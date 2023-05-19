



The technology mandated by the UK government’s Online Safety Bill could be used to turn millions of mobile phones into facial recognition tools.

That’s according to new research from Imperial College London investigating the potential privacy implications of a tool called client-side scanning (CSS). The Online Safety Bill will introduce CSS to flag images known to be illegal content, such as child abuse images, when they are shared, before they are encrypted and sent.

New research shows that governments can use CSS to search people’s private messages (for example, to perform facial recognition) without people’s knowledge.

“We urge policy makers to thoroughly assess the strengths and weaknesses of client-side scanning, including the risk of abuse, before passing legislation mandating its installation on millions of mobile phones.” Dr Yves-Alexandre de Montjoye, study author

The Online Safety Bill is currently being debated in the UK Parliament. CSS is also included in an EU proposal that, if passed, could mandate installation on hundreds of millions of mobile phones. It’s already being developed in the US by companies such as Apple.

The new paper will be presented and published next week at IEEE Security and Privacy, one of the world’s leading security conferences. Corresponding author Dr Yves-Alexandre de Montjoye of the Department of Computing at Imperial College London said: “This bill would require the installation of software that checks if you are sharing images known to contain child sexual abuse.

“But what our paper shows is that facial recognition, the same technology used at airport gates, can be used to scan private content from the phones of hundreds of millions of people, such as , that other hidden features can be built or tweaked into the software.”

Governments have long been concerned that end-to-end encryption, a feature used by messaging apps like WhatsApp and Signal to ensure that only the sender and intended recipient of a message can read it, could prevent law enforcement from accessing messages containing illegal content.

To address this perceived risk, the proposed bill would require apps to install CSS that scans images on mobile phones before they are sent encrypted.

The software compares image signatures with those of known illegal content from official databases. A “match” indicates that the content is known to be illegal, and it will be reported and shared unencrypted with criminal agencies.

But researchers say the findings show that the risks aren’t understood well enough to mandate implementation on hundreds of millions of devices.

To conduct their research, the team recreated the algorithms behind CSS and matched image signatures against a database of known illegal content. Then they taught the software to scan the content and find the faces they wanted. They showed that their software is indistinguishable from the original software, while at the same time being able to identify wanted faces in photos of people with great accuracy.

Co-author Shubham Jain, of Imperial’s Department of Computing, said: “But CSS can add a backdoor to personal devices, sacrificing the privacy of millions.”

Dr. de Montjoye said: “It is our opinion that client-side scanning is not the harmless ‘single-purpose’ technology described in Congress. We urge policymakers to thoroughly assess the strengths and weaknesses of client-side scanning, including the risks of abuse, before passing legislation mandating its installation on millions of mobile phones.”

“Hidden Dual-Purpose Deep Hash Algorithms: When Face Recognition in Client-Side Scanning,” by Shubham Jain, Ana-Maria Crețu, Antoine Cully, and Yves-Alexandre de Montjoye, IEEE Security and Privacy.

