A global group of 14 celebrated cybersecurity specialists has called on the technology industry and governments to abandon the idea of scanning unencrypted content on mobile phones and thereby circumventing the encryption that protects messages as they travel between devices. Apple presented a proposal in August to scan the contents of the world’s 1 billion iPhones for images of child pornography. Although the proposal was limited by several conditions that protected the content of innocent users, the authors warn that the guarantees are insufficient and, above all, that it opens a door that will later be difficult to close: “There are many ways in which client-side scanning [the technical way of referring to the user’s end device, abbreviated in English as “CSS”] can fail, can be circumvented and can lead to abuse,” says the article, titled Bugs in our pockets, to which EL PAÍS has had advance access along with other international media.
Apple withdrew its proposal on September 3 after hearing from “customers, influencers, researchers” and taking “additional time in the coming months to collect feedback and improve before launching these critical child safety features,” the company said. For now there is no further news, as the company has said in response to questions from this newspaper. “After looking at this technology – including Apple’s proposal –” the article says, “you see that the promise of limited mass surveillance technology is in many ways illusory.”
Among the signatories of the article are the Spanish engineer Carmela Troncoso, a professor at the Federal Polytechnic School of Lausanne (Switzerland); legendary figures of cryptography whose surnames have been given to widely used formulas, such as the Turing Award winners (the equivalent of the Nobel Prize in computing) Whitfield Diffie and Ron Rivest; and other specialists with years of significant work in this area, such as Georgetown University professor Matt Blaze, Tufts University professor Susan Landau, Cambridge University professor Ross Anderson and Peter Neumann, principal scientist of the Computer Laboratory of SRI International.
The article’s importance also lies in how unusual it is for a group of this kind to come together. It is the third time that some of its members have joined forces to ask governments or companies to stop trying to weaken the cryptography that protects the messages millions of users exchange as they travel between devices. “Although in these years the battle has changed a bit,” Rivest tells EL PAÍS by videoconference. The first crypto wars were fought between academics and US intelligence agencies, which sought to prevent them from even publishing or sharing unbreakable algorithms with foreigners. “Now it’s more of a police thing,” Rivest adds.
The border has been moving closer to the user’s mobile phone, which should be inviolable and inaccessible without judicial guarantees, according to Rivest, just as a house cannot be entered without authorization. That is the feeling this intrusion should give us if it comes to fruition. “We live in two worlds: the real one and the digital one. In the digital one you need a representative to speak for you, because you cannot speak in bits. The mobile has become that, your avatar. The ability to say that my mobile is my avatar and I have control over what it says and does is something that is very important to me,” he adds.
The article especially warns of the slippery slope that this new “dangerous technology” would open up. The report separately analyzes Apple’s proposal, which, despite its caution, the authors still consider weak and at the mercy of authoritarian governments, something that Apple has shown on other occasions it is not capable of stopping: “Apple has dedicated a great engineering effort and employed extraordinary technical talent to try to build a secure CSS system, but it has not produced a reliable and robust design,” says the text.
Apple’s proposal includes an algorithm that would “register” every photo with its own number. Apple would have access to a database of existing child pornography photos with their “license plates,” created by organizations dedicated to fighting this crime. If there are 30 matching license plates on a user’s phone, the system would notify an Apple employee, who would review the content of the image itself. For the signatories, the holes and the as yet unimagined consequences of such a complex system pose too great a risk.
An endless battle
In 2015 these researchers signed a similar document in response to pressure from the US and UK governments, which aspired to have private, exclusive access to whatever encrypted communications they wanted. As is well known, in any technology, building an access door for some means that others can open it too. The intention then was to weaken the encryption. “[Governments] propose that stored information and communications be designed with exceptional access for law enforcement agencies,” they said.
Now the aim is to go directly to the origin or destination of our communications, where the photos or messages are open and vulnerable. “It crosses that line where the device would no longer be controlled by the user alone,” Rivest says. “For me that is a red line.” Those interested in weakening a mode of communication that will be increasingly widespread keep trying new paths: “All efforts go towards normalizing mass surveillance,” Troncoso tells this newspaper. “It is something that should not happen.”
The article notes that the initial justification for introducing this technology is the fight against child pornography. The report sees it as a necessary excuse, impossible to ignore, but one that will be impossible to remedy. “Then there will be enormous pressure to expand its reach,” says the text. “There is no denying that child pornography is terrible,” says Troncoso. “But when a solution is proposed, you have to see its repercussions. We do not say that it should not be treated, only that this is not the way. You cannot attack criminals by attacking the entire population,” she says.
The debate about which is the greater evil extends to other sectors of society, such as lawyers, who do not see clear-cut terrain. “The issue that transcends this scenario is not that such practices improve the effectiveness in the fight against child pornography,” says Paco Pérez Bes, partner of Digital Law at Ecix Group, “but that, if allowed, we would be letting a company carry out practices that can affect fundamental rights, which is precisely what we are trying to protect,” he adds.
Marga Robles, cybersecurity professor at the University of Granada, however, is clearer about what should prevail. “When the need arises to reconcile two legal assets that may conflict, it is necessary to weigh the interests at stake: the protection of children in a context of special vulnerability, precisely, among others, as a consequence of the capacities that technology offers, must be considered a legal asset superior to privacy,” she explains.
The challenge for technology to offer solutions to the unstoppable spread it has enabled of crimes such as pedophilia is one of the great fronts of this war. “The technology is already doing something, like scanning the cloud,” Rivest says. “But you have to draw a line and say that technology cannot be a total tool for governments.”