IGF 2025 - Day 4 - Workshop Room 2 - WS #241 Balancing Acts 2.0 Can Encryption and Safety Co Exist

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> DAVID WRIGHT: Okay. Good morning, everybody. And a warm welcome to this workshop this morning. Which we're going to run through. Balancing acting, encryption, privacy ‑‑ excuse me. It is great to see the speakers join us as well on the balancing acts 2.0: can encryption and safety coexist? My name is David Wright at director at the Safe Internet Center. It falls to me to moderate this particular session.

Before I do give the floor to speakers just to introduce themselves and add some opening remarks, just to give a little context around this workshop. We're building on the success of the IGF 2024's workshop, which was balancing acting: encryption, privacy, and safety measures. We want to see how if we have encryption and child protection. This year we're asking if it can exist. We have lawful models without undermining the encryption. Particularly the regulatory standards frameworks.

Tensions between platform accountability, privacy, and state responsibilities to protect vulnerable groups. We aim to move beyond the positions and explore how multistakeholder engagement can help develop rights expecting balance approach to encryption policy. That's subject that we aim to cover.

So, we will be just running through I'll allow the panelist to introduce themselves shortly and add some general opening remarks before throwing a series of questions that we have to them. Then there will be an open floor. Just will be asking and enabling you to address the particular questions based on what it is they have contributed. The code of conduct applies to all of us. We have seen some emotional content. Please, I ask that the rules are upheld.

I'm just going to start off by allowing the panelist to introduce themselves. I'm going to start off with Andrew.

>> ANDREW CAMPLING: Good morning, everyone. I'm Andrew Campling. Congratulations to surviving to the final day of our event. I work in the tech space and also I'm a trustee of the Internet watch foundation which is focused on finding and removing child sex abuse material online.

>> DAVID WRIGHT: Thank you. Next to Katie.

>> KATIE NOYES: Absolutely. Good morning, everyone. I'm sorry to not be with you in person. Katie Noyes, I'm from the FBI, I've been working in lawful technologies for the better part of five years. We focus on ask security counseling emerging technologies and really preparing our environments. I have one portfolio.

One of them is lawful access. We're going to talk about that today. I have the FBI patent programme which is super fun. We have 26 patents. Most people don't know about the organisation I also have the group that's involved in the technology standards. We have membership and even leadership roles in many of the international standards development organisations, so that we can be shoulder to shoulder with all of the multistakeholder partners from a public safety point of view. It is a great collaborative space. Thank you.

>> DAVID WRIGHT: Thank you. Next up is Honey.

>> HONEY MAKOLA: Good morning. I'm Honey Makola. I am also Vice Chair responsible for security of the international communications union. I'm familiar to technical work in that respect. I'm very passionate about regulation of causes. I work for the regulator. It is important to highlight regulation and accessing the councils that look at balance of regulation for online participation.

>> DAVID WRIGHT: Thank you, Honey. Finally, if I can throw it to Lloyd. Introduction and opening remarks.

>> LLOYD RICHARDSON: Good morning. Thank you for the introduction. I'm Lloyd Richardson. I've been doing this work for about 20 years now. Our organisation operates Canada's national tipline for reporting online crimes against children. We also operate a global project which deals with the removal of child sexual abuse material locally. We see the front licence of harms to children. Been working in the space for a long time. I worked in the technology sector before intersecting with children in the space. I'm passionate about the issue. Pleasure to be here today.

>> DAVID WRIGHT: Thank you, Lloyd. It I would be remised if I didn't remark really on the time of the day that both you and also Katie join us. Being 4:30 in the morning. I appreciate the commitment that you've shown. It is going to be a long day for you. Thank you very much. As you are going to start off with throwing the question to Katie. Katie, just to give you the real world consequences and encryption and what they are particularly those involving children and also how can law enforcement seek access?

>> KATIE NOYES: Thanks. These are great questions. Honey, I want to remark I loved what you just said. Regulation need not hamper innovation. That's probably a great place to start. I couldn't agree more. It's been only the collaboration with the industries are involve. It is only against criminals and adversaries to include the successful investigations because of the technology partnerships and being able to stay ahead or at least have some parody with understanding the criminal tactics, techniques, and procedures.

