Summary Report: Panel on Terrorist Use of E2EE

On 21 September 2022, Tech Against Terrorism organised a panel discussion on terrorist use of end-to-end encrypted (E2EE) services. This event, organised on the margins of the United Nations General Assembly, concluded our 2022 roundtable series on assessing and countering terrorist use of E2EE services, which focused on risk mitigation strategies that are technically feasible, proportional to the threat, and safeguard privacy and security for all. This session saw participation from counterterrorism experts, digital rights advocates, and government and tech sector representatives.

The panel was organised following the publication of our landmark report on “Terrorist use of E2EE: State of play, misconceptions and mitigations strategies”.

• The desire for privacy through the use of E2EE services has substantially increased due to the growing digital nature of everyday life and communication.
• Encrypted services are mainstream and readily available. As with other widely available technology, terrorist and violent extremist (TVE) actors have been exploiting E2EE services for malicious purposes.
• TVE actors still need access to public-facing platforms for recruitment and propaganda purposes. From public-facing platforms, TVE actors will often outlink to encrypted channels for operational security and communication.
• The risk of TVE actors exploiting encrypted services cannot be neglected, and service providers, alongside policymakers, should propose a mitigation plan that focuses on the data that is not encrypted.
• Online privacy is a fundamental right. Strategies to mitigate TVE use of encrypted services must be proportional and balanced against the need to protect online security and privacy.
• Encryption protects the right to privacy and freedom of expression. Governments and legal bodies must do more to enable tech companies to protect encryption, and to support mitigation strategies that do not entail breaking encryption.

“Breaking” encryption is not a viable solution

Participants discussed the feasibility of technical solutions providing law enforcement with access to encrypted content, or allowing for the systematic scanning of encrypted content to detect TVE content. They raised that whilst technical solutions may seem an appealing and easy solution, they are resource heavy, difficult to implement at scale, and present a risk of abuse, including by malevolent actors. Participants notably highlighted the risk of authoritarian states mandating access to and monitoring of encrypted content. Given the global nature of the internet and the replication of similar online regulatory requirements across jurisdictions, the risk of an encryption mandate passed in a democratic country and replicated in authoritarian states cannot be ignored. Participants highlighted that governments and legal institutions should enable tech companies to protect encryption and promote mitigation strategies that do not entail breaking encryption. Participants also highlighted the risks of criminal actors exploiting any weak point in the encryption protocols.

The participants also commented on the need to replace TVE use of encrypted services within the broader online threat landscape to understand why and how encrypted services are being used, their relation to non-encrypted platforms, and the adversarial risks of breaking into encryption. The discussion focused on TVE actors’ awareness of operational security (opsec), in particular their understanding of the difference between “private” or “secure” and encrypted messaging. The discussion also focused on TVE actors’ tendency to migrate from one platform to another when their opsec is compromised or when they are targeted by moderation actions. In doing so, the participants all agreed that if encryption is compromised, TVE actors would move to more secure platforms, including to non-compliant platforms, if breaking into encryption is mandated by law.

This points to the wider argument that breaking encryption would fail to meet its goals of countering the TVE threat as TVE actors would simply migrate to other platforms and use tools to evade monitoring.

Promote encryption compatible solutions

Whilst participants warned against the false appeal of technical tools breaking into encryption, they highlighted that other solutions exist and are easy to implement for encrypted service providers to counter TVE use. This includes user reporting, which participants identified as an existing detection strategy that should be further promoted across encrypted service providers. Participants also stressed the importance of ensuring that platforms’ user reporting systems are easy to use in order to limit frictions in the reporting process.

For an overview of encrypted services providers offering a user reporting process, see Tech Against Terrorism’s report on terrorist use of E2EE, section 18.a on “Reactive content moderation and E2EE”.

Focusing on how encrypted services integrate within the broader TVE online landscape, the participants stressed that mitigation strategies should focus on preventing TVE access to encrypted services in the first place. In doing so, participants discussed how public facing platforms are linked to encrypted services, with TVE actors relying on public platforms for recruitment and audience reach, then moving over to encrypted spaces. Participants highlighted that limiting the use of joining links could help break the link between public and private spaces, introducing friction in the transition from public to private spaces and preventing access to encrypted services from being easily and widely shared.

Frame encryption in a positive manner

Participants noted the importance of clarifying and shifting the narratives around encryption to limit users’ confusion around what encryption means. They also discussed the need of a proactive and positive understanding of E2EE in discussions around its regulation, to raise the standard around online privacy.

In relation to this, participants agreed that E2EE is a common and critical element of our contemporary world and of our online lives. They discussed the need to move away from calls of breaking reducing access to encryption, and towards the development of solutions that safeguard encryption.

You can find Tech Against Terrorism’s recommendations on countering terrorist use of E2EE, for policymakers and tech platforms, here.