Something could be done now?

If you click here you will see a copy of a letter I sent today to Information Commissioner, Elizabeth Denham CBE, the UK’s chief privacy enforcement official.

In the letter I suggest the fact that the Government called a halt to the implementation of Part 3 of the Digital Economy Act 2017 (DEA) appears to have convinced porn companies they can carry on as before for at least another year. Other businesses that engage in the provision of sites, apps or services intended only for adults seem to think they too have been awarded an extended, child-harming holiday.

All of them are mistaken, at least in principle.

My letter is designed to see how far this principle might be able to propel the Commissioner to act to make the internet safer for children sooner.

What was Part 3 about?

There are two fundamental points about Part 3 of the DEA.

First, it only applies to commercial pornography sites. As already mentioned, there are several other types of adult sites, apps and services which can put children at risk. For them Part 3 is substantially if not wholly irrelevant.

Secondly, reverting to commercial pornography sites, let us recall Part 3’s quite specific purpose. It was intended to create a regulator with powers which would allow it to influence the behaviour of businesses ordinarily outside the reach of UK courts. All the porn sites that matter are based overseas. They have no significant asset base in the UK.

The regulator would be able to bring such sites to heel by attacking their income streams. Ultimately, if necessary, the sites themselves could be blocked.

There has to be another Bill

The DEA said the regulator would be the BBFC. Now it looks like it will be Ofcom but that is contingent upon the Government bringing a Bill to Parliament.

The Government said they will bring a Bill at or around the time they publish their final response to the Online Harms White Paper. We still have no idea exactly when that will be. Covid and Brexit are set to dominate British politics for ages. However, even if the Bill appears, as promised, “sometime this year”, it likely will not pass until next year. Then the processes of getting a new regime established will begin.

Things could be “speeded up” by the wholesale copying of the BBFC’s work but, assuming the Government remains true to its word, there will be the new powers to integrate vis-a-vis social media platforms. Then there’s privacy. It seems likely there will be changes there as well. Either way we could be looking at 2023 or beyond.

That is completely unacceptable, but some people who were focused solely on porn said they weren’t so bothered because, once the excellent Age Appropriate Design Code kicks in, the Information Commissioner can go after the sites. A regrettable delay but not a huge one. We can live with it. No.

The Code is not about adult sites, apps or services

The problem is the Code, brilliant and necessary though it is, actually is not concerned with adult sites, apps and services. It follows that if the Commissioner can do anything, it has to be rooted in the basic law. And if that is the case we do not need to wait until the Code comes into force. The child-harming holiday is cancelled.

Still need Part 3 DEA powers but in the meantime

Obviously, the Commissioner does not have at her disposal the same powers that were going to be given to the BBFC. But if, whether in a letter or as the outcome of a formal investigation, Elizabeth Denham were to make clear that certain sites or classes of apps, sites or services operating without robust measures to restrict children’s access were operating unlawfully, or were likely to be, it may have some beneficial impact. It might shame the owners into acting earlier or cause other businesses on whom they depend to withdraw their services or support.

We can but hope.

PS If you read the letter all the way to the end note the point about perilous and deceptive marketing.

Posted in Advertising, Age verification, E-commerce, Pornography, Regulation, Self-regulation

A child’s legal right to porn? I don’t think so.

Pornhub is not an aid, comforter or reliable source of advice, guidance, support or information for children who are anxious or inquisitive about sex, their own sexuality, or relationships. Neither is any other porn site I know about.

The fact that some children may say they go to sites like Pornhub because they are anxious or curious about sex, their own sexuality and relationships, or are looking for support or guidance in relation to such matters, is simply a terrible indictment of the poverty of 21st Century societies’ approach hitherto. It does not give Pornhub a tick.

Delegating your child’s sex education to Pornhub. Bad idea.

There has probably never been a time when it was exactly easy for parents or schools to find the right way to help children and young people through that part of their lives when sex, their own sexuality and relationships loom so very large in their developing consciousness and self-awareness.

