wordpress blog stats
Connect with us

Hi, what are you looking for?

Encryption and issues related to Child Protection online

“When Child sexual abuse material (CSAM), in the form of messages, are sent on WhatsApp, Telegram and other media, the real source of this information is often the web, including pornographic sites. The challenge lies in identifying the original source of the material and addressing that”, a speaker said during MediaNama’s workshop on identifying challenges to Encryption in India, “The problem of identifying the source of the material is very tough. You cannot control who will take a video or an image and upload it to the Darknet. The web is easier,” another speaker concurred. “We have a problem at the DNS level, at the categorisation level: why can’t ISPs join together and do it at a DNS level? Why can’t we block these [specific] porn categories?

This workshop was held with support from the Internet Society (Asia Pacific Office), and was under the Chatham House rule; the quotes have thus not been attributed.

Challenges to encryption in India

1. Mandatory reporting of pornographic material involving a child: There are laws and regulations that mandate reporting of CSAM, and “compliance with the POCSO Act [Protection of Children Against Sexual Offences Act] is still being figured out.”

As per the POCSO Act: “Any person who has received any pornographic material involving a child or any information regarding such pornographic material” either being stored or likely to be transmitted/distributed, “shall report the contents to the SJPU [Special Juvenile Police Unit] or local police, or as the case may be, cyber-crime portal (cybercrime.gov.in)”. In addition, in case this is an intermediary, they shall “also hand over the necessary material including the source from which such material may have originated”. The report should include the details of the device in which it was noticed, and suspected device from which it was received, including the platform on which the content was displayed.

How intermediaries can comply with these requirements is still something being figured out, and something that platforms are struggling with – “how can such a thing be materialised, using available technological tools?”

Advertisement. Scroll to continue reading.

2. Non-cooperation of Intermediaries in reporting CSAM material: The lack of cooperation of intermediaries in reporting or assisting with detecting CSAM material in India ends up creating grounds for removal of encryption for monitoring of messages and groups:

  • Lack of accountability and response: “Intermediaries in India do not want to take any responsibility for this content being circulated on their platforms. If we’re afraid of our private communications being accessed and used by authorities, it is created by the lack of accountability and response from intermediaries, by which they have given leverage to the government.”
  • Different systems for different countries: “Intermediaries have different systems for different countries, even though CSAM and non-consensual sexual content is not permitted anywhere. Both POCSO in India, and laws in the US ask intermediaries to mandatory report CSAM material”, a speaker said. Platforms have “complied with this requirement in the US – by reporting to NCMEC – but none complied with it in India, and have explicitly said that they won’t comply with this requirement in India. What option do people working with children have? What option do people working with government have?” this speaker asked. “It is indefensible that they’re doing something in one geography, but not in another. The Prajwala judgment said that a reporting mechanism should be created,” this speaker asked.
  • Lack of transparency regarding technical capabilities: Just as in the case of misinformation,” one speaker said, “companies have been reluctant to be transparent about where their technical capabilities lie and where they end, in terms of metadata and traceability, and how much of it [traceability] is possible without breaking end to end encryption.
  • Takedown related issues in groups: “Platforms take down images, and not groups where such images are shared. They don’t look into complaints about groups. Groups usually alter names, and often names are in different languages.

Also read: Break end-to-end encryption to trace child porn distributors, make ISPs liable: Recommendations from Rajya Sabha Committee

3. Identification considerations:

  • Identification of the source of the material: Technical participants in the discussion, as mentioned earlier, were of the opinion that it is next to impossible to identify the source of CSAM material, whether it may be from porn sites, or from the Darknet.
  • Identification of the distributor of the material: “These [online] platforms give cheap and arbitrary access to everything. People who want to do abusive things can do that, and know-how to hide it. CSAM, as well as non-consensual adult content, can be circulated in a fraction of a second. It is difficult to identify who has circulated the information.”

A speaker pointed out that “The government of India has the super-power to look into and obtain electronic evidence. In selective cases, when it is critical, you can talk to a company to tap into a device or an app to take evidence.” Another said that if a message is shared with the police, you can tell whose device it is via the service provider. “If you have information on one side of the message, then the whole purpose of E2E [end-to-end-encryption] is broken: If you have meta-data of those messages, you can point to the person himself. “How do you know whose device it is? Via the service provider. Monitoring should be from the service provider perspective. There’s no need to break end to end encryption.”

