On IWF's pamphlet about "solving" encryption.
Internet Watch Foundation (IWF) is an organization that works ... to eliminate child sexual abuse imagery online,
preventing the ongoing victimisation of those abused in childhood and making the internet safer for all.
They support the EU's Chat Control, which suffered a setback when the EU parliament rejected extending Chat Control 1.0. I'm not going to talk about that too much. The reasons for the rejection are quite complicated, but I wanted to understand
the perspective of an organization like IWF on this. I have mostly listened to Patrick Breyer's perspective. I did learn some perspective. Basically, right now GDPR[wiki] prevents the Facebooks, Twitters, and TikToks from scanning chats for
Our new paper clearly demonstrates how child sexual abuse imagery can be prevented from being uploaded into end-to-end encrypted spaces in the first place. Users can be protected from the spread of this content without any need for anyone to ever be snooping on chats.
I was getting ready to dig up why having a third global key in E2EE is not E2EE, but then I noticed the word "spaces"
and correctly guessed that it was doing a lot of heavy lifting. The "paper" in the quote can be found here and will be the focus of the ridicule today.
It is a pamphlet
Before getting to the meat of things: no, this thing is not a paper as in a journal article or technical schema. It is a pamphlet. A marketing piece with pretty colors and a lack of technical substance. It only completes the general idea description, not more. I will get into more details on that later, but for now I want to address IWF directly. This is not the only place where I find your descriptions of things
What is the IWF's idea? Essentially, scan, before encryption, any message going into an encrypted "space". The image below is from their pamphlet.
So why such a strong opinion? Well, let's just first acknowledge that the idea sidesteps the hard part of actually decrypting encryption. Also, to be fair to IWF, they kinda indicate that they want this check to be local compute. More on that later; for now, the problem is that this is the completely wrong way to think about security on the internet. "Space" as used is more like the playground of a kindergarten. There should be fences and adults checking who is going in. This is not how the internet works. When you connect to something on the internet, it should be considered suspicious. A browser is just a general tool to execute/render whatever the browser connects to. This means random stuff gets executed. Sure, human interaction is not the same, but if we discuss this as random people meeting, then everybody is treating each other as suspicious. How do I know the person I'm talking to actually runs the checks?
Let's also ask what the fuck the actual risk analysis is here. For those who don't speak computer science: you do not just increase security because a hypothetical threat exists. You analyze the likelihood of that risk, and whether it is actually worth having the protection in the current environmental context. An increase in security means a decrease in user-friendliness. So, what is the risk IWF is aiming at?
It is not clear. My best interpretation is prevention of transfer of
I'm going to take the study mentioned at face value because I don't find it inherently wrong that offenders would use the most convenient option.
So better to switch the check to the receiving end, right? Well... I did consider that as a steelmanning argument. It does fix the "how do I know" part. However, I think IWF would reject this, as the kindergarten idea is more to their liking. They argue that:
The problem is that it still introduces a systematic leakage possibility with real gain in CSAM prevention. To be fair, IWF is proposing it to be local compute rather than
explainer
[source] but this is not the only example. In the article about AI being an online abuse machine you first say that you have seen a frightening "26362% increase of photo-realistic AI videos of child sexual abuse" when 2024 and 2025 are compared. But then in the next sentence you admit this is an increase from 13 to 3440. So basically this is NOT a shocking revelation. You are abusing the mathematical definition of percent here, when really all this is is a change from there being no tools to there being tools. Later this article also says "312,030 reports where analysts confirmed the presence of child sexual abuse material". I have no idea whether this includes AI or not; I assume so. Regardless, your analyst-confirmed AI use is, give or take, a bit over 1% of total records. No security researcher would propose this.
Offenders who create and share child sexual abuse material (CSAM) are turning to E2EE platforms to avoid detection. Research conducted by Protect Children Finland, based on a survey of more than 30,000 active online CSAM offenders,
found that many deliberately choose E2EE applications due to a perceived lower risk of exposure or prosecution.
Can I steelman?
"On E2EE platforms, files can be checked for malware before they are sent." I have not found any E2EE platform that does this, and they do not reference software which is doing it. I'm not saying they are lying; I'm saying it is odd they do not mention it.