There has long been a tendency, at least for parents, to dodge the “difficult conversation” or, consciously or otherwise, to delegate it to “someone else”.

The problem is today the “someone else” is often a ubiquitous, money-making business with so few scruples that, despite acknowledging none of their materials are suitable or meant for children, they do nothing to prevent children accessing them. Even though they could. Pornhub is the 800lb gorilla in the room (with apologies to the many gorillas who may be reading this).

The internet has changed everything. Dramatically.

Porn ain’t what it used to be

One of the world’s leading commentators in this field, Gail Dines, said she almost (note, “almost”) felt nostalgic for the porn of the early 1980s and before.

“There has always been porn but there has never before been a porn industry such as that which the internet has created.”

Gail points out the porn today’s parents and grandparents saw when they were younger is likely to be a million miles away from Pornhub’s everyday offerings both in terms of its nature, quantity, ease of access, which is constant, and cost, which is zero.

Like their parents and grandparents some of today’s children might say “porn has done me no harm” or “I can handle porn” or “porn helped me, it was useful”. These are not convincing reasons for continuing to accept the status quo.

Consequences may only become apparent later in life

Many of the problems associated with porn use, particularly excessive porn use, do not manifest themselves immediately. They may not do so until a person reaches their mid-20s or it could be later than that.

And by the way, in several studies substantial numbers of children said porn was either the most upsetting thing they had encountered online, or it was one of the most upsetting things. Alternatively they felt that while they, personally, were “ok with it”, they felt really strongly other, younger kids, shouldn’t be looking at it. “Just saying, for a friend”.

A parallel with smoking?

When I was a kid, in England the legal age at which you could smoke was 16. As I reached the magnificently mature age of 15 I could see no good reason to wait an extra year to do something that was so obviously enjoyable and cool. What did these idiotic oldies know about anything anyway? They had never even seen The Beatles live. Or The Rolling Stones. I had done both. Twice. I had a unique insight into the meaning of life. That proved it.

The pleasures of smoking were plainly wasted on the gerontocrats. They just needed to step aside. And this was at a time when lots of people claimed the harms associated with smoking were vastly exaggerated or non-existent. Twenty years later I realised what a terrible mistake I had made and after a lot of pain I quit.

The adult world is charged with doing stuff that is in children’s best interests, even when not all children see it that way.

Not a silver bullet but a big bullet nevertheless

Children do not have a legal right to access porn. Children have a legal right to good advice and access to a range of sound, inclusive and comprehensive information about and support in relation to sex and sexuality.

States have a legal obligation to provide that and it would probably be best provided in the context of a public health and education framework. However, an inescapable part of states’ obligations includes a duty, on the basis of the best available scientific advice, to restrict children’s access to stuff that harms them. Pornhub and the like harms kids.

When introducing age verification to restrict children’s access to porn it is essential we get right and respect both children’s and adults’ right to privacy. And we certainly should not see age verification as a silver bullet.

Yet it definitely is a bullet. I think a big bullet. It is a bullet aimed specifically at denying the Pornhubs of this world any role in determining the sexual socialization of the young.

Posted in Age verification, Internet governance, Pornography, Regulation, Self-regulation, Uncategorized

Problems with the GDPR

The EU recently undertook a review of the first two years of the operation of the GDPR. If you missed it you are not alone. The existence of the review was not well publicised. It will report soon but the focus was anyway too narrow. I hold out no great hopes of seeing any much needed improvements which will help children. However, CNIL (the French national data protection authority) is conducting its own review and here the terms of reference are much wider. I pass on these thoughts to them about the points in their questionnaire and other matters.

A neglected group

Children make up 1 in 3 of all internet users in the world. In some countries this rises to 1 in 2. In high income countries such as France and the UK the proportion hovers around 1 in 5. Thus, whichever way you look at it and whatever else you might believe or want the internet to be, unquestionably it is a medium for children and families. Too many people appear not to know or accept that.

