Client-side scanning has been proposed by Apple as a means to detect child abuse while protecting privacy and security
Two of the UK’s most senior intelligence officials in the field of cybersecurity have expressed support for so-called client-side scanning technology, which examines users’ devices and data for unlawful content.
The technology – which has been most notably proposed by Apple, in the form of its NeuralHash system – is touted by its supporters as potential means of detecting and cracking down on child abuse, while protecting the security and privacy of digital services.
A client-side scanning (CSS) system works with the programs installed on users’ phones to scan the content of their messages and other files, typically with the aim of detecting the sharing of images of abuse or other unlawful activity. This approach differs from server-side scanning which, in order to perform checks, requires data to be stored and accessed from the systems of the service-provider in question, such as Apple, Facebook, Microsoft, or Google.
Apple announced its plan to deploy the NeuralHash last year – before swiftly deciding to indefinitely postpone the introduction of the technology, with the delay attributed to “feedback from customers, advocacy groups, researchers and others”.
But, in an academic paper published today, the technology received some public support from Crispin Robinson, the technical director of cryptoanalysis at GCHQ, and Ian Levy, the technical director of the GCHQ-based National Cyber Security Centre.
- DCMS keeping tabs on child-safety implications of Apple updates
- Government fails to rule out anti-encryption law but says agreement with Facebook is ‘preferred solution’
- Home secretary unveils new tech tools to help police combat child abuse
“Through our research, we’ve found no reason why client-side scanning techniques cannot be implemented safely in many of the situations one will encounter,” they said. “That is not to say that more work is not needed, but that there are clear paths to implementation that would seem to have the requisite effectiveness, privacy and security properties.”
The intervention from the cyber chiefs – albeit in a document that they stressed was “not intended to represent UK government policy” – stands in contrast to much of the response so far to proposals for client-side scanning, both from academia and industry, as well as civil society.
In a paper published shortly after Apple paused its NeuralHash plans, a group of 14 professors, current and former tech execs, and third-sector representatives jointly authored a paper titled: Bugs in our Pockets: The Risks of Client-Side Scanning. Authors included academics from the Universities of Cambridge, Harvard, and Columbia, the Massachusetts Institute of Technology, and the Australian National University.
“CSS neither guarantees efficacious crime prevention nor prevents surveillance. Indeed, the effect is the opposite,” they wrote. “CSS, by its nature, creates serious security and privacy risks for all society while the assistance it can provide for law enforcement is at best problematic. There are multiple ways in which client-side scanning can fail, can be evaded, and can be abused.”
In their newly published paper, Levy and Robinson said that they hoped the publication of the document would “lead to a balanced and informed debate that will help inform global policy in this area”.
The paper closes with a set of of 11 conclusions and recommendations for ongoing work, including “practical demonstrations of technology” and the creation of “an evaluation framework providing a shared context in which to analyse the impacts of safety technology”.
The final recommendation is that there should be an “in-depth public conversation” on the matter.
“Services carry responsibility, to some degree, for the activities that they facilitate – both positive and negative,” Levy and Robinson wrote. “In order to achieve a balance of opportunities for public good against mitigation of public harm that meets with the expectations of users and of wider society, we welcome further, deeper dialogue on the details concerning the varied policy, service-specific, and technical issues that we have highlighted in this paper.”