It feels like an eternity since I wrote about the Crime and Policing Bill for Mu. In that article, I warned of many new threats on the horizon for those who must live in - or interact with - the UK. That bill has now passed and will soon come into force. In this article, I will focus on just one of the horrifying new proposals, as I did with the ban on 'looks young' porn. Today, we're going to take a look at mandatory device scanning at the UK border.

How the border scans will work

The new law allows customs officers to mandate access to any electronic device in order to perform a scan for criminalized images of minors. This scan will use a tool to search for hashes that match images and videos on a massive database of criminalized content.

At the time the bill was introduced, the UK government stated:

In recent years, the Home Office has developed the Child Abuse Image Database (“CAID”) – a repository of all known CSAM detected during UK Police investigations. The CAID now holds millions of unique files. In parallel to the CAID, the capability now exists to undertake a rapid scan of a digital device to determine whether known material is held within its memory. Accordingly, it is possible to scan a digital device (such as a phone) for CAID material. As a scan is not a download, it will take approximately 15 seconds to identify whether CAID material is or is not present. This capability has now been operationalised at the UK Border, with trials generating significant intelligence around individuals representing a sexual risk to children – leading to investigation and arrests.

And additionally:

The reasonable grounds threshold may be met as a result of identifying paraphernalia associated with the commission of sexual offences against children during baggage inspection (for example, lubricants, condoms, children’s toys and underwear) of an individual travelling to or returning from a known high-risk location. If the individual refuses, then the existing offence of ‘obstruction of an officer of Revenue and Customs’ under section 31 of the Commissioners for Revenue and Customs Act 2005 would be triggered – which would enable the arrest of the individual and seizure of the device, thereby creating a double-lock.

The database

With reportedly millions of files in the database, it's hard to envisage a scenario in which there aren't any files which shouldn't be there. Indeed, with officers frequently going through enormous collections of criminalized images, it's inevitable that many lawful images will get scooped up and added to the database in the process. This might well include National Geographic type images of naked children, the likes of which anyone might stumble upon. In fact, such images can ultimately meet the definition of an 'indecent image' under the UK's astonishingly vague laws, and may be de facto treated as such when found among a vast collection rather than in isolation and with context.

Furthermore, when the Crime and Policing Bill comes into force, and 'looks young' porn becomes child porn by definition, one can expect a very large collection of adult pornography to find its way there. If you're thinking "they wouldn't put that on the database", remember that there will be zero legal difference between a 5 year-old and a 20 year-old dressed like a schoolgirl.

It's also worth remembering that erotic cartoon images which have the appearance of someone under the age of 18 are criminalized in the UK, so one can presume they will be on the database as well.

Reasonable grounds

The 'reasonable grounds' offered up by the government are wildly open to interpretation. Is a person returning from Thailand with a box of condoms a suspect? Perhaps if he has a creepy smile and a receding hairline? Given the UK's propensity for government overreach, one suspects that the net will be cast far and wide.

Everyone is at risk

Bearing in mind how images are collected and uploaded to the database, with incredibly blurry boundaries around age and content, it is reasonable to assume that many people who are not even looking for child erotica will have content in their browser cache that triggers a hit. This could be from browsing young adult porn on sites like PornHub or OnlyFans, having come across a photo of a naked kid on one's Facebook or Instagram feed, and so on. And while a case involving a random photo showing up in a feed would likely be dropped if the phone were searched and the person didn't seem to be intentionally collecting such images, the person would still have been arrested for "making indecent images of children" and had their life more or less ruined in the process.

For MAPs, the risk is even greater, regardless of intent to view criminalized images. There are many sites that offer legal images of children in underwear or swimwear, and some of those photos may be on the database depending on the discretion and laziness of prior investigators, having been found adjacent to illegal images during investigations. Again, such cases would perhaps not be enough to secure a conviction, but quite sufficient for ruining one's life.

Dealing with the system

The obvious response to this terrifying new law is to just not visit the UK. It would be a waste of time and money anyway, with bad food, bad weather, and high prices. Charming villages, vibrant capitals, and good soccer matches can found in other countries, ones which won't gouge you on prices or label you a child sex offender as an oopsie. If traveling to the UK is an absolute must, take a wiped or disposable phone.

Alas, there are those unfortunate enough to live in the UK. Given their government's extreme overreach, the criminalization of virtually everything other than sex in an approved position, and the very regular seizure of devices for almost any crime, they should ensure that their devices are as secure as possible. This would mean using full disk encryption at a minimum for devices that stay at home. Furthermore, they should not use their phone for watching erotica even if they believe it's entirely legal; such devices are inherently insecure, and much more likely to be taken across a border without much thought.

For anyone taking a device across the UK border, full disk encryption would not be enough. Unlike RIPA, which allows police to demand decryption after they have gone through a specific and time-consuming legal process, the new border scanning law gives customs officers the right to demand decryption on a whim. Consequences for refusal are likely to be arrest, seizure of the device, and a suspended sentence. Crucially, however, such a refusal does not constitute a child sex offense, which is something to ponder when deciding whether or not to comply.

Going over their heads

One way of beating the gestapo is to simply confuse them. Customs officers will be using a tool that they plug in, which quickly scans for hashes of criminalized images, without performing a forensic scan of the device. They will likely ask a target to unlock their phone or enter the login password for their PC, at which point the intended victim has complied.

One thing they would be very unlikely to stumble across is an encrypted container that is not located in an obvious place. You can create such containers free of charge on your device using Veracrypt. The container is mounted virtually but functions just like an external hard drive, allowing you to run any program or store any kind of data. Even better, a hidden container can be created inside a regular encrypted container, and would not be apparent even if the regular encrypted container were somehow found. Cool, huh? Just be sure to read the instructions carefully, because using a security tool without proper understanding can lead to a false sense of security.

Conclusion

With seemingly everyone at risk from the new law, the best way to avoid this drama is by never taking a device across the UK border, preferably not even traveling to the country unless you absolutely have to do so. But if you really must, leave devices at home should they not have first been wiped, even if you believe you've never accessed an illegal image.