Arguably children are the world’s largest single, identifiable constituency of internet users. Unarguably they are the world’s largest single group of vulnerable users. Yet time and again children appear to have been put in a box marked “too difficult” when it comes to data protection and privacy concerns. Children are constantly forgotten or overlooked, which is another way of saying “neglected”. In the whole of its life the Article 29 Working Party produced only one substantial report on children. That was in 2008 and principally it concerned schools’ handling of students’ data. Important but not exactly hitting up against the far edges of the techno-horizon being ushered in by the internet.

Like moths to a flame

The modern internet evolved largely as a set of services floating on a sea of data used to fuel targeted advertising. It was shaped and developed by techno-advertising companies presenting themselves as disruptive rebels. Creative spirits of a new age. Fabulously wealthy, cool and at first sight overwhelmingly benign.

Against this background it is hardly surprising lawyers were drawn to the new frontier along with the technical experts who support them. Either as employees or retained consultants, most of these lawyers and geeks consequently developed a sophisticated understanding of the immediate, cash-generating needs of their paymasters. They did not contemporaneously develop a comparable appreciation of the position of children as end users. There were no laws compelling businesses to do that so they didn’t, whereas there is always a compelling need to increase sales and stay ahead of the competition.

Platform immunity and no obligation even to try to confirm a user’s age pretty much guaranteed what happened next. Like moths to a flame, albeit for different reasons, gigantic numbers of children were also drawn to the “new cool”, places not meant for them, not understood by parents or teachers. Which made the whole thing even cooler.

A lack of expertise

Whatever you make of my reading of history, it is incontrovertibly the case that there have never been the same incentives or possibilities to develop a countervailing body of legal or technical knowledge, expertise or institutions which are readily and continuously accessible to impecunious children’s groups. The playing field remains massively tilted. Ad hoc pro bono assistance is welcome when and where it is available, but no way is it a substitute for solid, on-going professional engagement.

Recommendations

Expertise, research, guidance and clarification

  1. National Governments, the European Commission, the European Data Protection Board and national data protection authorities must strengthen their own expertise and understanding in relation to children as actors in the digital environment.
  2. Inter alia, this should be built upon a solid and substantial, publicly available evidence base regarding children’s use of digital devices, Apps and spaces. In the USA the FTC is being urged to engage in such a major evidence gathering exercise as part of a process which may lead to revisions to COPPA. Maybe there is some scope for Europeans and others to co-operate in that endeavour? As usual, any changes made to operating rules in the USA will have a global impact so this would be logical.
  3. Civil society organizations should be helped to improve their understanding of the position of children as data subjects.
  4. Ways should be found to ensure civil society organizations have access to professional expert technical and legal advice when pursuing privacy issues relating to children as actors in the digital environment. It should be made easier for class actions to be brought to settle disputes which are likely to affect significant numbers of children.
  5. Individual companies and industry-based regulators should be given detailed guidance in relation to what is expected of them. The UK’s Age Appropriate Design Code amplifies key provisions of the GDPR in ways which business can readily understand and act upon. The Australians have been considering moving in a similar way.
  6. There is persistent confusion about the nature and scope of what constitutes “sensitive” data, particularly in respect of inferred data which, almost by definition, cannot have been given with explicit, informed consent. In respect of children what are the rules governing how it might be processed and stored?