You know, the methods they are using to turn our citizens into victim of crime. Again I take that very seriously. I think just again a quick general statement is encryption and safety have to co‑exist. We are here today because they have to co‑exist. We have to find a way. The challenge is real. Let me kind of explain why. I think sometimes this gets missed in a lot bit of understanding. For those of you who, you know, maybe new to the conversation, first welcome and very much welcome your perspective. We're very open group here. Both the panelist who evening for some time and really all of us in the space. There are two parts to the process. We need to be able to show and offer that to get an order. That's the first step in a rule of law country like the United States. It is the first step as we have to move to a judge that we have predication to be able to request the information in general and request access. It is the second part of the process where the focus of this conversation and others ends up going.

Once we have that order, then what happens? And in the case of encryption, it is really kind of an interesting one. Particularly end to end encryption which is more many cases when an application or technology was rolled out, it wasn't end to end encrypted. So for sometimes, up to seven or eight years, law enforcement had this process with provider where we would retain, you know, garner the order through the process, present the order, and then we would have the technical access needed so that two‑part process had parody. Now in the case of deployments, and I think this is the challenge for us, now we in law enforcement, we know what we are missing. I can give you some examples.

First, let me just state we're always asked to quantify the scope and the scale of the impacts. We do try to now have a little bit of an understanding of the quantifiable side of this. We're trying to and ask questions of the investigators. I was able to share the figure and able to share. It is everything from needing to stymie the case, because we don't have all of the facts for the investigation. One of the biggest impacts is violent crime against children. We're able to see and have access to the evidence, we know what the cost is when it is then what we call warrant proof, meaning it is behind the end‑to‑end encryption with no way to ask security councils the content. Here's how critical that is. Many of you have either experienced this in your own countries or heard about our cases on actual extortion or sextortion.

That individual unfortunately took his own life, because he was being extorted by criminals who were perpetrating the crime from Nigeria. We were lucky to see how they approached Jordan, and one of the individuals goated him to take his own life. You should take your own life. That features prominently in the individual's sentencing. It is crucial for seeking justice for these victims and for the parents of Jordan DeMay. There were over 100 other victims. That's one of the key changes. We can't stop the harm when we can't actually follow to conclusion of successful investigation in this space.

Very quickly, I'll touch because I think I'm probably way over time I'm allotted here. I'm excited for the conversation of what is in the realm of technically possible. How can we actually find a method in technical solution where encryption and safety can co‑exist. We've been very encouraged by some of the research and white papers and throwing things out like home morphic encryption. Looking at the solutions where it is like a wiretap, if you are familiar.

From this point forward with the order, now we would only be affecting the architecture of the single subject for who we have predication. I think there's a lot to discuss in the space where we could find comfort, observability, and ability to audit and look at what we're doing in law enforcement and be able to view the processes and also ensuring that we're enabling the ask security councils that we want to make sure we can stop the harms. I'll stop there. Thank you for the opportunity.

>> DAVID WRIGHT: Thank you, Katie. Yes. We shall now move it on to throw the question next to Andrew. On my left. Two or three questions. How do privacy standards become standardised? And perhaps finally just a supplementary question of any examples that you could share that might demonstrate the practice?

>> ANDREW CAMPLING: Thank you for the questions, David. Yes. Firstly, in terms of, you know, how do privacy arguments become weaponised? I'll broaden it to not just in standards development organisations, but sometimes in other forum. As David said in the opening remarks, it is an emotive topic. Whether it is about privacy or child safety. Both of those are motive topics. So sometimes that in itself makes a useful discussion challenging. Sometimes we have examples where the privacy issues close down the meaningful conversation. And just used as the reason to not do something. It may be a good reason. I think it needs better explanation than just we can't do that because privacy.

I think you need to unpack that and say specifically why and then if it is an SDO, big into the specific technical reasons and understand if they are bury or solutions. There may be a technical solution and there is that will give you privacy and child safety. In reality, they don't need to be in opposition. And, in fact, some cases actually if we talk specifically about encryption, inadvertently, the use of encryption to include privacy can sometimes weaken privacy and security. And there are some current examples where met data is being encrypted to include privacy. Some of the meta data includes the important indicators of compromise. Signals to your fire wall tour enterprise security software that the system has been compromised by malware. And by encrypting that meta data, you may be open to attack.

Ironically, you may be losing your privacy because of that encryption. I think we have to be careful, sometimes, we don't blindly do things for good seasons without fully understanding the consequences of those reasons. I'll give you a different example. We know from research that the big so‑called end to‑end encrypted messages platforms are widely used by offenders to share child sex abuse and material. There's extensive research with an enormous sample size. It is over 60,000 files that work in the sample explains what tools they use and these are the tools they use to share their material. And again often the conversation on what can we do anything about that is closed down straight away. We can't do anything with end‑to‑end encryption because of privacy. There are techniques that you can use.

