UK cybersecurity chiefs back Apple’s controversial photo-scanning feature

The heads of GCHQ and the UK’s National Cybersecurity Centre have said that technology giants should scan users’ phones for illegal images.

Ian Levy, the NCSC’s technical director, and Crispin Robinson, the director of cryptanalysis, claim that a controversial technology called “client-side scanning” could protect children and privacy.

Apple had made moves to introduce such a feature last year, which would detect when people have child sexual abuse material on their devices. The smartphone giant had to ‘indefinitely delay’ its rollout due to pushback from privacy campaigners.

Edward Snowden said that Apple was “rolling out mass surveillance to the entire world”, and the Electronic Frontier Foundation said the feature could easily be broadened to search for other kinds of material.

“It’s impossible to build a client-side scanning system that can only be used for sexually explicit images sent or received by children. As a consequence, even a well-intentioned effort to build such a system will break key promises of the messenger’s encryption itself and open the door to broader abuses,” it said.

However, the heads of the UK’s security organisations said that there is “no reason why client-side scanning techniques cannot be implemented safely in many of the situations one will encounter” in a discussion paper published today.

"Child sexual abuse is a societal problem that was not created by the internet and combating it requires an all-of-society response”, they write.

"However, online activity uniquely allows offenders to scale their activities, but also enables entirely new online-only harms, the effects of which are just as catastrophic for the victims."

The pair claimed that criticism of the feature were due to flaws that could be fixed, such as requiring the involvement of multiple child protection organisations and using encryption to ensure that the platform does not have access to the photos – which would only go through child protection groups.

“Details matter when talking about this subject,” Mr Levy and Mr Robinson wrote. “Discussing the subject in generalities, using ambiguous language or hyperbole, will almost certainly lead to the wrong outcome.”

However, Alec Muffett, a cryptography expert who worked on Facebook’s efforts to encrypt its Messenger chatting app, told The Guardian that the paper “entirely ignores the risks of their proposals endangering the privacy of billions of people worldwide” and that it was “weird that they frame abuse as a ‘societal problem’ yet demand only technological solutions for it. Perhaps it would be more effective to use their funding to adopt harm-reduction approaches, hiring more social workers to implement them?”

Apple has already introduced message-scanning for children’s iPhones in the UK to look for images that contain nudity. The tool is referred to by Apple as “expanded protections for children” on iOS, iPadOS, WatchOS and MacOS, but is not turned on by default.