{"id":16341,"date":"2026-06-10T04:21:06","date_gmt":"2026-06-10T04:21:06","guid":{"rendered":"https:\/\/newestek.com\/?p=16341"},"modified":"2026-06-10T04:21:06","modified_gmt":"2026-06-10T04:21:06","slug":"uk-move-to-filter-photos-and-messages-triggers-encryption-worries-for-cisos","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16341","title":{"rendered":"UK move to filter photos and messages triggers encryption worries for CISOs"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>UK Prime Minister Keir Starmer\u2019s speech on Monday insisting that tech companies create device controls to somehow block children from viewing or creating sexually explicit imagery has raised alarms among CISOs, who worry that the same technology could undermine enterprise security. Starmer <a href=\"https:\/\/www.bbc.com\/news\/articles\/cly752ydjw6o\" target=\"_blank\" rel=\"noreferrer noopener\">gave tech firms three months to create and implement <\/a>such restrictions voluntarily, at which point he said he would push for legislation to make it mandatory.<\/p>\n<p>Behind the technical and logistical hurdles for tech firms to clear, such as how a device would determine that an image was inappropriate, and how it could reliably determine the subject\u2019s age, is the issue of whether this process would interfere with encryption protections for enterprises worldwide. And that comes down to whether the required data analysis happens on the device or in the cloud.\u00a0<\/p>\n<p>Starmer did not go into a lot of detail, preferring to let technology companies craft their own plans, but in this case the details matter. 
Analysts and consultants said that there has been a push for everything to happen on-device, which would avoid any encryption problems; if the inspected data never leaves the device, the encryption protection would stay intact.<\/p>\n<p>But this plan for the process to stay on the device seems highly unlikely for multiple reasons. The first problem is device capabilities and hardware age. Although Apple and Google engineers would be working with the latest devices, much of the UK population is using much older and less capable hardware, analysts said.\u00a0<\/p>\n<p>Although a 2-, 3- or 4-year-old phone might still be able to handle the additional load, it would likely suffer a dramatic slowdown sufficient to make users decidedly unhappy. That would mean that even if the execution of the data analysis began on the device, it would likely have to be shifted to the cloud for performance reasons. And once it moved into the cloud, the encrypted data problem begins.\u00a0<\/p>\n<p>Trying to do this scanning on-device in the UK would fail, said <a href=\"https:\/\/www.linkedin.com\/in\/fvillanustre\/\" target=\"_blank\" rel=\"noreferrer noopener\">Flavio Villanustre<\/a>, CISO for the LexisNexis Risk Solutions Group. \u201cIt will make unusable the majority of devices used in the UK today. It just can\u2019t work on-device.\u201d<\/p>\n<p>However, Villanustre observed that on-device analysis for this kind of effort, which would need to scan <em>everything <\/em>that gets downloaded to the phone in search of prohibited images, might be viable in a few years, once the typical device becomes much more powerful. 
But not today.<\/p>\n<h2 class=\"wp-block-heading\" id=\"creates-new-risks\">Creates new risks<\/h2>\n<p>Leading secure messaging app provider Signal also issued a strong statement opposing Starmer\u2019s proposal.<\/p>\n<p>\u201cThe UK government\u02bcs demand that all content on all devices sold or used in the UK be scanned on the presumption of nudity, using a dystopian combination of age verification and content scanning, will not safeguard children. It endangers us all, whilst strengthening Apple, Google and Microsoft\u2019s market dominance and their control over our most personal information,\u201d <a href=\"https:\/\/signal.org\/blog\/pdfs\/2026-06-08-uk-surveillance-is-not-safety.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Signal said<\/a>.\u00a0 \u201cOnce created, [the program] will be expanded, forming a dangerous tool that will be wielded both in the UK and abroad to censor and surveil whatever they might consider \u2018threats\u2019 or \u2018harmful content.\u2019\u201d<\/p>\n<p>Signal has <a href=\"https:\/\/www.computerworld.com\/article\/3833959\/signal-will-exit-sweden-rather-than-dilute-message-security.html\" target=\"_blank\">aggressively fought against such programs before<\/a>. 
Similar privacy campaigns have also been launched <a href=\"https:\/\/www.csoonline.com\/article\/4097728\/eu-chat-control-proposals-should-be-red-flag-to-businesses-everywhere.html\" target=\"_blank\">in other parts of Europe<\/a>.\u00a0<\/p>\n<p>The long-held fear is that moving encrypted data to the cloud, regardless of whether it remains encrypted or is converted to clear text, creates opportunities for attackers to access the sensitive data.<\/p>\n<p>\u201cThe mechanism that flags and reports a match to external authorities creates a new, built-in exfiltration path,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/jeffvaldes\/\" target=\"_blank\" rel=\"noreferrer noopener\">Jeff Valdes<\/a>, a director at consulting firm Acceligence.<\/p>\n<h2 class=\"wp-block-heading\" id=\"could-do-more-harm-than-good\">Could do more harm than good<\/h2>\n<p><a href=\"https:\/\/greyhoundresearch.com\/svg\/\" target=\"_blank\" rel=\"noreferrer noopener\">Sanchit Vir Gogia<\/a>, chief analyst at Greyhound Research, argued that the UK proposal is likely to do far more damage than good. He pointed to the short three-month timeframe as evidence of a lack of good faith.<\/p>\n<p>\u201cLegislation of this complexity cannot be drafted in a quarter. The deadline is a pressure instrument, not a delivery schedule. Child safety is the destination. Device-wide inspection is the wrong vehicle,\u201d Gogia said. \u201cApple and Google already run on-device nudity detection in bounded contexts, and it works: a child can be warned, an image blurred, a sharing attempt interrupted.\u201d<\/p>\n<p>Gogia pointed to another logistical problem, which is that some devices such as tablets are often shared between family members, which makes reliable age determinations all but impossible.\u00a0<\/p>\n<p>\u201cThe deeper flaw is that the policy assumes a stable mapping between device, person, and age, and that mapping does not exist in real households,\u201d Gogia said. 