Without the need to block the back doors. This can be used that doesn't affect the strength of the encryption. There's no need for a back door. Many of them already use the technique. It's being employed in the software. People don't object to it in principle and possibly don't realise it is already in the software that many of us use. You can do that without affect the privacy. The only time is when someone is trying to share unknown legal images. Privacy is a qualified right, if you are doing an illegal act it is reasonable that you might surrender your right to privacy.

Second question that what are the barriers to standards bodies. In fairness, be more specific it depends on the standards body. So, for example, there's a number of us here from the Internet engineering task force. There are no barriers. Anyone can attend. You don't have to pay to attend remotely. You have to pay to attend in person. And by the way, the remote tools for attendance at the ITF are fantastic. You have the equal basis to the in‑person participants with access to the conversations and coon. That said, and I'm sorry some of the other barriers that you have to be part of the national group or pay to participate and so on. It depend on the SGO. Whether it is specific intentional barriers. There are other barriers though. So the cost. There's a real cost to attend. The IGF, for example, to diversify attendance. There are pretty extensive travel costs, hotel costs, and so on. There's also the cost of people's time. Not only do you have to commit to attend the meeting, if you attend in person, you are committing to attend for a week. And with any of the SDOs, you have to attend for a while to understand how it works and engage effectively. You are look at a multiyear commitment to effectively engage. You only need to bring relevant knowledge.

You know, just wandering in off of the streets would be challenging for any of the SGOs. Having said that, it is absolutely an important thing to do. Because any of the DOs can always benefit from better diversity in their attendance. Again I'll refer to the IGF as my reference point. We have fantastic representation from the tech community. In my view, we are upholding on gender diversity. And they need to do significantly better there. We were absolutely benefit from better representation from groups with experience outside of the tech sector. Whether that's network operators, or whether that's Civil Society groups, regulators, government, and if we had that broader representation, we would have better standards. And all of that's true of all of the SDOs. Please if you got the right knowledge level to be able to engage, please do so. It would be worthwhile. Final answer.

Why would it be worthwhile? As an example, inference controls are probably the one tool that parents have to try and manage if that's the right word the user experience that their children have. But we know that there's so many of them. Even technical experts struggle with the parental controls because of the sheer number of them on any given device. We have the ISP controls. They are all different. They don't need to work. They use sometimes the same terminology to mean different things. I have the CTO of the technical organisation tell me he struggles with the parental controls and he certainly has, you know, enormous technical competence.

It is a problem. Where we can use SDOs, some of us are working on the proposal to develop a protocol, so they can interwork and education change signals with each other. So you don't have to invest time in every single one of them to put reasonable controls on your device. And if anyone is interested in that, let's have a conversation afterwards. That might be a useful thing we can do where the Civil Society can actually input useful knowledge that isn't currently present in some of the SDOs.

>> DAVID WRIGHT: Andrew, thank you very much. We're next going to turn to Honey. Honey, your two questions. How should it address regional diversity. What's the model that show promise in safety and privacy.

>> HONEY MAKOLA: Thank you for the question. I want to pick up on what Katie said. It is not mutually inclusive. It highlights the importance of collaboration. But to make encryption policies work together, we need to think about how diverse the points are. Especially where I come from. We have registered with the state and then you also have Mozambique. They are trying to balance the safety, privacy, and capacity just in the way that fits their own local context. Whether this is wrong or right. The main point is they are trying to have a certain at balance.

Then in the global south, they are taking into consideration that we have limited local infrastructure, including data centers, and this also poses a challenge, posing some of the countries that rely on external resources with the processing. When we talk about global encryption, there's a need for investment in local capacity and technical community as well. They mentioned the technical work involved. That will be meaningful participation the global south. We're not just adapting, but we are helping shape them that applying a real opportunity. We are trying to build capacity and technical skills and capabilities at the same time.

In the end, the encryption policy will not work if it doesn't reflect the diversity of the different regions. And in terms of the second question, what the models for safety and privacy, I'm assuming with regard to the global south. I think the most promising regulatory models are the ones that enable law enforcement access without weakening encryption or undermining the user trust frameworks in my county, South Africa, Nigeria, and Brazil require the access be granted only through judicial authorization and based also on clear legal criteria, such as necessity and propositionally. This is the protection of fundamental rights.

