By Pedro Lourenço, researcher at the IP.rec
In the wake of the current phase of anti-encryption policies, we are seeing the emergence of “opaque” communication efforts that seek to terrorize the population with the threat of the dangers posed by encryption, especially for children. These are advertising campaigns that lack transparency, are based on misleading arguments and endorse measures that put Internet users’ privacy and freedom of expression at risk – without any guarantee that they would increase the safety of young people or anyone else. Governments and civil society organizations are involved in this conspiracy that threatens any possibility of a fair debate on encryption.
The insufficiency of the pulpit
While cryptography researchers and defenders have to resort to activist communication tactics, digital platforms and forums and scientific events to make themselves heard, anti-encryption – or pro-security, in their own terms – agents usually have more “illustrious” pulpits at their disposal: legislative plenums, official pronouncements from executive bodies and law enforcement agencies, as well as being treated as central and practically unquestionable sources in press stories. They are also primarily responsible for disclosing or omitting the data that justifies their positions and actions.
In the critical moments of the crypto wars of the 20th century, the defenders of online privacy, security and freedom closed ranks and managed to prevent further damage. But the pulpits continued to be occupied almost exclusively by official state agents, where they could continue to deliver their narratives of “threats hidden in the shadows thanks to cryptography”.
The implementation of encryption has brought an exponential increase in the security of banking transactions, international trade and the civil service. States’ own security activities were strengthened by the possibility of establishing communications and storing files without the chance of third-party interference and espionage. The adoption of encryption that really worried governments was the one made by rival states and ordinary people, in this case through open source software. It was on these uses of the technology that the biggest attacks were launched – with export restrictions, attempts to impose weak encryption and backdoors, and so on.
But the widespread adoption of cryptography by the population, which so worried state forces, came up against a more fundamental problem: only a small portion of the population owned personal computers, and in this small group, few had the interest and expertise to operate the available programs.
Anti-encryption and the response to it in the last decades of the 20th century involved “only” cypherpunks, civil liberties activists, technology experts, law enforcement agents and a handful of politicians and businessmen. Although they were the protagonists of the clashes that defined the Internet as we know it today, they represented a tiny group of actors in relation to the population as a whole. The scenario continued like this until the 21st century, when two tectonic forces collided and caused an eruption in the crypto wars, strongly impacting the entire globalized society: on the one hand, the massive espionage resulting from the “war on terror” and, on the other, the spread of the Internet, mobile devices and, above all, digital platforms and big techs.
The game has changed. Speeches from monopolized pulpits, which were once enough to overpower the voices of digital activists, were unable to stand up to a large computerized population and technology corporations that are increasingly influential in people’s daily lives. It was necessary to find a new way of continuing to say that encryption is a threat, and that new way was through less measured preaching about the horrors that were coming thanks to it.
“The end is near”
Apocalyptic histrionics are nothing new among society’s reactionary mobs. In the United States, every step taken by the black population towards winning civil rights has been accompanied by protests and racist attacks. The same can be seen in various countries around the world, in the reactions to important advances for women – such as the rights to divorce and legal abortion – and for the LGBTQIA+ community – who fought for the right to freely enter spaces and for their unions and families to be legal. In Brazil, newspapers campaigned against the end of slavery, shouting about the economic tragedy this would unleash. In 1964, conservative sections of the middle class, fearing a “communist threat”, took to the streets in the Marches of the Family with God for Freedom, fueling the establishment of the Military Dictatorship. Today, many of these reactionary protests are still taking place. They are even gaining momentum: at the gates of health centers where abortions are performed; in schools and cultural spaces, against supposed “doctrinal education” and “gender ideologies”; and even openly neo-Nazi demonstrations.
Extremism against human rights has shaped the actions of politicians, personalities and civil society organizations. Its primer contaminates the public debate in often insidious, less “noisy” ways. Faced with the disputes that emerge in the field of digital technologies – especially when they are related to child protection and privacy – groups and public agents with little knowledge of digital rights have resorted to both traditional and loud protests, as well as more discreet and sneaky strategies, such as sensationalist campaigns and speeches made “in the shadows”.
It is no coincidence that the latest wave of anti-encryption campaigns is taking place at the same time as disinformation tactics are repeatedly proving their effectiveness around the world. They share many factors in common: the potential for sensationalist and threatening information to go viral, the interwoven networks through which it is possible to hide the backstage of media content, the deliberate use of lies as a political tool.
If the anti-encryption speeches made officially by state agents and representatives of civil society organizations often lack ethical and scientific commitment, those promoted in opaque and sensationalist campaigns are completely unethical. Some of them are even illegal. From the pulpits or in the shadows, the scaremongering against digital privacy has turned to the threat of the moment: the adoption of encryption by the big technology companies, which would represent, for the followers of Going Dark, a risk to children’s safety.
