In late 2011 the European Union adopted a Directive on child abuse, child sexual exploitation and child pornography. This constitutes a new, uniform law which applies to and sets minimum standards in all 27 Member States.
Article 25 of the Directive makes it mandatory for every EU Member State to establish and maintain processes which will enable them to secure the deletion of child abuse images hosted on web servers which are physically located within their jurisdiction. All bar one, arguably all bar two Member States already have such machinery in place. Everybody will have to have it by the end of 2013.
Where images are hosted on machines which are outside their own jurisdiction Member States are expected to “endeavour” to secure their removal at source. In addition, with appropriate safeguards, the Directive also creates a discretionary power allowing Member States to require images hosted outside their jurisdiction to be blocked pending their deletion. Typically it would be Internet Service Providers (ISPs) and other access providers that would be expected to do the blocking.
Article 28 of the Directive creates a specific obligation requiring the Commission of the European Union to report to the European Parliament and the Council of Ministers on how Member States have implemented Article 25.
Apparently the expectation in Brussels at the moment is that the Commission will collate information on implementation provided to it by the Member States and simply pass it on to Parliament and the Council. However, I think it is likely the Commission will end up having to do much more than that. I say this not least because the Commission itself is a major player in the space through its support for internet hotlines and through its support for INHOPE, the association of hotlines.
Hotlines are a key part of the process
For many years hotlines have been a major part of the processes and systems for securing the removal of child abuse images from the internet. With a single exception the Commission part funds all the operational hotlines within the EU.
In many instances without the EU’s initial funding the hotlines would never have got off the ground. In varying degrees hotlines have continued to rely on the availability of EU funding to keep them afloat. There is therefore no avoiding the Commission’s (at least partial) responsibility for the current state of play with hotlines and with INHOPE. To be completely clear, by that I mean the Commission is not just responsible for the existence of the hotlines and INHOPE it is also responsible at some level for what they do, and what they don’t do.
Birds of a feather have not flocked together
It has not all been plain sailing. The EU funded hotlines are a heterogeneous collection of organizations with a wide variety of governance structures, working practices and orientations. By and large the differences between the hotlines reflect the interests or primary concerns of the organizations which first came together in each country to create them.
Most countries have only one hotline. Germany has three, Italy has two. Some of the EU-funded hotlines deal exclusively with child abuse images. Others embrace a wider remit. One or two hotlines are substantial undertakings performing a great deal of what elsewhere is considered to be police work. However, more than one national hotline appears to be so circumscribed by local laws they are little more than post boxes whose only function in relation to the reports they receive, literally, is to pass them on to the police. They cannot even look at the content to determine whether or not what has been sent to them is a genuine item, a spoof or a mistake.
There are other important differences between EU-funded hotlines in INHOPE. While INHOPE maintains a database of the web addresses reported to it by member hotlines it cannot properly be described as being an EU-wide database because not all hotlines enter data into it. Again it would appear that this is down to legal restrictions which apply within a number of countries.
One or more hotlines tend to think of themselves as having a primary or overriding duty to protect free speech and whilst no one would suggest anything should ever be done to abridge anyone’s free speech rights, the focus which this mind set implies is somewhat at odds with the hotline’s principal purpose which is as a child protection agency performing a child protection function. And if it isn’t, it should be.
Finally, some hotlines are seen as being almost indistinguishable from or too close to elements within the internet industry. As a result there is considerable doubt about their ability to take a view which is always or only in the public interest or children’s interests.
Time for a change
The Commission started funding hotlines in the mid to late 1990s when the world and the technology were very different. In 1999 the funding was taken up and included in the Safer Internet Programme. The policy on funding hotlines has not fundamentally changed since. Following the merger of hotlines into national Safer Internet Centres I have found it difficult to ascertain precisely how much money has been spent by the Commission in this area but over the years it must run to many millions of Euros.
Hotlines first appeared because few police forces and fewer Governments then had the knowledge or the wherewithal to deal with online child abuse images. As ever, necessity is the mother of invention. Hotlines emerged as a pragmatic response. To begin with they were edgy and experimental. In other words they were exactly the sort of initiatives the Safer Internet Programme could and should support.
