How the NSPCC rigged its report on the dangers of end-to-end encryption
The NSPCC claims to have a delivered a ‘balanced’ report on the dangers of end-to-end encryption — but it was anything but ‘balanced’
Is Facebook making life easier for child abusers by introducing end-to-end encryption across all of its messaging services? That’s certainly the message that the UK’s Home Secretary and the National Society for the Prevention of Cruelty to Children (NSPCC) wanted to get out this week — and it worked, with even the more liberal end of the UK press, such as The Guardian, parroting the message without much question.
The NSPCC backed up its claims with a research paper, written by PA Consulting, entitled End-to-End Encryption — Understanding the impacts for child safety online.
The NSPCC claims the “balanced” report “collates the viewpoints of a broad range of stakeholders” so as to “raise understanding of the impact that ubiquitous end-to-end encryption would have on children’s online safety”.
In fact, as I will show, this hugely imbalanced report encapsulates a very narrow set of stakeholders, many of whom have long fought against end-to-end encryption or have a vested interest in doing so. The views of those who champion the security and privacy benefits of end-to-end encryption were either ignored or airbrushed out of the report.
The government’s war on encryption
Let’s be clear: the government hasn’t suddenly arrived at the conclusion that end-to-end encryption is a bad thing because of the NSPCC’s report. It has long opposed its use in apps such as WhatsApp, even if the argument that it’s aiding child abusers is a relatively recent development.
Back in 2017, the then Home Secretary, Amber Rudd, was railing against end-to-end encryption when WhatsApp was used to coordinate a terror attack on London. “We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don’t provide a secret place for terrorists to communicate with each other,” she said at the time.
When the tech companies refused to break encryption for the benefit of the security services, the government changed tactics. In 2019, the new Home Secretary Priti Patel turned up the heat, claiming it wasn’t only terrorist who are benefitting from encrypted messaging, but paedophiles too — two groups guaranteed to grab the attention of the media.
And lest anyone think that Patel’s renewed broadside against Facebook’s encryption plans this week were the result of new evidence emerging from the NSPCC’s research paper, that again seems vanishingly unlikely — not least because her plans to attack Facebook at the NSPCC event were leaked weeks ago to Wired.
Indeed, it seems the NSPCC report was commissioned purely to justify its own opposition to end-to-end encryption — and that’s not my view. That’s the view of one of the experts consulted in the report.
Who did the NSPCC consult?
“This report aims to provide a balanced narrative based on viewpoints obtained from engagement with experts across the community, with a child-centred focus,” the introduction to the NSPCC report claims.
Now note the order of the organisations it claims are represented in the report:
“The NSPCC commissioned PA Consulting to collate the viewpoints of a broad range of stakeholders, representing civil society organisations, industry, law enforcement and governments, to identify potential mitigations and trade-offs that should be considered.”
It goes out of its way to stress that it’s been listening to civil rights groups, those most likely to back the privacy protections afforded by end-to-end encryption. Closer examination, however, suggests it was a token gesture.
In total, PA Consulting interviewed 16 organisations when gathering evidence for the report, although it names only 15 of them. Only one of them could be described as a ‘civil society organisation’; six are from industry; seven are either law-enforcement, government (including the Home Office itself), or bodies that work for the protection of children; and one falls into the ‘other’ camp.
Already the interviewees look heavily balanced in favour of government, law enforcement and child protection agencies who have all long expressed opposition to end-to-end encryption.
But now let’s look at that ‘industry column’. That includes the mysterious Vivace, which describes itself as “a consortium of the best and brightest in the security industry”, but its website refuses to disclose who these “best and brightest” might be. (Update: it emerges that Vivace is actually funded by the Home Office.)
The company didn’t reply to my email asking for their identities. However, a LinkedIn search for current Vivace staff suggests at least one of them works at the Home Office and that the chief executive, Simon Christoforato, has spent his career “engaging with key business stakeholders including UK MoD, Home Office, Other Government Depts,” according to his profile.
Thorn “builds technology to defend children from sexual abuse”, and has vociferously opposed the introduction of end-to-end encryption on its own blog.