While the legal framework incorporates judicial and provider registration, there's definitely room for improvement. We need greater clarity in terms of the obligation on providers, alignment with evolving international notes and also I do think that we are on the right path. But there's still room for improvement.

>> DAVID WRIGHT: Honey, thank you very much. Just by way of the final contribution, we're going to throw it to Lloyd. Lloyd, from your perspective, how does strong encryption affect the fight against online child sexual abuse? And secondly as well what safeguards are needed to ensure child protection is prioritised in encryption debates? Lloyd?

>> LLYOD RICHARDSON: Yeah. Thank you. Firstly, I agree with all of the previous colleagues. It aligns with everything I was going to say. I really like to encapsulate it by saying it is not necessarily about banning encryption and banning this cipher and et cetera, et cetera. It is more about the responsible use of encryption. I think there was a statement before about the weaponisation of encryption. I think we can sort of point to real examples of that in the world.

Where we see, for example, client server and related to Facebook messenger. There was an enormous amount traded that way. They were able to prevent it from being distributed and disseminated. They chose to turn the lights off with that. That's irresponsible use of encryption. You are seeing harm and turning a blind eye to it. In a lot of ways when we're talking about media distribution in adult context, I think there needs to be methods by which we can identify child sexual abuse specifically in the media sense. But there's also areas where we see children being affected in terms of adults communicating directly with children. That touches on some of the examples Katie gave earlier about where adults have access to children on the Internet by way of a platform, not delineating children users or turning a blind eye to what is obviously a child user and adult user. They intersect with essential consequences. I can echo that we've seen a hand suicides here in Canada.

It deals with dozens of sextortion requests. If I'm industry in the face, that's a cost center for me. If I can turn on end‑to‑end encryption and void moderation, it is cheaper and makes more sense to approach that way. I see problems with that. We need to look at where infringes can be applied in the responsible way. I would use examples that we see in the brick and mortar world.

What we see in the financial institutions. If banks decided they wanted to have financial transactions completely end to end encrypted from point to point, that would be a great scenario for people to perform money laundering. The reason they are not allowed is no, you may not. You can use client server and must inspect the communications. That is what we have developed. If you don't do that, you are going to have problems with money laundering. It is the exact same thing that we see on the Internet. We've been slow to regulate in the space and apply to the appropriate technologies where there's a balance of safety and privacy.

>> DAVID WRIGHT: Lloyd, thank you very much. We're going to open the floor for questions. Before I do, I'm going to turn to my colleague, Boris, who is compiling and has been watching the online comments. Boris, if I can invite you to the microphone. If there's any particular questions that we've seen online. That can be addressed for the panelist.

>> BORIS RADANOVIC: Thank you very much. There's been a lot of discussions in the comments. Thank you for your contributions. I'm going to ask and try to convey this the best that I can. Please help me. First one was is it possible to create an encryption protocol that balances personal privacy and national security without compromise? Kind of the second part as well was a question that did not know about the FBI standards work and is FBI which organisation is it working with? There's been a couple of comment on ITF. I'm not sure if they are direct or not. ITF waves fees for NGO participants and decisions are made remotely and physical participation is not required. Thank you for that, if that's correct.

There was one question in regards to parental controls. It might be interesting. Perhaps maybe government and suggestion from the contributor can fund better development of the effective tools. There were questions and comments on the distributions and the examples of privacy concerns that get weaponised. Is there any you could share. I hope you share to ask the panel. Thank you so much.

>> DAVID WRIGHT: Thank you very much, Boris. We'll have a go answering them before we open the mic. There was an easy one as well. If there was any information around them if there was any organisations that you refer to.

>> KATIE NOYES: Thanks. I'm glad to hear the interest in that. I'll give a couple of examples. In the international telecommunications union. I love seeing I with Study Group 17. We're involved in the Study Groups there from all manners. Trying to keep pace from the public safety point of view. And ICANN, Internet corporation for assigned names and numbers that manages the domain names, if you are not following the group, we have the co‑Chair of the public safety Working Group is from the organisation.

That's really heavily focused on really stemming and making sure we all collectively understand DNS or domain name system abuse and then also access to IP address and be able to make victim notification and how is the process working? There are two prime examples that we're involved in the organisations.

>> DAVID WRIGHT: Thank you, Katie. The other question I'm going to turn to you here. Particularly with the encryption protocol and parental controls points as well. Can you take both of those?