\u201cA device cannot know its holder has changed. The only architecture that survives this is default-child with recurring adult verification, which is surveillance arriving through the back door of household economics.\u201d<\/p>\n<p>In addition, he noted, \u201cChildren disproportionately inherit the old, out-of-support handsets the mandate cannot reach. Forcing churn manufactures electronic waste and punishes the families least able to buy new.\u201d <\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/carmi\/\" target=\"_blank\" rel=\"noreferrer noopener\">Carmi Levy<\/a>, an independent technology analyst, agreed that the computing overhead alone for such an effort could make this a deal-killer.\u00a0<\/p>\n<p>\u201cThe compute requirements, particularly in light of the need to execute this kind of filtering in real time, would be immense. It is futile to assume this capability can ever be rolled out at scale without running into massive concerns on several fronts,\u201d Levy said. \u201cSimply deciding how to tune the filters is an almost impossible task. Although the overall definition of nudity, namely not wearing clothing, is generally agreed upon, the line where it becomes inappropriate for minors is neither static nor universally established. 
So it\u2019s wildly optimistic to assume that a single threshold would be workable at the scale proposed by Prime Minister Starmer.\u201d<\/p>\n<p><a href=\"https:\/\/acceligence.com\/talent\/profiles\/nidhi-luthra\/\" target=\"_blank\" rel=\"noreferrer noopener\">Nidhi Luthra<\/a>, a director at Acceligence, added that the logistical and technological roadblocks are also a big problem.\u00a0<\/p>\n<p>\u201cTechnically, parts of this can work,\u201d she said, but vendors would have to deal with age verifications, drifts in the models and false positives, and there is also the \u201clack of contextual information that truly would have let this work.\u201d\u00a0<\/p>\n<h2 class=\"wp-block-heading\" id=\"puts-cisos-in-an-impossible-bind\">Puts CISOs in \u2018an impossible bind\u2019<\/h2>\n<p>The UK proposal also puts enterprise CISOs and IT directors who need to protect sensitive data in an impossible bind, Gogia said.\u00a0<\/p>\n<p>They \u201ccan govern device management and conditional access. What they cannot govern is a mandatory inspection capability that updates according to political appetite rather than enterprise risk appetite,\u201d he pointed out. \u201cThe proposal does not automatically create a breach inside Signal, WhatsApp, or Teams, but it creates the conditions for a new class of breach around them. The weakness need not live in the messaging protocol. 
It can live in the mandated inspection layer, the classifier update mechanism, the age-assurance workflow, or the logs that enforcement inevitably generates.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"regime-change-could-lead-to-abuse\">Regime change could lead to abuse<\/h2>\n<p>Another common concern is that governments change hands, so limited capabilities granted today to one government might be used very differently by a future government.\u00a0<\/p>\n<p><a href=\"https:\/\/www.infotech.com\/profiles\/brian-jackson\" target=\"_blank\" rel=\"noreferrer noopener\">Brian Jackson<\/a>, principal research director at Info-Tech Research Group, noted, \u201cthe current government may only use it to detect nudes, but what is to stop a future authoritarian government from using it to detect unfavorable political commentary? Creating a back door means there is potential for third parties \u2014 hackers \u2014 to exploit that back door to gain access to the user\u2019s communications. This is exactly what encryption and on-device security measures are supposed to prevent.\u201d<\/p>\n<p>He added, \u201cApple\u2019s Communication Safety feature, Google\u2019s Family Link, and a range of parental control tools already use on-device AI to detect and restrict explicit imagery on children\u2019s devices. The government is not filling a gap the market failed to address. It is proposing to transfer control of an existing capability from the device owner to the state. Parents can deploy this protection right now, on their terms. That is where the decision should sit.\u201d<\/p>\n<p><a href=\"https:\/\/my.idc.com\/getdoc.jsp?containerId=PRF005059\" target=\"_blank\" rel=\"noreferrer noopener\">Ryan O\u2019Leary<\/a>, research director for privacy and legal technology at IDC, said the current proposal only involves the UK, and there\u2019s no way to determine whether other governments will try something similar. 
He noted that the EU\u2019s GDPR was widely expected to go global when it launched in 2016, but in ten years, it hasn\u2019t.<\/p>\n<p>O\u2019Leary said that if this proposal is enacted in the UK, he would advise IT and cybersecurity executives to be extra cautious when sending team members to the region.\u00a0<\/p>\n<p>\u201cIt would essentially be \u2018China rules\u2019\u201d such as air gapping systems and traveling with disposable data-limited burner phones, O\u2019Leary said. \u201cIt\u2019s an exceptionally big deal if it goes through,\u201d but, he added, the chance of it happening is very low. \u201cIt seems like the technology companies will call his bluff.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>UK Prime Minister Keir Starmer\u2019s speech on Monday insisting that tech companies create device controls to somehow block children from viewing or creating sexually explicit imagery has raised alarms among CISOs, who worry that the same technology could undermine enterprise security. 
Starmer gave tech firms three months to create and implement such restrictions voluntarily, at which point he said he would push for legislation to&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=16341\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16341","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16341","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16341"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16341\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16341"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16341"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16341"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}