Encryption has long been touted as one of the most trusted methods for keeping data safe and secure. This is especially the case in a world that faces issues involving nonconsensual access to sensitive data and the protection of children online.
Regulators and technology companies play an equal role in safeguarding users' data by promoting the use of technological safety methods, including encryption, to protect individuals from cyber threats that can impact their safety and wellbeing. But threats to encryption loom large, most recently with the U.K. attempting to secure backdoor access to Apple's encrypted data on cloud servers via the Investigatory Powers Act.
Such a move presents a double-edged sword, with a government arguing access is required for law enforcement to protect the public over individual privacy concerns.
"As we explore privacy and security solutions for the next generation, we must ensure that encryption remains a cornerstone of digital safety," Ontario Information and Privacy Commissioner Patricia Kosseim said during a recent Future of Privacy Forum webinar focused on the impacts and importance of encryption implementation for children's safety.
Promoting user safety
Encryption protects consumers' privacy by using mathematical models to convert information into code, making it difficult for unauthorized users to obtain safeguarded data. This allows companies to create a baseline of data protection by ensuring information and messages remain private.
"Encryption is not secrecy, it is privacy," Safety Sync Group CEO Matt Mitchell said during the webinar. "There's something about humanity that's tied to this agency of control over who we let in and who we don't."
Social platforms like Facebook Messenger,Signal and WhatsApp encrypt user messages by default, while others have added encryption to the variety of privacy tools consumers can opt in to.
According Meta Head of Policy for WhatsApp and Messaging Jonathan Lee, end-to-end encryption represents a valuable tool "for protecting the privacy, safety and security of all of our users of our messaging services, including young people." Lee added WhatsApp works to provide children and their parents with the tools to customize their "online experiences."
Social Web Foundation Executive Director Mallory Knodel also encouraged companies to "give more agency" to users under age 18 by educating them on what tools they can use to protect their information.
Knodel noted with parental guidance and an understanding of privacy controls, younger users can use these features to protect their data while enhancing their experience online. She said teens "want more control over the conversations they are having … and until very recently they didn't have those controls."
Additionally, Toronto-based barrister and solicitor Michael Power opined the introduction of privacy controls is not just aimed putting parents at ease.
"It is about empowering your children to keep themselves safe," Power said, noting online safety education for children can be the key to making the utilization of privacy tools instinctual.
Regulatory efforts
Regulatory requirements around encryption vary globally based on jurisdiction. The EU General Data Protection Regulation is an example of a legal framework with a stark encryption mandate. Nations including Australia, Canada, India and the U.S. have encryption requirements built into more sectoral legislation.
With Canada's provincial encryption approach, the Ontario IPC's Kosseim highlighted the recent adoption of Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act.
Bill 194 requires organizations in the public sector to implement encryption measures and improve transparency with consumers. While the IPC's recommendations to include digital safeguards for children were not included in the bill, the authority said it will continue to ensure children's online safety is prioritized through its enforcement and its promotion of digital safety tools.
Kosseim noted, while educating children on digital and technological safety elements is crucial, regulators must work to make the internet safer for vulnerable users through active enforcement.
The push to break encryption
Though encryption is a supported protective measure, law enforcement agencies are concerned children could be more vulnerable to exploitation if messages are private through end-to-end encryption.
American University's Washington College of Law issued a 2022 report that considered children's online protections in the face of end-to-end encryption's growth. The report outlined the privacy dilemma encryption poses, explaining how law enforcement officials "bemoan that this technology leads to criminals 'going dark,'" while privacy advocates "dismiss law enforcement's 'but the children' arguments as fearmongering."
The U.K.'s order to break Apple's encryption comes as issues with child exploitation, specifically child sexual abuse material, have only gotten more serious with artificial intelligence in the picture.
Social media companies and online services have noted it is difficult to detect and report abuse on their platforms due to encryption, sometimes complicating investigations. A recent review of Australia's Online Safety Act by Minister for Communications Michelle Rowland found 96% of content intercepted by law enforcement was incomprehensible due to encryption.
U.K.-based tech policy and regulation specialist Heather Burns said on the FPF webinar that if the U.K. order had gone through, consumers including children and their parents would not have known "communications and data flows they thought were protected were encrypted, were not."
Burns claimed policymakers and parents should be conscious of the push to simultaneously reduce encryption and online harm. "There's myriad problems with Big Tech and their impact on young people," she said, adding "you don't solve that" by potentially violating consumers' privacy.
Lexie White is a staff writer for the IAPP.