>> ANDREW CAMPLING: Yeah. I'll briefly touch on one of the others. On the encryption, there have been put forward where you can have encryption and respond specific to the question and governmental access to the content. I think it will be under states and I think there's some skepticism as to the appropriateness of that approach. I think one of the proposals was called the protocol. It has been criticized as effectively providing a back door that could be exploited by the bad actors. There are issues with that. I'm happy to have provide more information online. I think jus on the fees ITF; you can participate literally no financial cost at all online.

There are no question fee waivers for online ask security councils and unlimited without question fee waivers. There are a small number of in‑fee waivers for in‑person attendance. You need a clear justification. You have hotel and air cost to pay. There's no funding for that. You need to clarify why you need the fee waived for the registration fee if you can afford to be present anyway.

Remote access is totally free. Someone asked if I have any examples of weaponised discussions. I do. I don't think it would be appropriate to share those. We want to keep this as a constructive discussion. Sorry. Parental controls is a good conversation to have equality. It might be in the conversation to have governments reviewing the operations of parental controls and maybe getting involved in the discussion about the usefulness of having a protocol, so there can be some interconnectivity between the controls. Standardisation that will be hugely controlled.

>> DAVID WRIGHT: Thank you very much. If I could now invite and ask you to introduce yourself and ask you to keep it to a couple of minutes, that would be good. Thank you.

>> AUDIENCE: I'm Warren. I spend most of my time in the ITF. Thank you for noting how open it is. I want to amplify the message. It is free to participate remotely. The next meeting is July 19‑25. If you would like to participate, chat with me. I'm happy to help you figure out how to get started.

>> ANDREW CAMPLING: It is in Madrid. If anyone in Europe wants to attend in person.

>> DAVID WRIGHT: Thank you, Warren.

>> AUDIENCE: Hello. I'm Simon. I'm a student here in Norway. I wanted to ask their perspective on this as my view is that if we start doing these things as allowing governments to access encrypted communications and you can say we do client scanning. I don't see how this won't harm things as journalism as if the government turns corrupt, how can journalist keep communications and stay safe for communicating and criticizing the government?

>> DAVID WRIGHT: Simon, thank you very much. We'll take each question in turn. Andrew?

>> ANDREW CAMPLING: Yeah. I'll offer a thought on that and hopefully some of the other panel will as well. Thank you, Simon for the question. Specifically on the client side scanning for the sharing of known child sex abuse. You can only get it from a trusted flagger. You can secure the hash file that's been shared to protect it from being interfered with by a badly intentioned third party, including the government. Ultimately, I think we have to be honest if there's a government can bad attentions as perhaps other tools and other levers they can use anyway, and there's maybe not technical solutions to that.

You know, there are other solutions needed. I think you can put some safeguards in to protect against the abuse.

Again I'm happy to have a longer discussion offline in the interest of getting more people. Great question.

>> DAVID WRIGHT: Can I extend any response to that, Katie, Honey, or Lloyd?

>> RICHARDSON LLOYD: I would weigh in by saying there's inclusion of throwing in the government automatically there. There seems to be the automatic. In the examples that we're talking about, it is the man in the middle being the person in the industry doing the intervention in term of data. It doesn't mean the government is descripting. It is likely based on the judicial order, depending on what country you are in. It is sort of the hypothetical based on a particular government in the particular country. It is hard to answer it really specifically. What I can say in the context here is I don't see the government as being receptive.

>> DAVID WRIGHT: Anyone else?

>> KATIE NOYES: I'm going to weigh in really quickly on that one too. I think these are good points. I think that's part of the reason why we're saying and why we're asking for the technical assistance. There's a two‑part process. One is for us getting the order and serving that process right to a provider. I think that's why it is so important to have the provider in the mix of the processes. There's a check in balance. I think one of the channel challenging for journalist worldwide, Andrew was saying there are all manner of tools used against them. By the way, that's part of the protective mission is to ensure that we're protecting, right, one of the things about privacy that I think is interesting is when you define privacy, if you look at a lot of terms of service for a lot of the providers who are providing the services, it wants you to be free from harassment, so that free from harassment in your example where you are saying there's harassment coming from potentially an authoritarian, how do we protect against that?

That is one of the reasons why for us in the FBI we're so keep to, I think, have the partnership and collaboration with the process of the orders that are provided to a provider. There's another party that can offer the checks and balances and making sure what is covered in the order. When we start getting to other techniques like computer network exploitation or hacking tools that are used against journalist regularly, that's where I think you get into the ungoverned space. Where the ask security counsels are no longer. It is a really good question. Why we favor to ensure there's the ability for auditing.