UK government vs. Meta
Since the Online Safety Act (OSA) came into force in the UK at the end of 2023, digital services and platforms have had a duty to take stronger measures in the face of Internet threats, especially to protect children and teenagers online. The toughest parts of the law focus on publicly available content, which must be more closely monitored for child sexual abuse material (CSAM), grooming, fraudulent communications and other threatening, harmful and sensitive content.
The OSA imposes controversial measures for monitoring public content, with the potential to threaten users’ freedom of expression and privacy. But during the passage of the law, the points that generated the most tension between the government and digital freedom and security activists concerned the monitoring of private communications, especially those with end-to-end encryption. There were fears of the imposition of surveillance techniques that could undermine the use of encryption, such as client-side scanning and hash detection. Ultimately, the approved text of the law brought in a provision that could require messaging platforms to use “accredited technology” to identify specific types of content. However, there is currently no accredited technology. In this way, encrypted communications were spared from further breaches, but not before becoming the war material for a British government attack on Meta.
While the OSA was finishing its passage through Parliament in September, the government launched an aggressive communications campaign targeting Meta, pressuring the company to rethink its plans to implement end-to-end encryption on Facebook Messenger and Instagram. At the press conference where the campaign was launched, Interior Ministry officials used graphics to describe the types of CSAM that were at risk of circulating on the net if Meta implemented encryption.
In a campaign video, a victim of child sexual abuse directly asks Mark Zuckerberg, creator of Facebook and CEO of Meta, not to go ahead with his plans. Together with the Internet Watch Foundation – an organization aimed at protecting children and adolescents from sexual abuse on the Internet and which adopts anti-encryption positions – the government produced a guide for parents to advise them on the best way to protect their children if Meta adopted end-to-end encryption.
The then Secretary of State for Home Affairs Suella Braverman, who was at the forefront of the campaign, criticized Meta’s decision harshly on several occasions. She set out her concerns in a letter to the company, also signed by technology experts, police officers, child abuse survivors and child and adolescent protection organizations. On the BBC Breakfast morning show, Braverman said that Messenger and Instagram direct messages were the preferred platforms for online pedophiles. Asked by the BBC why, even with the powers granted by the OSA, it was necessary to ask Meta to stop implementing encryption, the Secretary replied:
“We now have wide-ranging powers contained in this new legislation that allow us, through Ofcom, the [UK communications] regulator, to instruct companies to take the necessary measures in specific circumstances. But I prefer to work constructively with these social media companies. They play a valuable role in our lives.” [emphasis added].
The same BBC article featured Meta’s response, in which the company states that “As we implement end-to-end encryption, we expect to continue to provide more reports to law enforcement than our peers, due to our industry-leading work to keep people safe.” In December, Meta implemented end-to-end encryption by default for personal messages and calls on Messenger and Facebook.
European Commission microtargeting
In November and December 2023, Noyb (European Center for Digital Rights), an organization committed to fighting for the right to digital privacy, filed complaints against the European Commission’s Directorate-General for Migration and Home Affairs and X for using illegal microtargeting to gather supporters for the Chat Control proposal.
Microtargeting is a marketing strategy that consists of identifying specific characteristics of individuals – such as age, gender, habits and location – and then promoting specific persuasion campaigns to the selected target audiences. Microtargeting originated in political campaigns, when candidates developed strategies to win the votes of different demographic groups of voters.
The practice had already been adopted by consumer marketing, and following the consolidation of digital platforms and data capitalism, it has become one of the most widely used tactics in digital marketing. Microtargeting is based on a series of unethical or even criminal processes in some countries, such as the abusive collection and processing of data, the production of profiling and its use to feed harmful habits of consumption, thought and action – and here we highlight its use in political processes with the aim of stirring up extremism and spreading disinformation.
Chat Control is a legislative proposal by the European Commission aimed at combating the circulation of child sexual abuse material on the Internet. The initial text of the law provided for security agencies to access any private digital content of users, including those that could be protected by encryption. In November 2023, the European Parliament voted for encryption to remain inviolable, reinforcing a position in favor of the privacy and security of the population. This is precisely what the microtargeting campaign tried to prevent.
In September, the European Commission’s Directorate-General for Migration and Home Affairs ran a sensationalist campaign with misleading data for X users in the Netherlands. In segmenting the action, the Commission targeted users based on their political positions and religious beliefs, directing the communication towards people more aligned with right-wing conservatism. The ads were shown to people interested in keywords such as Qatargate, brexit, Marine Le Pen, Alternative für Deutschland, Vox, Christian, Christian-phobia and Giorgia Meloni.