Crisp Thinking is a social-media monitoring company, who last year announced a partnership with INHOPE, “the global network combatting Child Sexual Abuse Material”, which works directly with law-enforcement agencies.
The list of interviewees is quite clearly loaded in favour of those in or close to government and law enforcement, with a vested interest in intercepting communications.
‘It was very obvious this wasn’t going to be neutral’
I’ve spoken to one of the organisations who were interviewed by PA Consulting. They’ve asked to remain anonymous, but their view is that the entire process was something of sham. They told me:
In our work, we try to be constructive wherever possible. I was contacted by PA Consulting for an interview last September or October. And I think during that interview it was very obvious from the start that this wasn’t going to be a neutral technical analysis of encryption and the impacts that it has on different policy objectives, like tackling child abuse online.
It was obviously very much driven out of the desire by the NSPCC, I think, speaking quite frankly, to have a strong evidence base to justify their opposition to the use of end-to-end encryption.
The representative from the organisation said that:
I gave my honest perspectives about why I thought encryption was important and why I had concerns about any attempts to weaken it.
Little of this appeared to be reflected in the draft report, which was circulated last October and November to all participants. The source we spoke to said they “sent quite a lot of comments and feedback on that draft”. They went on to add:
I think the way that the report is framed… it doesn’t in any way acknowledge there are other trade offs involved. If you start to weaken or remove end-to-end encryption, it’s only seen as an important thing to do to protect children online, it doesn’t recognise the other impacts that doing so would have on on people more generally or, in fact, children.
I thought it was unfair, in particular, in the way that it’s suggested that by encryption, there was nothing that anyone could ever do to tackle anything on the platform, except if somebody reported that they had seen it directly, which I don’t think is a fair representation. So I was in some way disappointed that the final report wasn’t modified from the draft, where I highlighted a lot of these sort of concerns and factual inaccuracy that I saw.
A spokesperson for PA Consulting said:
“The report reflects a balanced narrative and we stand by the integrity and veracity of our research. We sought and obtained the views of Government stakeholders in the UK, US, Australia and European Commission, alongside law enforcement, civil society organisations and industry, including social media platforms that are popular with children and young adults. Facebook was invited to participate and we discussed the report with them. Throughout the process, we were careful to reflect the views of all those who are considering how we can help children and young people to enjoy a safe and private experience online.”
The NSPCC declined to comment, other than to confirm that Facebook was approached to contribute to the report.
The notable omissions
Not only did the NSPCC/PA Consulting airbrush out those who backed end-to-end encryption, it actively failed to seek the full spectrum of opinion in the first place.
As we’ve seen, it only approached one civil liberties organisation in the first place, and with all due respect to Global Partners Digital, it’s far from the most well known. The Open Rights Group has been vociferous in its support for end-to-end encryption, for example, but it has confirmed to me that it wasn’t invited to contribute to the report. Where are Privacy International? Where are Big Brother Watch?
It’s not only civil rights groups that have been largely ignored, either. Even child welfare organisations with a different view on encryption were ignored. As The Open Rights Group pointed out this week, UNICEF has publicly stated that encryption both harms and benefits children:
There is no equivocating that child sexual abuse can and is facilitated by the internet and that end to-end encryption of digital communication platforms appears to have significant drawbacks for the global effort to end the sexual abuse and exploitation of children.
At the same time, end-to-end encryption by default on Facebook Messenger and other digital communication platforms means that every single person, whether child or adult, will be provided with a technological shield against violations of their right to privacy and freedom of expression.”
And there’s the key point. This is a complex matter, with strong arguments on both sides. End-to-end encryption does make it harder for law enforcement to catch paedophiles, without question, but it brings many other privacy and security benefits too.
The NSPCC is entitled to its view, of course. But what it’s not entitled to do is claim to have conducted a “balanced” review — lauded by the Home Secretary — when it clearly loaded the report with views from only one side of the argument.
We’re used to government cherry picking research to suit its needs. You’d hope a 130-year-old charity tasked with safeguarding children would be better than that.