>> DAVID WRIGHT: Thank you. Next question.

>> AUDIENCE: I'm representing Finland. My background is at the university. I'm a mathematician and computer standards. I think I understand the techniques a bit. First the comment on clients that have studied the idea a fair amount. I don't think it can be done safely. There are lots of comments, one hasn't come up. It means he's telling software and everybody's phone. That would be an irresistible honey pot for all kinds of bad actors in the countries that we don't want to have.

I was intrigued by the mention of the homomorphic encryption. I think I understand highway it works. I know what it means. I don't think how it could be effectively used. Whether you are like the clients. I want to ask if you have a concrete implementation and paper that opens up. It could be used here. There's a testable code. The solutions that I see amount to sharing the key and breaking the encryption. At the same time, it is the same question about differential privacy. I won't go more into that. Thank you.

>> DAVID WRIGHT: Thank you. Just before I open it to the panelist, one of the panelist that was going to be talking about the technical solutions. Arnaud is not able to join us today. The question about homomorphic encryption was one that Arnaud could have taken. I do open the floor.

>> ANDREW CAMPLING: Yeah. I'll pick up the question on the client‑side scanning. It is a great question. Perhaps we need clarity on what we need and how it could be done. What I'm talking about is let's say WhatsApp. I'll pick on that. As an example. The actual code in WhatsApp does the scan. Not a government‑supplied piece of software that would be. It is problematic. To have your third party software. It would be the application provider in store for the functionality. By the way, if you think that's a principle as I mention in the opening remarks, it is already in your phone. Example of that.

Again I'll use WhatsApp, but it applies to other messages apps. If you type in the URL, unless you disable it, it will by default produce an image of the landing page within the message when it is sent. That's client‑side scanning. It looked at your message, content of the message, worked out there's a URL there, it has fetched that from the relevant site, and I believe with WhatsApp it is in doing that shared your IP address. If you are concerned about privacy, you might want to think about that.

If you do the client‑side, you can scan any files you wish to include with it. You don't need to know the list of known. There are no privacy implications. I think in the specific implementation, there's a concern with the third party piece of software. I don't know if anyone else wants to comment on that. If there's any response to the questions.

>> DAVID WRIGHT: Lloyd or Katie?

>> KATIE NOYES: Yeah. I want to weigh in. I've been watching the chat, by the way. Thank you for putting your comments in there and your feedback. You know, as we're having the discussion. I really want to take up sort of how do we find some compromise here? I know that the people on the panel and the people in the chat and people who are in the audience do not want children to be exploited. They don't want child sexual abuse material. All of us want to ensure their safety there. Let me open and throw it in the chat. I hope I'm not breaking any property toll here with the panel. I'm just interested. We've been really trying to figure out what's the workable way forward here?

We've been interested in reading papers about abuse resistant law enforcement access systems, for instance. Thing that is are trying to, crown, build trust which has to be a key here. We are, you know, I understand the criticisms of the FBI. We all understand them. We want to earn the trust. So we can only really, I think, do that if there are these processes; right? Where there are orders involved and some manner of, you know, auditing, there's some manner of transparency around these processes. So I wanted to put forward the idea of ‑‑ that we had heard before ‑‑ which is looking at the prospective solution. Yes. I'm the first to say it is not going to resolve all of the challenges that we have with ask security councils to digital evidence that we have authorities for. However, maybe it is a starting point for these conversations which is if we're looking at a prospective solution, what I mean by that is it is kind of like we give the order to a provider who is managing the encryption already. That's what the companies do. They are doing all of the manners and sorts of things around that encryption like patches and other things. I know some of that is different.

But, if we looked at a prospective solution where we were then only affecting the architecture of the single user with predication, you know, is there something that could be perceived as workable by folks on all sides of this debate and conversation. Is this a starting point for the true technical solution that provides, you know, kind of the assurances that folks are looking for and can build some interest and also at least restore some of the access that we already had. I think it gets missed in the discussion.

For many, many years, some of the performs did not have a full end‑to‑end encryption solution. That gets added later. That ask has been impacted without a solution in mind, even though there's again global recognition about the authority. I'm just hopeful that this conversation can come out of the back and forth on this is why we should have no and this is why we should have all and where can we meet in the middle. Let's maybe stop with the noes and weaponising of it can never happen and find the space in the middle where some of this can and should happen. I would love to take up fully the discussion of homomorphic encryption. There are challenges at scale. They are more for narrowing than decryption. I would very much like to engage in discussions with more technical folks. Over.