The campaign’s use of personal data on political and religious beliefs violates the European Commission’s own General Data Protection Regulation. It is also prohibited by X’s advertising guidelines, but even so, the ads were able to be boosted to impact thousands of people – they are still on the platform.
In its complaint to the European Data Protection Supervisor, Noyb highlights the Commission’s attempt to influence public opinion in the Netherlands with the aim of undermining the national government’s position in the EU Council. This would constitute a threat to the legislative process and, consequently, to democracy.
Heat Initiative vs. Apple
In 2021, Apple made public its controversial intention to scan files uploaded to iCloud for CSAM material. The content would be analyzed while still on the iPhones, before being uploaded to the cloud and encrypted, a practice known as client-side scanning. Faced with criticism from computer scientists, cryptography experts and civil and digital rights defenders, who pointed out that the measure would make iPhones more vulnerable and open up dangerous surveillance possibilities, Apple backed down from the proposal. But the idea continued to haunt the company.
In early 2023, a child safety advocacy group was founded which, as its first significant action, launched a major campaign against Apple’s privacy measures. This is the Heat Initiative, a non-profit organization that is almost completely opaque in its structure and funding.
Heat reverberates the Going Dark discourse, claiming that Apple enables sexual exploitation by allowing pedophiles to use iCloud encryption to hide CSAM and personal data. Journalist Sam Biddle published an investigation into the organization in The Intercept, and brought a description of the campaign it launched that gives an idea of the resources Heat has access to:
“When Apple launched its new iPhone in September, the Heat Initiative seized the occasion, running a full-page ad in the New York Times, using trucks with digital billboards and even renting a plane to fly over Apple’s headquarters with a message. The message on the billboard seemed simple: “Dear Apple, detect child sexual abuse in iCloud” – Apple’s cloud storage system, which today employs a series of powerful encryption technologies designed to prevent hackers, spies and Tim Cook from knowing anything about your private files.”
In the story, Sam points out that Heat is funded by a billion-dollar philanthropic network, the Hopewell Fund, through which the super-rich can secretly exercise their generosity and political will. The Fund, aligned with the Democratic Party, usually supports progressive agendas, but through labyrinthine and opaque operating practices that closely resemble those of right-wing and far-right funders. Matthew Green, a cryptographer at Johns Hopkins University, told the report:
“I’m not comfortable with anonymous rich people with unknown agendas promoting these massive invasions of our privacy. […] There are huge implications for national security as well as consumer privacy against companies. There are many unsavory reasons for people to promote this technology that have nothing to do with protecting children.”
The Heat Initiative is run by Sarah Gardner, a former member of Thorn, an organization founded by actor Ashton Kutcher that works against child trafficking. Thorn has already been the target of investigations and criticism for its partnerships and for providing surveillance and facial recognition technologies to the police, which target not only child trafficking, but also adults involved in consensual sex work. On Heat’s website, there is little information available about its team, work and sources of funding. In interviews, Sarah Gardner and Kevin Liao, Heat’s spokespeople, refused to answer or evaded questions about the organization’s operations and funding.
In a reaction to the Heat Initiative’s offensive, Apple has made public an email sent to the company by Sarah Gardner, in which she asks the company to “detect, report and remove child sexual abuse images and videos from iCloud”, and the response sent to her by Erik Neuenschwander, Apple’s Director of User Privacy. In the statement, Erik argues that:
“Analyzing the private data stored in each user’s iCloud would create new threat vectors that data thieves could find and exploit. […] It would also increase the potential for a slippery slope of unintended consequences. Searching one type of content, for example, opens the door to mass surveillance and could create the desire to search other encrypted messaging systems for all types of content.”
Turn on the lights
The insecurity of children and adolescents in digital environments, the use of the Internet to commit crimes and spread violence, the dissemination of misinformation and the encouragement of harmful behavior – all of these topics are fundamental issues of today that must be debated by society as a whole. The role that cryptography can play in each of these problems – either as an enabler or as a tool to solve them – deserves to be carefully analyzed in the light of scientificity and respect for human rights, especially those that safeguard privacy, free expression and security.
Anti-encryption speeches delivered in an opaque and sensationalist manner distance themselves from the democratic foundations of the public sphere. They establish a debate on unequal terms and undermine the actions of the very critics of cryptographic technologies who are trying to act in a reasoned, fair and dialogical way. Any effectively democratic discussion on cryptographic policies can only be held in public and open to the participation of all interested parties, because there is no possible dialog with those who crawl in the shadows articulating conspiracies.