However, it now seems that as time went by and as the hotline concept was proven so it also started to ossify. The Commission’s funding began to be taken for granted. A comfortable assumption grew that, other than in extreme circumstances, the Commission would never dare to turn off a hotline once it was up and running. The money and the support would be there in perpetuity. To several national Governments hotlines were seen as a “free gift”, funded by the European Union and other actors. Perhaps because the hotlines came at no direct cost to the nation’s coffers many sensed that some Governments were not engaging with them to the extent that they should.
The Safer Internet Programme is coming to an end
Nothing stands still forever. The Safer Internet Programme is now coming to an end. It will be replaced in 2014 by the wider “Connecting Europe” initiative. This means, if it has not already done so, it is probably inevitable that the Commission will have to review its policy in relation to hotlines and INHOPE.
Even if the Commission were minded to carry over the status quo into the “Connecting Europe” programme, in my view the adoption of the new Directive on child abuse, child sexual exploitation and child pornography makes that impossible. The Directive changes everything. Things cannot carry on as before.
I am not suggesting the Commission needs to develop a single model for every hotline then become a Stalinist centraliser, riding roughshod over proper concerns about subsidiarity, refusing to fund organizations in Member States solely because they disagree with the Commission’s current policies. What I am saying, though, is that in light of the provisions of the new Directive the Commission will need to ensure it is doing nothing in any Member State which will make it more difficult for that country to deliver what the Directive requires. If hotlines are to remain part of how the Directive is to be implemented, and I think they must, each country should have at least one hotline within its borders that works with the EU-wide grain, not against it. The Commission can fund as many other groups as it likes, I suppose, but someone somewhere has to take care of business.
Moreover if it really is the case that any EU jurisdictions have local laws which prevent their hotlines from engaging in activities which would help the EU-wide or global fight against illegal images, the Commission, Europol, INTERPOL, whoever, should go in to bat very vigorously to get those laws changed or find a work around.
A review of the kind I am suggesting is needed is bound or ought to prompt other questions. For example, do we have to have in each Member State a fully blown hotline with identical and perhaps extensive resources? I doubt it but any review should be given permission to consider all options.
Is the overwhelming focus on the web and “Notice and Take Down” still as important as it was? Should hotlines be doing more to help law enforcement with Peer2Peer networks and other technologies? Are we confident we are picking up addresses which are visible in Europe but maybe are not getting reported to INHOPE hotlines because the primary language used on the site or service is not a majority language in any country where INHOPE-affiliated hotlines operate?
It is acknowledged and wholly accepted that in every jurisdiction there must be a distinct reporting mechanism and a person or persons on the ground whose function is to liaise with the local police, internet industry and child protection agencies. But what about all the back office functions that hotlines perform? Must they be replicated up to 27 times? Could there be one focal point to which each country feeds their data? Could we get to a position where a single set of skilled, practised analysts could examine, confirm and classify reports before passing back their conclusions to the country the report came from to be acted on? Could the INHOPE Secretariat be reconstituted to be that focal point? Perhaps.
The future of INHOPE
As anyone who has read my CV will know I have had a long association with INHOPE. Stemming from this I fully accept that any review that might happen is bound to reflect on its wider role.
INHOPE was established as a membership association of independent organizations, again at a time when the internet was very different. INHOPE appears to play a useful role in establishing and policing professional standards among hotlines, particularly new hotlines. That function ought to be maintained in some guise or other in whatever outcomes arise from the review being suggested.
However, the big problem with INHOPE is that, because of its origins as a membership association, it has always proceeded on the basis of needing a consensus before it can change anything of importance in terms of how it operates. Given the heterogeneity referred to earlier this has inevitably meant that INHOPE has a tendency to become frozen in time, or at best it moves forward exceptionally slowly. In the context of the speed at which the internet itself can change, and given the subject matter, this is utterly inappropriate, completely unacceptable.
There is a strong suspicion that some of the disparate forces within INHOPE, some of the hotlines, will never see any advantage to their own organizations in changing anything. Alternatively, whatever individuals’ personal views might be, they feel the laws of their country prohibit them from so doing.
The never ending saga of the INHOPE database
This predisposition to inaction has not been without consequences. For more years than I care to remember major elements of the internet industry have been calling for INHOPE to provide them with a consolidated list of all known web addresses where child abuse images can be found. As we have seen, at the moment certain hotlines do not contribute to the database but, allowing for that, the INHOPE database still ought to be the largest of its kind in the world.