>> DAVID WRIGHT: Thank you. Lloyd or Honey, any remarks?

>> LLYOD RICHARDSON: I was going to touch on the example that Apple fully built with neural hash a couple of years ago and quite quickly threw in the garbage. I was going to touch on the example that Apple fully built with neural hash a couple of years ago and quite quickly threw in the garbage. It was audited by external folks. It was a complete example of how you can do client‑side scanning. I'm not saying I favor such a solution. It is a potential solution to side with the child protection. Better than nothing, which is where it is now.

>> DAVID WRIGHT: Thank you, Lloyd. Perhaps that's a starter for the conversation that Katie is called for.

>> HONEY MAKOLA: Not necessarily on the specific comment. There's comments in the chat that I would like to respond to a bit if I'm allowed.

>> DAVID WRIGHT: We just a minute. We can't actually see the comments. Boris, it is difficult to know what the comments are that Honey. Can you actually introduce what the comment is that you would like to specifically respond to given that we can't see the excellent?

>> HONEY MAKOLA: Yes. Maybe just weighing in first on the government involvement which we all heard. I think it sounds what we discussed last year in the very panel. On the issue of dual politics when it comes to international law and how it can pose a challenge. That question basically speaks to the different governance structures that are there. We really need to find a way of working around it. For me, I think, it boils down to the importance of why judicial authorization is important. When granting government access. And also the clear legal thresholds that needs to be defined in the legislation or policy and the transparency and mechanisms also need to be embedded in such policies. That's the first one. There was a comment by Ian saying that electronic communication transaction by South Africa has drawn a lot of criticism.

Yes, it is right. It has drawn criticism. It is in alignment. It is embedded in the framework which is an important point in balancing rights. It is about definitely room for improvement. The obligations for providers and the stronger procedures and safeguards and in alignment with policy in the space. They need to be aware of that. Those are the questions that I wanted to respond to. Thank you.

>> DAVID WRIGHT: Thank you, Honey. We may come to Boris. You just did after the next question. I'll just line you up for that one. Please, thank you for waiting so patiently as well.

>> AUDIENCE: No problem. I work in Internet access. Thanks for the conversation. I think virtually, it was one sided. I wanted to add another perspective. Like Katie mentioned predication. With the big cell phone type hack of the U.S. telecoms, they leveraged what is happening infrastructure that's being promoted here. That citizens at risk, including governments and children. We need to understand the end to‑to end encryption is getting the channel. I can run malware protection or parental controls using the encrypted DNS with protection.

The parental controls, I think is a good suggestion. The victim has access to the data; right? You can work with the victim to try to get the criminal in the data. So that's another idea. There's new data that's helpful. It is allowing you to make attestation and prove you can have some property. You can do age verification which I think will be really helpful.

The last thing is that even when we use the https, the domain names are in plain text. With AI, you can tap into your wild's school Wifi and collect the domain names and create a profile of your child and use that for targeting and extortion. Which is scary. We need to adopt the standards like encrypted DNS and it will hide the information and make them safe.

>> DAVID WRIGHT: Thank you very much for those questions. I'm going to open it to Andrew.

>> ANDREW CAMPLING: Let's go to Katie first. She's best informed.

>> KATIE NOYES: Yeah. There's a lot of discussion around that. The lawful intercept, it wasn't the vector for attack. But the information was accessed. It is absolutely something we are concerned about. The fib is concerned about encryption. That's why we are asking for it. We are not against encryption. We are not against end‑to‑end encryption. There's a balance here. That's the one of the things where we're really trying to have the conversation with all of you and with each other. We haven't had the conversations before. Which is what are those solutions for balance?

Again, I know all of us are committed to doing better about stemming sexual abuse material. What are those solutions? What are the ways that, you know, again I understand you are absolutely right making sure that victims are able to have an easy way to report and preserve the evidence to be able to report it. But the challenge for us is that, you know, the victims are sometimes not even in the mix as far as, you know, and with extortion, of course.

You know, there's a lot of challenges let's just say. Someone takes their own life or again if it is perpetrator to perpetrator, we want to make sure we're identifying other folks and that preservation is a tough one too to ask people to preserve their own evidence and put the sole responsibility only on the victim and user. Your points are right. Don't mistake me. They are great ideas. I want to hear more of those. I've been very excited hear the interventions here. Keep them coming. with salt Typhon, we are very concerned. We are all protecting that in a better way ourselves as well.

