The @ukhomeoffice-funded #NoPlaceToHide campaign claims that “14 million reports” of child abuse may be “lost” if @Messenger implements #endtoendencryption. Here’s a horrible thought …

The NoPlaceToHide campaign is bandying a huge number — 14,000,000 — as the number of “reports” of child abuse that “could” be “lost” if the Facebook Messenger application implements end-to-end encryption by default.

This is a very large number. Please show your work.

This number — as cited — comes from the (US) National Center for Missing & Exploited Children, also known as NCMEC (pronounced: “neckmeck” amongst tech-industry people).

If you visit the NCMEC “CyberTipline” statistics page, you can learn a few headline statistics:

  • under “2019 Reports by Electronic Service Providers (ESPs)”, Facebook companies provided 15,884,511 of the 16.9 million total reports that NCMEC received in that year.
  • in 2019, 74,330 NCMEC reports related to the UK
  • under “2020 Reports by Electronic Service Providers (ESPs)”, Facebook companies provided 20,307,216 of the 21.7 million total reports that NCMEC received in that year.
  • in 2020, 75,578 NCMEC reports related to the UK

That Facebook comprises 93+% of all NCMEC reports is neither surprising nor disturbing, because Facebook comprises several of the world’s most popular image-sharing sites and communications tools, and the Facebook team has been assiduous in checking and reporting 100% of all matching “PhotoDNA hits” that they detect.

However…

However, what typically goes unreported and unremarked in public discussion about “reports” of abusive imagery is a couple of blog posts in which Facebook details its own research into the images and accounts that they detect.

The key findings were that:


  1. More than 90% of the content which they report is a duplicate of, or very similar to, previously reported content; sometimes ludicrously so (“copies of just six videos were responsible for more than half of the child exploitative content we reported in that time period”)
  2. More than 75% of accounts which were reported “did not exhibit malicious intent” — in other words, they were stupidly, unthinkingly, mindlessly or unknowingly forwarding content which is deemed illegal or abusive. In the past, even journalists have been reported by Facebook for forwarding such content — because Facebook, like other platforms, is literally legally obliged to report such occurrences.

Analysis

So back to that “14 million” figure; it does not appear in the above NCMEC statistics, but I will guess that it is the “Messenger” portion of the 20.3 million reports that were sourced across all Facebook companies, in 2020.

On that basis, we can observe:

  1. The UK Home Office (through their agents MCSaatchi) are quoting international numbers, not UK-centric numbers, in pursuit of a UK-centric political goal
  2. If 75% of the reports were from non-malicious accounts, and of those if 90% were duplicate or redundant reports, then possibly as few as 350,000 global reports might relate to actual instances of new and malicious abuse
  3. Put differently: worst-case, possibly 97.5% of reports are-or-were unthinking or duplicates; best-case somewhere between 75% and 90% were unthinking or duplicates.
  4. In practice it is not knowable, without more information, how the 90% / 75% splits will impact the “14 million lost [global] reports”, but it seems strange that the UK Home Office is attempting to use a global number which is somewhere between 4x and 40x larger than it ought to be, in order to swing a political argument about end-to-end encryption in the UK.
  5. If the 97.5% worst-case were applied to the 75,578 UK reports, it would suggest that the number of reports pertaining to new and malicious abuse in the UK would be a little less than 1900, total.
  6. The real figure is surely larger than that (?) but any number in the “low/few thousands” is shocking to compare to the headline of “14 million”; it would be interesting to know the truth, because “14 million” is not it.

Postscript: A Note Regarding Scale

If the number 350,000 looks large to you… that’s perfectly normal. People tend to have a challenge when first encountering what tech companies call “scale”.

By way of comparison for criminality, it’s useful to consider (say) the global murder rate, which at the moment stands at about 6 murders per 100,000 people on the planet. This rate varies from country to country, of course (e.g. 1.2 per 100k in the United Kingdom), but overall it’s a little more than 6 per 100k.

For the sake of argument there are 2.5 BILLION users of Facebook, globally — actually probably somewhat more, but being conservative that’s a reasonable number.

Feed these numbers into Google and you get:

You did know that you can use Google to do maths?

… probably around 150 thousand Facebook users are murdered per year; given that Facebook tends to be more popular in first-world countries where the murder rate is lower, that number is probably a bit smaller, but as an order of magnitude it should be correct.

I have written about this before, and at greater and more involved length, but I mention it here to underscore that rare events like murder, when considered at a global, Facebook-sized scale, are going to occur many hundreds or thousands of times irrespective of how rare they are.

Comments

4 responses to “The @ukhomeoffice-funded #NoPlaceToHide campaign claims that “14 million reports” of child abuse may be “lost” if @Messenger implements #endtoendencryption. Here’s a horrible thought …”

  1. […] encryption is brought in. But the security expert Alec Muffett has dug a little deeper, and found a number of serious problems with the claim. First, 14 million seems to be a global figure, not a purely UK one. Secondly, many reports are […]

  2. […] some actual numbers into the public discussion, numbers which are marginally more useful than the vastly over-inflated “numbers of reports” which NCMEC publishes, and which Ian and Crispin themselves criticise at considerable length: […]

  3. […] The platforms — even more than Hallam’s perspectives on Government — do not want to be seen to be compromising their global privacy ethics for some parochial purpose; and they also know that there is greater good to end-to-end encryption than even the statistics of actual abused children co…. […]

  4. […] NCMEC in particular is mourning that the numbers of “reports” of “hits” against their database of “PhotoDNA hashes” will drop; what they are less forthcoming about is that the vast majority of that number are meaningless duplicates posted by people who don’t represe…. […]