Correcting a major error

  1. In the original proposal for the GDPR, issued by the European Commission in 2012, there was no mention of ICANN or WHOIS. In none of the subsequent proceedings in the European Parliament, either in Committee or plenary session, neither at the Council nor during the Trialogue, was ICANN or WHOIS mentioned in any way whatsoever, directly or indirectly.
  2. This led to two different but quite specific difficulties which need to be urgently addressed. They have profound and wide ranging effects on children’s rights.
  3. The first concerns the ease with which WHOIS data might be accessed and by whom it can be accessed. Commercially driven forces within and around ICANN used the failure of the GDPR to address WHOIS to bring an end to practices which had existed since Day 1 of the internet. The cost, complexity and time it now takes to access WHOIS data mean levels of online crimes against children, and many other kinds of online crimes, continue unabated or they get worse. It is hard to believe this is what the European Institutions intended or anticipated. How could it have been when the issue was never discussed?
  4. Secondly, a distinct problem concerns the accuracy of data within WHOIS. Whatever the rules about access might say, if someone intent on distributing child sex abuse material via a web site knew their name, address and contact details had been accurately recorded by anyone anywhere on Earth, it is hard to believe they would still allow such a site, linked to their name, to be used for criminal purposes. Yet within WHOIS accurate data are the exception not the rule. ICANN has recently taken decisions which make it likely the levels of inaccuracy will increase not decrease.
  5. There are provisions within the GDPR which refer to the importance of maintaining accurate data in databases but these provisions are poorly enforced and the penalties are in no way a sufficient deterrent. The penalties for internet Registrars and Registries not verifying WHOIS data prior to selling, renewing or recording a domain name should be substantial and the penalties for persistent failure should be tough. As the body ostensibly with the power and initial authority to enforce WHOIS rules, ICANN should be drawn into the line of fire if they too persistently fail to ensure their own rules are fit for purpose and are honoured.
  6. ICANN should be placed under an explicit obligation to have regard to the way in which their systems facilitate unlawful behaviour or make the job of potential plaintiffs or law enforcement agencies more difficult and costly than it need be. Studied indifference towards the real world impact of their behaviour must become a thing of the past for ICANN.

Strong encryption

  1. The early drive towards more widespread use of encryption was hugely important. Should an organization’s defences fail and hackers get on to their servers the fact that all stored data are encrypted is a vital, last line of defence. Neither should it be possible for hackers to intercept data moving across a network. Vital communications between critical national infrastructure facilities, supply chains, online banking and other use cases remain obvious candidates for the deployment of strong encryption.
  2. However, we are approaching a point where encryption is being used at large in generic environments not as a defence against crime but as an enabler of or cover for it.
  3. Measures which have been developed to work at scale to defend children, for example PhotoDNA, are threatened with redundancy by the deployment of encryption. Look, for example, at what Facebook is threatening to do with Messenger and Instagram. However, Facebook is only in the limelight because it previously released data showing the level of criminal abuse of their service. There is no reason to suppose things are significantly different elsewhere.
  4. Moves towards encrypting even metadata will complicate the fight against online crimes against children yet further.
  5. The idea of the Rule of Law presupposes the possibility that the law can be implemented or enforced yet the way strong encryption is spreading threatens to create large spaces where courts in every country in the world will be rendered impotent. For all practical purposes their subpoenas and orders will be nullities.
  6. Careful consideration needs to be given to how this problem should be addressed.
  7. At the very least companies offering services which are used by children will need to explain why they have intentionally deprived themselves of the ability to protect children, both generally and specifically in relation to personal data.

A question of age

  1. The GDPR strongly suggests that where a service is provided for or is meant to be limited to groups or individuals defined by reference to their age, the service provider should take all reasonable and proportionate steps to ensure those provisions or limits mean something.
  2. This should be the case wherever an age limit is stipulated in a company’s Terms and Conditions of Service. Where age is also stipulated by law, penalties for breach should be higher than they would otherwise be.
  3. In Germany there appears to be a greater willingness to engage with and approve technical solutions to assist with determining a person’s age while at the same time remaining respectful of the individual’s privacy.
  4. Age is an obvious and important reference point, but what matters is whether or not children are actually using a service, irrespective of whether or not the service is intended for them.

—ooo—

Posted in Age verification, Child abuse images, Consent, Default settings, Internet governance, Privacy, Regulation, Self-regulation

President Trump gets it wrong

So it wasn’t an empty threat. President Trump did it. He signed an Executive Order which, in essence, seeks to change the law on platform immunity, as conferred by s.230, Communications Decency Act 1996.

