A firestorm emerged on Friday and raged during the weekend over Apple's new "
Expanded Protections for Children
," a series of measures across Apple's platforms aimed at cracking down on child sexual abuse material (CSAM). The new protections address three areas, including communications tools for parents and updates to Siri and search to help children and parents deal with unsafe situations.
[ Learn
what's next for encryption if the RSA algorithm is broken
| Get the latest from CSO by
signing up for our newsletters
. ]
The flashpoint for
cryptographers, cybersecurity specialists, and privacy advocates
is Apple's planned use of "new applications of cryptography to help limit the spread of CSAM online, while designing for user privacy." The plan is to scan users' photo libraries and then apply a new form of encryption to compare those photos to images from existing CSAM libraries.
The new cryptography applications in iOS and iPadOS would allow Apple to scan users' entire photo libraries hunting for known CSAM images uploaded from their devices to iCloud Photos and then report these instances to the National Center for Missing and Exploited Children (NCMEC). Apple
says
, "the hashing technology, called NeuralHash, analyzes an image and converts it to a unique number specific to that image," which allows systems "to perform on-device matching using a database of known CSAM image hashes provided by NCMEC and other child-safety organizations."
"This is a really bad idea," leading cryptographer Matthew Green
tweeted
at the start of a lengthy thread that sparked the now widespread uproar over Apple's plan. The problem is that this system could be the tip of the spear that essentially provides an encryption
backdoor
that the US and other global authorities have sought since the 1990s. "This sort of tool can be a boon for finding child pornography in people's phones, but imagine what it could do in the hands of an authoritarian government," Green tweeted.
As the implications of what Apple is proposing became clear, over 4,000 security and privacy experts, cryptographers, researchers, professors, legal experts, and Apple customers
signed
An Open Letter Against Apple's Privacy-Invasive Content Scanning Technology
. The signatories, including NSA whistleblower Edward Snowden, contend that "Apple's proposal introduces a backdoor that threatens to undermine fundamental privacy protections for all users of Apple products."
Apple's plan also received pushback from some tech executives. For example, the head of WhatsApp at Facebook, Will Cathcart,
tweeted
that "Apple has built software that can scan all the private photos on your phone — even photos you haven't shared with anyone. That's not privacy."
Epic Games CEO Tim Sweeney
tweeted
that "I've tried hard to see this from Apple's point of view. But inescapably, this is government spyware installed by Apple based on a presumption of guilt. Though Apple wrote the code, its function is to scan personal data and report it to government."
Governments worldwide mandate access to data
If Apple ends up installing a front door that hands both authoritarian and democratic governments access to user data, Apple would undoubtedly be accelerating a trend already underway worldwide, according to a Black Hat briefing last week by Andrea Little Limbago, vice president, research and analysis, at Interos.
In her
talk
,
Government-Mandated Front Doors?: A Global Assessment of Legalized Government Access to Data,
Limbago said that her research indicates that over half of the world's population lives under governments mandating or considering mandating government access to encrypted data. Even more concerning is that these front doors are not necessarily occurring by breaking encryption but by shifting government policy to gain access to vast reservoirs of collected data.
Surveillance and tech infrastructure on the rise
Based on her review of data access policies around the globe, Limbago said she discovered that although "the crypto wars were certainly, and still are, a big concern in that area, there are other kinds of shifts that are going on. We also see the rise of surveillance and tech infrastructure, and in turn with that government access to that data."
The final step in the evolution of government data access is "just blatant data access requirements. All of these generally are under the auspices of national security requirements. You'll hear the same kind of discussions made across the globe, whether in authoritarian regimes or democracies, asking for data access upon requests for various kinds of national security reasons," Limbago said. "We've got greater interference of the government across the globe when it comes to data protection and access risk."
Digital authoritarianism and democracy exist on a spectrum
Digital authoritarians, such as North Korea, China, and Russia, are at this point well-studied. "They are trying to gather up as much information and data as possible to gather control of that data" through offensive behavior, such as not only mandates but also through censorship and manipulation and disinformation, Limbago said.
On the other side of the spectrum are what Limbago calls digital democracies, such as the European Union. These governments have an "open, secure, resilient internet, focus on individual data rights, individual data protection, and no government access to that data, or very minimal or within some sort of transparent guardrails for that access to information. There is a very solid playbook starting to emerge for digital authoritarians. That same kind of playbook does not really yet exist for digital democracies."
Many countries fall between these two extremes, such as Ecuador. After the government imposed requirements that service providers hand over data or even decrypt data, the country passed a privacy protection law in the wake of a significant data breach. "We're seeing a whole lot of different countries fall in this middle area, sort of a hybrid, adopting some aspects of the authoritarian, some aspects of the democracies, and really pulling it together to meet their own regime objectives and government objectives."
Democracies are not immune to mandated access
Australia passed a crypto law that mandates access to encrypted content. Another democratic government, the UK, with its Snooper's Charter, was found to violate rights to privacy by the European court of human rights. "So, by no means are democracies immune from these kinds of [privacy-violating] tendencies," Limbago said.
The good news is that based on Limbago's research, over 100 countries have enacted data protection laws, and even more countries have passed data protection laws but haven't enacted them yet. Nevertheless, "what I see a lot is this movement from censorship and manipulation to the next step being mandated data access," she said. "That's a concern. If the censorship and manipulations are working, let's just try it. Let's go straight out and try and grab that data through legal shifts and regulatory shifts. A lot of countries are pursuing some aspects of the authoritarian model and some aspects of the democratic model."
The changes in law and policy are happening very fast, with a lot of rapidly evolving variations across the globe. "Everything from the US, which I didn't talk a ton about, pushing tech firms to hand over source code to India, a huge democracy really falling in that hybrid model, with some data protection procedures, while also at the same time, demanding data access from various social media companies. You've got the EU, as strong as the GDPR is, you've got the Hungarian government suspending some aspects of it.
It's too soon to tell what trends will become dominant as countries continue to evolve their mandated data access policies. "Which of these movements [at either end of the spectrum] is gaining traction. Are the data hoarders winning or are the data protection advocates winning?"
Next read this
Tabletop exercises: Six sample scenarios
21 best free security tools
Securing CI/CD pipelines: 6 best practices
7 tenets of zero trust explained
How to hack 2FA: 5 basic attack methods explained
How to check for Active Directory Certificate Services misconfigurations
Move over XDR, it's time for security observability, prioritization, and validation (SOPV)
How to rob a bank: A social engineering walkthrough
10 security tools all remote employees should have
8 biases that will kill your security program
