Cybersecurity & Tech

Write the Laws for the World in Which We Live—Not the One We Imagine

Susan Landau
Wednesday, December 20, 2023, 1:35 PM

Many proposed laws on encryption assume that children are harmed by the technology, but encryption often provides children with safety and security.

Two children sitting on a brick ledge using their cell phones. (pixabay.com, https://tinyurl.com/2jbvwtnp; CC0 1.0 DEED, https://creativecommons.org/publicdomain/zero/1.0/deed.en)

Published by The Lawfare Institute
in Cooperation With
Brookings

Internet-enabled child sexual abuse exploitation (CSAE) is a horrible crime—and there’s no doubt that some CSAE investigations are stymied because criminals hide evidence using end-to-end encryption (E2EE), a method of securing communications so that only the message endpoints can view the unencrypted message. There have been many articles over the years, including a recent one I wrote, arguing that eliminating E2EE in order to protect children online will create risks to public security without actually improving children’s safety. But throughout these debates, there’s been an underlying assumption that E2EE confidentiality harms children. That thinking ignores crucial aspects of how children actually benefit from encryption.

A European Data Protection Supervisor (EDPS) report summarizing a recent seminar on CSAE in which I participated shows that this assumption about children and E2EE is false. Just like adults—and in some cases even more so—children benefit from the privacy and confidentiality afforded by E2EE. Preventing its use—as several current pieces of legislation proposed in the U.S. and the European Union would effectively do—would harm children.

Young people use encrypted communications as they go about their daily lives. Indeed, they depend on it heavily; removing such privacy protections for the purpose of enabling the detection of online CSAE goes against what young people want. The European Pirate Party, a European political party founded on these principles, and European Digital Rights, a European civil society organization, recently commissioned a study of 8,000 adolescents between ages 13 and 17 from European Union member states on surveillance of online communications. Two-thirds of those surveyed use encrypted messaging apps; the same share objected to internet service providers monitoring their communications. Furthermore, more than half used anonymous communications for political organizing, and four-fifths responded they would not be comfortable being politically active or exploring their sexuality online if governments could monitor their communications. None of this should be surprising, but legislatures should take note—especially because political activism should be encouraged.

Sexting—sending explicit nude images of themselves through texts—is another aspect of the issue. It is not just done by adults. A 2018 study found that “[c]onsensual sexting is becoming a more common practice among youth, with 14.8% and 27.4% of youth sending and receiving sexts, respectively. Moreover, higher prevalence rates were found in more recent studies, with older youth, and with youth using a mobile device to sext.” More recent data bears out this trend. Data from Thorn, an international organization seeking to prevent child sexual abuse, found that in 2021, 34 percent of U.S. teens between ages 13 and 17 thought of such sharing as normal; so did 14 percent of children aged 9 to 12.

While it is easy to imagine that eliminating E2EE will make children safer by making CSAE investigations more effective, it is likely the opposite effect will occur. As the EDPS report noted, “E2EE provides security and safety to children too, especially vulnerable ones (e.g. LGBTQ+ who use the Internet to explore their sexuality).” Indeed, the systems that automatically flag CSAE are likely to capture images created by the children themselves. These sexting photos are intended for private sharing, and the broad scanning envisioned by the bills thus risks that young people sexting will be investigated and accused of purveying CSAE.

Gandhi is supposed to have said that “the true measure of any society is how it treats its most vulnerable members.” LGBTQ+ children are such a population. Children are aware of their sexual orientation from relatively early on. A Human Rights Campaign (HRC) report showed that 84 percent of LGBTQ+ children realized they were non-straight by age 13. Socially isolated, and with a high risk of suicide, LGBQT+ children use the internet for information about sexual health and behavior (this is especially the case when faced with the absence of such education in schools). It is not uncommon for LGBTQ+ children to find disclosing their sexual orientation to family members difficult; HRC found that 60 percent disclose that information to friends before telling family. Research shows that LGBTQ+ children use the internet for establishing relationships, including sexual ones. Not being outed is particularly important to this population. Privacy and confidentiality of communications is essential to those children’s emotional and mental well-being—and sometimes for their physical safety.

It might be tempting to imagine that in a world without E2EE communications, children would turn to more innocent pastimes. But rolling back youth’s world to a pre-internet time is no more plausible than imagining a world without cars, chips, computers, or other modern technology. Nor is such rolling back a useful approach. Anyone who knows teenagers knows that if you make it harder for them to do something, they will simply find another way to accomplish their goals. In the process, they might find themselves using less-secure methods for communicating, putting themselves in greater danger, not less.

The point is that E2EE benefits children. Confidential communications systems enable at-risk children to search for the help and social connections they need, and they enable young people to become politically active and organize. E2EE benefits youth by providing the privacy they need as they find their path into adulthood. The EDPS seminar discussed adverse effects from the proposed CSAE regulation, observing that combating CSAE is a complex societal problem. It is not one to be solved by preventing the use of confidential communications by children.

U.S. lawmakers should take note. The same issues that plague the proposed EU regulation are at play in two U.S. bills that address CSAE, the Stop CSAM Act and the EARN IT Act. As well intentioned as these bills may be, they ignore young people’s reality of relying on confidential messaging systems as they go about their daily lives. Let us improve young people’s online safety and security, but let’s do so in ways that those who work with young people recommend: by making them safer at home and at school and, thus, enabling them to raise issues of unsafe online situations when these situations occur. One place for legislators to begin might be with proposals from Arturo Bejar, former director of engineering for protect and care at Facebook, whose testimony before the Senate Judiciary Committee provided concrete suggestions that online social networks could implement to make it far easier for users to flag and report unwanted contact or harassment. That would be the real improvement for teens’ safety—and for the rest of us as well.


Susan Landau is Professor of Cyber Security and Policy in Computer Science, Tufts University. Previously, as Bridge Professor of Cyber Security and Policy at The Fletcher School and School of Engineering, Department of Computer Science, Landau established an innovative MS degree in Cybersecurity and Public Policy joint between the schools. She has been a senior staff privacy analyst at Google, distinguished engineer at Sun Microsystems, and faculty at Worcester Polytechnic Institute, University of Massachusetts Amherst, and Wesleyan University. She has served at various boards at the National Academies of Science, Engineering and Medicine and for several government agencies. She is the author or co-author of four books and numerous research papers. She has received the USENIX Lifetime Achievement Award, shared with Steven Bellovin and Matt Blaze, and the American Mathematical Society's Bertrand Russell Prize.

Subscribe to Lawfare