It is doubtful the Executive Order will withstand a legal challenge. There is not only the obvious 1st Amendment point; the fact is Trump is trying to change the substantive law by fiat. Congress has to be involved in any alterations to substantive laws of this kind. By the time they got around to it, if they ever did, the Congressional and Presidential elections would be over and who knows where things will be? Not me.

I am not going to waste words on stating the obvious about the President of the United States. Let’s just say I am sure I will not be alone in finding the speed with which he moved on this topic was in such marked contrast to his lethargic approach on a broad range of issues concerning children’s rights and children’s safety on the internet that, well, words don’t fail me but what’s the point?

There is a great deal that is wrong with s.230. It does need amending but the crudely political and partisan way the President has engaged with the topic means in the weeks ahead there is going to be a great deal of sound and fury which will signify nothing much of consequence. The dust needs to settle before it is clear how, if at all, the children’s lobby can best intervene.

I have no problem with social media platforms maintaining their immunity providing they can demonstrate that, mindful of the available technology, they took all reasonable and proportionate steps to eliminate or reduce breaches of their terms and conditions of service, in particular in respect of behaviour harmful to children, and doubly so where that behaviour is anyway illegal.

On the question of responsibility for fact-checking and truthfulness, children’s groups do have a dog in that fight. We all want children to grow up aware of the importance of basing their judgements and actions on accurate information in respect of events or matters which impact on their own and other people’s lives.

Given the huge dominance of the internet as a source of information, perhaps particularly in the lives of young people, allowing or being indifferent towards algorithmic pulls towards sensationalised, distorted rubbish or downright lies cannot be a good starting point. Internet companies have built these systems which reach into all our lives. They cannot now turn their backs on what follows on from that.

How you solve this problem is not easy or obvious but I absolutely do not think it is acceptable for a company to argue that just because someone claims to be a politician they can say whatever they like on their platform. “All it needs for evil to triumph is for good people to do nothing” (Edmund Burke).

Posted in Facebook, Google, Internet governance, Privacy, Regulation, Self-regulation

Good but nowhere near good enough

Last Thursday Facebook made an announcement about its plans for Messenger. In truth the substance of the announcement concerned great stuff I thought they were already doing, at least on their main Facebook platform, so discovering they were now going to do the same on Messenger was a little underwhelming.

But first, if you click on the link to the announcement you will see it is headed

“Preventing Unwanted Contacts and Scams in Messenger”. 

So we’re clear, this is not about the content of messages in Messenger, at least not insofar as it relates to known illegal images of child sex abuse, the sort that have previously been picked up by PhotoDNA.

Then we see these important words

“As we move to end-to-end encryption, we are investing in privacy-preserving tools….. to keep people safe without accessing message content.”

This bears out two things: it ain’t about content, illegal or otherwise, and they are going ahead with it.

Their mind is made up. They know exactly what they are doing and why they are doing it. The only Damascene moment they are likely to experience will have been the result of legislative action or the threat of it in a jurisdiction which is important to their business.

Don’t get me wrong. As I suggested earlier, the measures they are proposing are welcome. However, even Alex Stamos, former Chief Security Officer for Facebook, could only bring himself to say it was a “good start”. Maybe he is as underwhelmed as I am.

Analysing metadata

The software tools Facebook say they will be deploying in Messenger will analyse metadata to pick out dodgy patterns. Once detected, an alert will be triggered on the end user’s screen and maybe there will also be an intervention by the company itself. But what these tools will not do is spot known illegal content being exchanged between users.

Facebook must find a way to convince us

Facebook must find a way to convince independent and respected experts that its move to encrypt Messenger has not worsened the lives of children who have suffered the tragedy of being sexually abused while a camera was trained on them. If Facebook cannot do that I really don’t know where it is going to leave the company’s reputation. And I don’t mean just with people like me.

