will treat privacy as something that goes together with security and not as something that stands in opposition.

Now if we really stick to the premise of ‘we need data to protect children online from rogues & bad actors’, let us consider the findings of the Global Threat Assessment study released by the WeProtect Coalition in 2019. The study lists socio-economic factors, displacement of communities and cultural factors as among the top 3 factors that contribute to the vulnerability of the child to online child sexual abuse. So before weakening encryption, shouldn’t we be calling for a stronger welfare state & suggesting cultural solutions to the issue? Also, forgive our digression, if one has ever witnessed a police force & municipal body join forces to evict a slum, one can very well imagine the interaction of state systems across these 3 key factors and it is not encouraging.

The study also highlights that children are at the highest risk of in-person contact abuse by immediate family members. It further mentions that a staggering 67% of the child sexual abuse material they analyzed is suspected to be taken within a ‘home’ set-up. Thus, the groomer making the first contact with the child in an online space seems to be a minority scenario. In such cases, strengthening instruments of autonomy and anonymity would seem to be in the interests of the child as it would help create conditions that enable reporting and disclosure.

Also, do consider that India has a tradition of discrimination that spirals through a system of gender, class & caste all across society. It is easier in this country to secure and harvest the data of a marginalized person than a rich person. For example, the more marginalized you are, the more you validate your Aadhaar card and the more likely you are to give away your data for access to essential services & goods. Encryption will not go away. It will remain for the rich who can pay for it. It will only be the marginalized who are pushed further into the margins and have to make do with sub-standard services.

And pondering these questions in no way takes away from our support to the victim children and affected families. At WeProtect 2019, the institutions & organizations that supported anti-encryption made a call to action to bring forward victims’ voices and use their stories as a powerful medium for advocacy. We have heard those testimonies and they are nightmarish, wrenching, utterly heartbreaking and even stirring and inspiring. And yes, everybody from tech companies to states to NGOs needs to do more to prevent the issue as well as respond to it. But passively giving more power to the state to investigate and prosecute, as if tackling sexual offences against children is just a simple question of burning a few straw men, is never a valid response.

Something far more holistic is required.

Things to Come

If this is a critical issue, let us steel ourselves and be critical about it. And examine it in larger contexts both global as well as local.

Children did not create issues on the internet. And they had no say in how the adults have further, progressively and exponentially, messed it all up. And now it’s time for us to work out how not to make it infinitely worse and hand them over a surveillance state in lieu of a future.

And then to tell them that it was all for their benefit & well-being.

Disclosure:

*Aarambh India got in touch with Mr. Carr regarding the NSPCC letter by email. We respect him, his work and his views and did not wish to make a public exchange on an issue that we were still getting our opinions around. After several rounds of correspondence, we have agreed to disagree respectfully.

*Facebook is one of Aarambh India’s current funders.
