The CEOs of five major technology platforms testified at a recent Senate hearing about online safety for children. A critical issue explored throughout the hearing is the availability of child sexual abuse material (CSAM) on these platforms. Several bills were championed as potential solutions, including the EARN IT Act and the STOP CSAM Act. However, lost in the emotionally charged hearing was the fact that proposed legislation could have unintended consequences that actually harm data security practices—and that the most effective solutions to increase children’s online safety might already exist.

Enhance data security without exacerbating the problem

The United States has no federal comprehensive data privacy and security law; instead, it relies on a patchwork of sectorial and state-level legislation. However, few states have their own comprehensive data privacy and security laws, leaving millions of consumers’ data less protected. With or without those laws, many consumers and organizations seek to implement data security measures. One example is technology companies pushing products with end-to-end encryption (E2EE) to protect data in transit (e.g., a digital photograph sent over the internet via email, SMS, etc.) and fully encrypted storage devices to protect data at rest (e.g., that same photograph stored on a hard drive).

Whether data is in transit or at rest, foreign adversaries and other nefarious actors lurk in the shadows, seeking opportunities to disrupt global commerce or gain strategic information to undermine national security. Because data security is immensely important to national security, the 2023 National Cybersecurity Strategy calls for the deployment of encryption to protect data, recommending accelerated research and development of encryption technology. Further, several of President Joe Biden’s executive orders have highlighted encryption as a tool to increase data security.

But the STOP CSAM and EARN IT acts go against data security best practices, and the Biden administration’s pleas for better data security are largely dismissed when E2EE technology is undermined. Debates on E2EE, such as whether encryption is a barrier to intercepting criminal evidence, are not new. And using CSAM as the impetus to decrease data security is a powerful angle that can sway these debates and drive political action. Undoubtedly, it is a strong appeal—CSAM must be ended. This author has investigated hundreds of CSAM cases and seen firsthand its devastating, far-reaching impact on children all over the world. Some provisions in the STOP CSAM and EARN IT acts, such as increasing funding to organizations and law enforcement agencies investigating these crimes, would help combat CSAM. But it should not come at the expense of data privacy and security.

The National Center for Missing & Exploited Children (NCMEC) reported a significant increase in reports of CSAM content, from 32 million in 2022 to 36 million in 2023. Several variables might explain this. First, more individuals adopt technology each year, meaning more people have access to devices that can manufacture or distribute CSAM. Additionally, increased public hearings, education, and overall awareness around CSAM are working as intended, and technology companies are improving their ability to track and report CSAM to the NCMEC. Often lost in the details is the significant amount of self-generated CSAM by young technology users unaware of the potential harm it can cause. Removing E2EE or self-deleting data technology from young users only exacerbates the problem.

Without encryption and E2EE technology, sensitive information would be at risk of interception by nefarious actors and adversarial nations as well as by law enforcement. Imagine politicians in the 1980s asking telephone companies to record all calls, allowing parents to monitor their children’s phone conversations, or requiring all mail correspondence to be sealed in transparent envelopes. While these policy solutions might alleviate the risk of children engaging in inappropriate conversations or encountering CSAM that leads to other serious crimes, they simultaneously generate a fresh array of challenges.

Take advantage of existing solutions

Safety regulations work well when individuals adopt the safety measures. While drivers can wear seatbelts, they can still incur significant harm if they disregard speed limits. The same can be said about technology and children’s online safety. Parents can adopt many technological safety features at the network, device, and application levels to help keep their children safe online.

Network Level: Parents can control content that flows across their home network by implementing controls on their router. Many internet service providers provide simple solutions to identify what’s being accessed on your network, which devices are currently using it, and how long a device has been connected.

Device Level: Apple and Android devices offer robust parental controls including explicit content prevention and restrictions for app downloads, use time, web search, and privacy.

Application Level: Parents can research apps with robust parental control features and set them to their liking. They can also download an app to monitor their children’s devices.

Consider new solutions

In December 2023, the Federal Trade Commission (FTC) announced it was exploring rulemaking for the Children’s Online Privacy Protection Act (COPPA). Last amended over a decade ago, COPPA struggles to keep up with today’s technological advancement. The FTC seeks public comments on strengthening the protection of personal information collected from children—including enhanced data security requirements—and will consider arguments regarding a prescriptive versus non-prescriptive data security law. The FTC also seeks comments on the data security practices of third-party education technology companies, which contract with local schools and collect a large amount of children’s data. This rulemaking process could be an opportunity to establish rules that enhance data security, such as E2EE, to protect children’s personal data.

There is an urgent need in the United States to address CSAM. Law enforcement agencies around the country are understaffed and underfunded when it comes to investigating CSAM and other online crimes that affect children. Supporting legislation focused on training and funding law enforcement agencies like regional Hi-Tech Crimes and Internet Crimes Against Children task forces should be a priority for lawmakers. However, it is important to create sound policy decisions that avoid negative consequences like deteriorating data security. Instead, lawmakers should embrace existing technology solutions and encourage future innovation to ensure the privacy and security of our data.