Internet companies want to get their hands on such a list and deploy it on their systems so as to block customers’ access to the illegal materials available at the addresses on it. The list has never materialised. A small but vocal minority of INHOPE’s members do not agree with blocking. This has effectively stymied the initiative.
The INHOPE database exists but is only available to INHOPE members, the people who fill it in, and even then only in a segmented and partial way. No INHOPE member is allowed to see the entire list, although obviously the Secretariat can. Thus the INHOPE list does nothing to help companies block access to illegal materials. INHOPE’s glacial decision-making and constitutional processes have therefore most definitely impacted adversely on child protection interests.
Moreover because such data as there is in the INHOPE database has never been published it has therefore never been independently scrutinized, no one can take a view on the relative efficiency of different hotlines or compare national approaches. Rumours abound. Facts are scarce. Accountability zero. As a result the added value of the database, even its purpose, remains obscure, whereas the potential value is enormous.
We ought to know, for example, how many reports of child abuse images are being received by every EU-funded hotline. How many of those are duplicates of reports already received or dealt with? We should be told how long it takes for the hotline to complete its processes, from receipt through analysis and confirmation or rejection and how long it takes for the hotline to pass on the report to the next stage of the process. We ought to know how much time elapses between a report being passed on by a hotline and the image being removed or blocked. And if there was any reason why this information should not be made public, for fear that it might tip off a criminal, some other scrutiny or accountability mechanism should be found so we can all be reassured that everything is as it should be.
It would be great to know what good came of all this activity. How did law enforcement use the information that had been so painstakingly collected? How many arrests were made? Most importantly, how many children were identified and rescued from the dreadful position they must have been in at some point for the pictures to have been made.
Last summer INHOPE’s operations were discussed at the High-Level Meeting between the US and EU. It was agreed that INHOPE’s database could perform a singular and valuable service globally in the fight against online child abuse images but it was also acknowledged that it was doing nothing of the kind and never had.
The police are denied access
Which takes us to another example which again reflects poorly on INHOPE. For five years the leadership of INHOPE has tried to get a Memorandum of Understanding signed that would allow INTERPOL to have access to data. Such access continues to be denied. Even if there was an argument about not publishing information to the world at large, what possible justification could there be for denying the police?
The Commission needs to step up
The widespread perception is that the Commission is fully aware of all of these matters, of all these shortcomings or limitations in the current operations of individual hotlines and INHOPE. They have been for years but are anxious that if the Commission is seen to threaten the continued funding or operation of INHOPE or any single hotline, national Governments and other political interests will mobilise to protest. The pressure might be too great so somewhere it was decided to avoid it by not disturbing the status quo. This chimes with my earlier reference to people in hotlines believing the Commission would never dare turn them off once they got started.
I guess we will never know the truth behind this sort of speculation. However, I now think it is irrelevant. We are in a completely new place. The review I think is needed is rooted in the new reality, the new dynamic created by the Directive. Commissioner Kroes has asked the internet industry to up its game on child safety, and she has specified very tight time scales. The long-running story of INHOPE and the hotlines is completely at variance with such exhortations. Physician heal thyself.
What do we need now?
It makes no sense to start the review by looking at INHOPE, as such, or by trying to look at how each individual hotline operates and relates to INHOPE. That may well be necessary at some stage but essentially how we got here is much less important than what we do now. The starting point has to be what is implied or required by the new Directive and in particular by the reporting requirements it has created.
In April of this year there will be a sea change in the leadership of INHOPE as several key members stand down from its Board and a new team takes over. I can see there might therefore be a temptation on the part of the Commission to leave things to see how the new team handles the situation. I think that would be an evasion of duty. The new INHOPE Board may or may not want to take forward a progressive agenda. But even if they did they will still come up against the cold reality of the current constitutional arrangements and entrenched positions. “Wait and see” could condemn INHOPE to two years or more of frustrating inefficiency, inaction and more bickering. And of course this would do nothing to address the issues arising from the significant differences in the governance and modi operandi of the hotlines.
The Commission needs to step up and resolve this now. Or at the very least the Commission should make an early public statement about its intentions in relation to hotlines and INHOPE post-2014.
Whispered conversations and veiled threats won’t wash. Whether or not we are involved with INHOPE or a hotline everyone in the child protection community and the internet industry has a stake in this so we all have a right to know what is going on. Moreover, as 2014 approaches, it will be difficult for anyone to make timely counter proposals if they do not have reliable information about what is happening in the here and now.