Online platforms, though, don’t cooperate, according to another speaker: “If I share a message with you, a screenshot, which indicates that at this time, this date, this device has been used to send this message. You have the phone number, through which you can access the device, through which you can access the person sending it. The platforms don’t cooperate.”

Breaking encryption is not possible, but “there are workarounds, like usage of exploits, which can be used to provide access to mobile phones”, one speaker said.

4. Concerns about proactive monitoring and usage of algorithms: Draft amendments to India’s Intermediary Liability rules call for platforms to use technological tools to proactively monitor content for taking down CSAM content, among other types of content. There are two key concerns here: “It’s a thin line,” one speaker said. “Proactive monitoring also translates to shoulder-surfing what someone is doing on an app.”

Secondly, the effectiveness of algorithms is also a concern. While one speaker said that “if you can use algorithms for serving content, for delivering advertising, surely you can do that for CSAM. Intermediaries have the resources and datasets to develop algorithms.” At the same time, algorithms are entirely accurate, and accuracy will vary depending on one-to-one, one-to-many and many-to-many modes of matching. Algorithms also may not recognise context, as was famously demonstrated in Facebook’s napalm girl incident.

Advertisement. Scroll to continue reading.

Platforms can be an important source of learning for algorithms though: “The source of content is porn sites, and they diversify, in terms of distribution, like Instagram and Facebook groups. Facebook and Instagram have jpeg level deep learning algos, and these groups are taken down consistently. Facebook and Instagram have information on how such sites operate. The historic information that they have, help taking down of pages,” one speaker said. However, “A solution invented for one platform cannot work on every platform.”

5. VPN as a loophole: Even if traceability of individuals is possible at an ISP/Telecom operator level, those circulating CSAM material can use VPNs and proxy servers to bypass protections and restrictions.

Concerns about weakening encryption norms in India

  • Encryption cannot be a selective anesthetic: “It is a standard. It is really required, in case of banking transactions, for Aadhaar related activity. Despite encryption, we still see leaks. This is where end to end encryption comes in. Encryption is required: every data out in the Internet is sensitive.
  • Breaking encryption or instituting backdoors will create more problems: “If we implement this and give this super power to the government, then there can be advanced persistent threat attacks against [systems]. If something is breached and misused, it opens a whole new can of worms.”

What is the point of encryption if you can break it?

  • Trust issues: “If we relax the standard for this issue, and you give the government the privilege, you’re giving them the encryption keys. It’s like giving them the password or the pin code. If we relax this for this issue, it creates a concern.”
  • End to end encryption is important: people scan their house documents and send personal information using these services.

Questions that need clarification

  • Metadata: What kind of metadata can platforms provide to law enforcement agencies, on a best efforts basis, that may help with investigations?
  • Traceability:
    • Is traceability on end to end encrypted platforms possible without breaking end to end encryption?
    • What are measures that may be taken to address get to specific devices or groups, without breaking end to end encryption?
    • What do you do when you have a close-knit group that no one has information about, which is operating in the dark?
  • NCMAC: Where are with NCMAC globally, and how do we improve on those to deal with CSAM content?
  • How effective can algorithms be in encrypted (but not end-to-end encrypted) environments in detecting end-to-end encryption? What are alternatives to the enforcement of pro-active monitoring of content on platforms?
  • Where can technology be used to address access to platforms and services to address issues such as grooming?

Also in this series:

Written By

Founder @ MediaNama. TED Fellow. Asia21 Fellow @ Asia Society. Co-founder SaveTheInternet.in and Internet Freedom Foundation. Advisory board @ CyberBRICS

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Find out how people’s health data is understood to have value and who can benefit from that value.


The US and other countries' retreat from a laissez-faire approach to regulating markets presents India with a rare opportunity.


When news that Walmart would soon accept cryptocurrency turned out to be fake, it also became a teachable moment.


The DSCI's guidelines are patient-centric and act as a data privacy roadmap for healthcare service providers.


In this excerpt from the book, the authors focus on personal data and autocracies. One in particular – Russia.  Autocracies always prioritize information control...

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