Finally, be aware, dear readers, some of the members of the Silicon Valley chapter of the Sons of Anarchy are working on ways to encrypt metadata. Can you see where this is going? Can you see the next pressure point? When other messaging services announce they are encrypting users’ metadata, rendering it unreadable, how will Facebook react?

What this highlights, and reminds us, is that Facebook is really a victim of its previous policy of transparency and US laws on reporting. To that extent it is “unfair” to single them out or pick on them. There is a larger and wider issue to be faced about how modern societies tackle the emergence of strong encryption. And we need to be emphatic about that. It is a societal issue, not a technological one individuals or companies can decide for themselves.

If there has been a rise in the demand for encrypted services it has been caused by the previous bad behaviour of companies like, er, Facebook. Surveillance capitalism did not drop from the skies, but when it got here it was compounded by the bad behaviour of certain Governments, as Snowden reminds us. However, we cannot let the previous bad form of Governments and companies create an insoluble problem for the rest of us.

Posted in Child abuse images, E-commerce, Facebook, Privacy, Regulation, Self-regulation

Anonymity and privacy in the time of encryption

“What’s in a name?” is a recent publication from Demos (full disclosure: many moons ago I was a founding trustee of Demos but I haven’t had much contact with them of late).

The Demos authors did a great job describing the conceptual differences between privacy, anonymity and encryption. They also acknowledged the interconnectedness of these ideas. However, they then decided to press ahead with a discussion about anonymity without really engaging with that interconnectedness in any depth. That was a grave error.

It wasn’t the only problem. Here is a sentence from the summary that makes no sense.

“We examine two identity systems – those of the Government Digital Service’s ‘Verify’ program and Facebook.”

I went through the Verify process recently. Quite a palaver. It took several days although, to be fair, that could have been due to a lockdown-related surge in demand. Whatever the explanation, it was impressive and thorough.

You can create a phoney email address in seconds then proceed to open an account with Facebook. You could “borrow” someone’s mobile phone for a few minutes or use a burner and you’re in.

Back in 2013 Facebook acknowledged it was “powerless” to stop under age users from joining their platform. Data suggested more than a third of 9-12 year olds in the UK had a profile with them despite the specified minimum age being 13. Globally for the same demographic it was thought the proportion was around 25%.

In the intervening 7 years while Facebook has declined in popularity with that cohort another Facebook owned brand, Instagram, has taken over and the proportion of under 13s on it is thought to be higher. How can anything which allows that to happen be dignified by describing it as an “identity system”?

Facebook collects usage data to sell targeted ads based on behaviourally driven algorithms. It’s not complicated. The fact that you can use your Facebook login to connect with other online services and these other services accept that as a “credential” is absurd. Lies built on lies again hardly qualifies as an “identity system”, much less one which can produce any kind of anonymity worthy of the name.

Liberal Democracies

Another major problem arises when the authors speak about “liberal democracies” as if these could be addressed as a distinct group of nations that can be held to uncontested standards unique to “liberal democracies”.

Just read the “Declaration of the Independence of Cyberspace”. Remember the kind of thinking reflected there remains widespread in and around Silicon Valley, including among the highest levels of leadership of Big Tech as well as their acolytes and wannabes. External pressures, let’s call them “defeats”, might cause them to have to give ground from time to time but the underlying values, outlook and orientation remain.

The Declaration makes no distinction between “liberal democracies” or any other kind of government. It does, however, chime neatly with Ronald Reagan’s famous quote from ten years before the Declaration appeared. In 1986 he said

“The nine most dangerous words in the English language are ‘I’m from the Government, and I’m here to help’”. I imagine when Reagan said that he was speaking about the Federal Government of the USA not the Politburo of the Soviet Communist Party.

Big Tech is a world inhabited by people who think the absence of restraint means the same as “freedom” or “liberty”. It is a world where “permissionless innovation” has the status of a deity guarded by a priesthood who take their job seriously. However, the only recognisable religion these notions really fit with is buccaneering free market economics.