>> DAVID WRIGHT: thank you, Katie. Andrew?

>> ANDREW CAMPLING: I want to be quick and bit superficial for time. On the indicators of compromise that two quick thoughts. One is yes; encrypted DNS is useful to protect from a third‑party observer. You are sharing your data with the resolver operators. Some of those resolver operators where there's not good privacy regulation. Assuming by putting in encrypted DNS you've fix privacy, wasn't isn't what you said. That's not true. You have to consider who is operating the resolver as well. You may have bigger issues.

Also, on the indicators of compromise, that's absolutely used by fire walls and other software to identify when you have an exploit has happened and maybe data is being exfiltrated. I think we need to be careful. Some of the people that are working on that maybe focused on encryption and not on the broader security ecosystem, if you will. That's probably a longer conversation that we can easily have in the next seven mines and 21 seconds.

>> DAVID WRIGHT: Lloyd or Honey, did you want to add anything?

Okay. We can move on. Please do ask the question.

Boris, I'll come to you next. We have only seven minutes left. We probably will run out of time for further questions. Please.

>> AUDIENCE: I think I know most of the people in the conversation. How many times have we been having this conversation at the IGF and ITF in the last ten years? 20 or 30. Every time that someone says we should do this. They made the abuser. This is still that of not having the intersection. The problem with the discussion is it is a political discussion of balances compromise. I think the compromise might be depending on which country you are from.

How big in your country and whether you have organised crime or don't? Allowing the lawful in Norway is different than Iran. This is why I'm starting to think we could focus on the development of this in another direction. Every country will decide this at the political level. If we decide to do this, can we find ways to prevent it from spilling over and what's the best way of deciding this and managing this? Do we have any advice for governments that want to do this? In terms of safeguard and taking ways of doing this. Maybe this could be something that's more productive than stating the arguments every time.

>> DAVID WRIGHT: I admire the question. If it was an easy thing, we wouldn't be recycling it. It would have been fixed. I recognised the point. Andrew?

>> ANDREW CAMPLING: Agree. Great point. Can I just maybe build on that slightly without addressing it? It is a complex solution. I think if I extrapolate that, the reason is we ought to just remind ourselves it is important. If we look at child sexual abuse and exploitation, the current estimates of roughly 300 million child victims annually. That's roughly 14% of the children across the world, which means every country, probably every one of us, we might not know them, but probably we've got people close to us that are victims.

So, it is the sheer scale of the problem that's been enabled by the Internet, which is why I feel we need to find a solution, but to Victoria's point, accepting there are tradeoffs. We have to do this with accepting the tradeoffs and maybe try to minimise the risks of those tradeoffs. But they will exist.

>> DAVID WRIGHT: Thank you, Andrew. Lloyd and Katie, any response to that?

>> RICHARDSON LLOYD: I think it was a really good point, actually. I think if we continue down this road, you are going to see a sort of split as nation states declare their sovereignty on the Internet. It won't be the one unified thing anymore. If you are not going to come to this sort of standard, because this is a country of law and order, then you are going to start seeing fracturing happen, I think. It is not fair what's going to happen in this country will happen in this country. We can't stick our head in the sand and say there's nothing we can do about it. I think the risk here is the fracturing that we're going to see if we don't address the issue to some satisfactory sort of level.

>> DAVID WRIGHT: Okay. In the last couple of minutes, Boris, if we can. I'm now intrigued with all of the conversation going on online, if you could summarise that in two and a half minutes.

>> BORIS RADANOVIC: That's not going to be possible. Thank you, everybody, online for contributing. It is difficult to follow. Please read them afterwards. I hope there's a recording. An interesting point has been raised. It showcases the point of the discussion in setting up the future panel discussion. It is an important point to make.

There are reasons to use one application or another. High‑tech any call standards are not banned in police investigation. There was a diverse discussion online. Thank you to everybody who sent them. Keep sending them.

>> DAVID WRIGHT: The final one minute, I'll bring this to a close. Boris, thank you to you for trying to summarise all of that. I think we've heard a lot in the last hour and a quarter. There were quotes, one of your first comments, Katie. We have to find solutions to this despite as the question said is we keep coming around. It is one that we have to resolve in some manner. I like the suggestion to focus in one particular place. That's where we'll start. I thank all of you for joining us this morning. As Andrew said, the last and final day of the IGF. If I can just close to show your appreciation to what is an extraordinary panel. Thank you all so very much. Thank you.