The use of end-to-end encryption by messaging services is putting children at risk, according to a new report from the Children’s Commissioner Office (CCO).
Around 90% of children aged 8-17 use services that offer end-to-end encryption, such as Whatsapp or Facebook Messenger, the report said. This includes a significant number of children under the apps’ recommended age limits.
The CCO report, entitled Access Denied, estimated that around a third of children have received messages that have made them feel uncomfortable through one of these messaging services.
It also pointed to a rise in the number of images and videos of child abuse being reported by tech companies. Facebook in particular has a problem with child abuse images, with recent figures showing that over 90% of the almost 70 million sex abuse images reported by US tech companies come from its services.
This includes a significant number of self-generated images, where children are coerced into producing and distributing the images themselves.
“Many people assume that this kind of content is confined to the dark web – but official figures show the staggering rate at which child abuse material is distributed across major messaging sites like Facebook Messenger, which are also popular among children,” Children’s Commissioner Anne Longfield stated in the report.
End-to-end encryption is one of the highest levels of security currently available on messaging apps. Messages are encrypted when at they are sent and only the recipient has the means to decrypt them.
This not only makes them largely immune to being intercepted mid-transit by cyberattackers, but it also means that the service provider cannot access the content mid-transit. This also means that authorities cannot access the content either.
The report claimed that moves to expand the use of end-to-end encryption will undermine attempts by law enforcement to prevent child abuse across messaging services.
Several services, including the popular messaging app Snapchat, are currently considering implementing end-to-end encryption.
“The CCO is concerned that a major shift to end-to-end encryption if implemented rashly and irresponsibly, could provide a convenient loophole for tech companies to side-step their duty of care to young and vulnerable users,” the report states.
- Leader Insights | The great privacy debate with Sorcha Lorimer, founder of Trace
- ICO working on new data-sharing code of practice for business
- HMRC reported 11 data breaches to the ICO in 2019/2020
The report called for online harms legislation to introduced to Parliament at the earliest opportunity. These regulations would need to set strong expectations for platforms to age verify their users, along with creating governmental powers to sanction companies that breach their duty of care.
“This should include GDPR-style fines, but extend to senior management liability and ISP-blocking in the most serious cases,” the report said. “Companies should also be required to issue notifications to their users when they are found to be in breach of the duty of care.”
In addition, the report also outlined four tests that tech companies must meet before outlining a new feature.
These include demonstrating how the platform will ensure child safety by design, not applying end-to-end encryption to children’s accounts, putting mechanisms in place to monitor for child sexual exploitation, and retaining the ability to scan for child sexual abuse material.
“Based on the detail made publicly available so far, the CCO does not believe that either Facebook or Snap’s end-to-end encryption plans satisfy all four conditions yet,” the report said.