
There have been some recent calls for Meta to refrain from adding end-to-end encryption to the messaging functionality in some of their apps, on safeguarding grounds. It makes initial sense to consider the potential risk of harm to children and others through harmful online content or contact. How can agencies, schools and individuals protect people, including the young, from harmful content or contact when they are unable to identify the content due to encryption? How can criminal individuals be prosecuted when key evidence is inaccessible due to being encrypted? The challenge here, however, is establishing some of the possible implications of either weakening or removing encryption. As with most things, there is a balance: improvements in monitoring and detection achieved through removed or weakened encryption will bring other, less positive, counter implications. I note that sticking with the current level of encryption, where technology moves on and where criminal skills and approaches continue to develop, likely equates to a weakening over time, meaning we can either continue to strengthen our approach or, by doing anything else, reducing or doing nothing, choose to effectively weaken encryption. So, what are the general implications should we choose to reduce or remove encryption, rather than seeking to strengthen it?
Increased vulnerability to cyber attacks
Encryption is a key tool used to protect data and information from unauthorized access. Weakening or removing encryption makes it easier for cybercriminals to break into systems and gain access to sensitive information, which in turn puts individuals, including children, more at risk. At a time when individual privacy is such a hot topic, anything which may reduce this privacy or put it at risk is of concern.
Increased surveillance
Weakening encryption can also make it easier for governments and other organizations to monitor online activities and communications. It may be that this monitoring is done in our interests, in the interests of safeguarding for example, but there is the potential for data or monitoring solutions to be misused. They could be used for invasive monitoring and surveillance, to identify individuals based on beliefs or political beliefs, for example. They may be used to challenge or silence views counter to the government or intelligence agencies. It may be that the data gathered allows other data to be inferred, where this then violates individual privacy and freedom of speech. Or it may be that these systems, even when used correctly and ethically, suffer data breaches resulting in the data or systems being misused for criminal or unethical purposes. Increased surveillance capability through weakened encryption has significant potential as a risk to individual privacy.
Loss of trust
Weakening encryption can erode public trust in online communication and commerce. This in turn can lead users to be less likely to trust the digital systems which we increasingly require in our day-to-day lives. The potential impact, should we no longer be able to trust our online communications and collaboration platforms, our online banking, online shopping, etc., would be very significant indeed. It may also lead individuals to seek to use systems in the darker recesses of the internet, where these systems may be perceived as more secure and outside government monitoring or surveillance, but where other implications or risks may exist.
Negative impact on businesses
Related to the above, weakening encryption could also have a negative impact on businesses that rely on secure online communication and transactions. This includes e-commerce sites, financial institutions, and healthcare providers. If encryption is weakened or removed, then users of online services are more at risk, and the services themselves are also more at risk. Individual users may lose data and become subject to fraud or other cyber crimes, while the breached organisation suffers reputational damage, legal claims for compensation, plus the overall cost of recovery following a cyber incident. Basically, no-one wins, other than the cyber criminals that is.
Conclusion
The issue here is one of balance: the balance between individual privacy and protecting individuals from harm online. Providing privacy also gives protection to the individuals who may cause harm, which means that harm is more likely, while providing protection against online harm will weaken an individual’s privacy even where their motivations and actions are honest and good. Sadly, we cannot provide privacy online for some but not for others. Either privacy and security is built into systems, or it is not, as we have no way of identifying those who may or may not cause harm.
There is also an issue of pragmatism. If we reduce the privacy level of some services, by not enabling end-to-end encryption for example, then users, and particularly those seeking to do harm, will simply move to those services which provide more security and provide end-to-end encryption. I have seen it myself in the unknown user who DMs an individual on a major social media platform, before, after a short series of messages, suggesting moving to an alternative “better” platform as they know this is better suited to protecting their privacy as they seek to go about their likely malicious aims.
Overall, there is no perfect answer here. I think technical security and privacy is key to the digital world we live in, but we also need to keep individuals safe online. Sadly, these two requirements are largely at opposite ends of a continuum. I suspect a reduction in technical security would have wider implications on the world than increased security, although I note it isn’t a zero-sum game. Personally, I think we need to err towards greater encryption while seeking to mitigate the safeguarding risk as much as reasonably possible by increased discussions, training and education regarding safety and risk online. Not a perfect answer, I know, but as I said, there is no perfect answer and anyway, we don’t live in a perfect world.