Dear Minister,

I was disappointed to discover that you signed the recent international statement on end-to-end encryption and public safety [1], which indulges in the disgusting practice of using the victims of child abuse as a political prop to attempt to justify ever more ubiquitous surveillance.

Perhaps you are unaware of the important role end-to-end encryption plays in protecting the safety of children. This year, as I'm sure you're aware, there has been, for very good reasons, a surge in the use of video calling and video conferencing. I wonder how many toddlers have been naked in the backgrounds of family video calls, how many children have undergone intimate medical examinations via video calls, and how many teenagers have foolishly exposed their naked bodies to digital cameras, thinking that only their boyfriend or girlfriend would see them. If you really want to protect these children from the eyes of paedophiles, then you need to unequivocally support end-to-end encryption.

To illustrate their vulnerability, look at The Citizen Lab's report on just one vulnerability in one popular video-conferencing system — Zoom's waiting room vulnerability [2], which allowed an attacker to access the video stream of a room by simply attempting to join the room, even if they were never admitted to the room. This would never have been possible if the video stream was end-to-end encrypted.

That was merely one of a series of problems with Zoom's privacy. And Zoom is not unique in having security problems. A site called ';--have i been pwned? [3] tracks leaks of personal information by online systems. They already list over ten billion personal accounts whose information has been leaked; that's an average of more than one account per living person on this planet.
The most recent leaks they list include 400,000 accounts belonging to Chowbus, an Asian food delivery service, nearly 3,000,000 accounts belonging to WiziShop, a French e-commerce platform, and the personal information of tens of millions of people listed in the database of Experian South Africa, a credit bureau. All three of those leaks occurred between July and October this year.

If communications service providers have any means of accessing people's conversations, then very often that means of access will be leaked to people with sinister motives.

It's no use trying to be optimistic, as the international statement does, about the prospect of "reasonable proposals" that will allow access to benign governments, while protecting the human rights of those living under authoritarian governments. No encryption system can possibly distinguish legitimate requests, made by liberal governments, from requests made by authoritarian governments for the purpose of persecuting their peaceful opponents; cryptography simply doesn't work like that.

Businesses don't work like that, either. There are numerous examples of Western businesses acquiescing to the Chinese government's demands for censorship, production of information about their customers, or recognition of China's territorial claims, but the one that comes most strikingly to mind in the present context is that of Skype's well-documented collaboration with the Chinese Communist Party [4], which affected not only Skype's customers in China, but also anyone using Skype to communicate with someone else who was using TOM-Skype, the version approved by the Party. This was the case when Skype was owned by eBay, and continued to be true for years after Microsoft's acquisition of Skype [5]. Skype's defence of this practice was telling: they had to obey Chinese law [6].
If communications providers have any means of accessing people's conversations, then very often they will willingly provide that access not only to benign governments, but also to authoritarian ones. If you really care about journalists and human rights defenders in repressive states, then you need to unequivocally support end-to-end encryption.

I note that the international statement envisages that the communications service providers themselves will have access to their customers' conversations, as I have been assuming above. But I am also aware of past proposals (of varying degrees of vagueness) that involve only governments having the keys to decrypt the conversations, rather than the communications service providers themselves.

But government-controlled sets of keys will not prevent any of the problems I've discussed above. Governments, too, are prone to leaking sensitive data. For example, the US Government leaked (probably to the Chinese Communist Party) the fingerprints of millions of its own employees with security clearances [7].

And if you do manage to persuade (or force) communications service providers to use only encryption systems that grant special access to certain governments, then it would be very, very easy for the Chinese government to pass laws requiring those companies to grant similar access to the Chinese Communist Party, too. And very easy for those companies to comply with those laws, noting that it's one of the requirements for operating in China. The journalists and human rights defenders you hope to protect will have nowhere to turn, except, perhaps, to software you may have rendered illegal even in liberal democracies.

And it's worth examining the motives of your cosignatories, too. In the past, I've spoken with someone who worked in Kolkata, assisting women who wanted to leave the sex trade. She indicated that the police in Kolkata made no attempt to enforce laws against the ownership and sale of children as sex slaves.
This casts very serious doubt on the Indian government's commitment to preventing the sexual abuse of children. In contrast, Indian police were active in enforcing prohibitions on public protests in the wake of the Citizenship (Amendment) Act, 2019, which specified a path to citizenship for people belonging to certain religions, notably not including Islam [8]. It would be very surprising if the Indian government reflected significantly different priorities in its use of communications surveillance powers.

I hope, having read this, you will reconsider your support of the international statement.

Sincerely,
Tim Makarios
https://circulex.nz
<><

[1] International statement - End-to-end encryption and public safety https://tinyurl.com/yyfk7z29
[2] Zoom's Waiting Room Vulnerability https://citizenlab.ca/2020/04/zooms-waiting-room-vulnerability/
[3] ';--have i been pwned? https://haveibeenpwned.com/
[4] Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform https://tinyurl.com/y58fwdvx
[5] China Chats: Tracking surveillance and censorship in TOM-Skype and Sina UC https://citizenlab.ca/2013/07/china-chats/
[6] Skype Defends VoIP IM Monitoring In China https://tinyurl.com/yykyzhlq
[7] US government hack stole fingerprints of 5.6 million federal employees https://tinyurl.com/jyu94yr
[8] Home Ministry Holds Security Meet Amid Protests Against Citizenship Act https://tinyurl.com/y2h5spxr