It’s quite a marketing trick to make your business’s financial interests appear to be synonymous with intoxicating words like “freedom” and “liberty”. If they buy it, and many do, you neatly recruit free speech and free expression advocates as your infantry, sometimes without even having to hand them a dime, but there are lots of dimes available if needed to bolster their forward march or rearguard actions.

The democratic stakes

According to The Economist Intelligence Unit’s 2019 Democracy Index, the UK ranks 14th in the world democracy stakes. We are classed as a “Full Democracy.” The problem is a great many of the “Declarationists” would laugh at the faintest hint of the UK being thought of as a “full democracy”. Alternatively they wouldn’t care whether it is or not. These dudes live according to their own lights. Because they can.

The ideologically driven exponents of tech freedom and liberty, as well as the money driven ones, might grudgingly admit there were some differences between Oslo (No.1) and Pyongyang (164th) but would not allow these much if any relevance in a discussion about policy for the internet because all governments are evil or tend towards evil. If they aren’t evil today they could be, probably will be, tomorrow.

So they go ahead and use strong encryption. They seek to popularise it and spread it around as much as possible. The Rule of Law is a cute idea but only if the laws and the way they are administered meet with the approval of the priesthood. See above.

Against this background, discussing how one might remain un-named when commenting on the Government’s latest blunder seems … I was going to write “trivial”, but it’s not. The ability to be anonymous sometimes can be important. Yet somehow being anonymous in a toxic sea seems a lot less important than some would make it out to be.

Do we need a cyber equivalent of car number plates? Or something else?

Posted in Default settings, Internet governance, Regulation, Self-regulation, Uncategorized

Failures of contingency planning worsened by delay

UK Children’s organizations have written a letter of protest to the Government.

The media have covered in some detail certain headline failures of contingency planning in relation to Covid-19 and lockdown. Less well remarked has been the failure of contingency planning in respect of children and families in the context of online safety and in particular how, if the Government had acted more expeditiously, certain risks to children could have been, if not eliminated, then at least reduced. That is the essence of the letter.

While acknowledging hindsight is a marvellous gift, it nevertheless remains the case that if Part 3 of the Digital Economy Act 2017 had been implemented in the way and according to the timescale originally anticipated, fewer children would have been exposed to explicit pornographic material during lockdown.

If the Age Appropriate Design Code had been moved along with greater speed, a smaller number of children would have been trapped or exploited during lockdown.

And let’s not forget the “Big One”: the “duty of care” and associated requirement for online businesses to honour their own Terms and Conditions of Service rather than use them simply as deceptive marketing. Both those ideas were foreshadowed in the Queen’s Speech in June 2017. They formed the centrepiece of the Online Harms White Paper.

While the Government has to carry a large part of the can for these acts of omission, so too do the companies whose only strategy has been delay. Delay for them is the same as winning. The status quo is what made them rich and powerful. They can live with it for a great deal longer. The money keeps rolling in.

Despite frequent proclamations by some online businesses of an acceptance of the need for regulation, the key word is “some”.  And even those who say they do accept the need might have a very narrow or limited view of what it might mean.

Why do I mention this now? A couple of weeks ago I was on a call where it was reported as uncontested fact that bodies like Tech-UK and the CBI are urging the Government to give Big Tech a “breathing space”, meaning further regulatory intervention should be put on hold sine die. This appeared to get a sympathetic hearing from HMG.

As the children’s organizations make clear in their letter, this is completely unacceptable. And can I make a plea? If any of the big name online businesses really want to argue for delay or for a different approach to regulation, could they please do so openly in their own name and not hide behind the skirts of trade associations or Think Tanks? And double please, do not say you would be OK with this or that proposal for regulation but you worry about the effect it might have on start ups – the companies you typically buy, absorb or close down the minute they show any sign of succeeding.

There is a great deal of knowledge easily available to any start up about the risks children face in the online world and how to address them. Doing the right thing should not be something you opt for only when you can afford it. Doing the right thing is now part of the entry costs for the industry you appear to want to join.

Posted in Age verification, Consent, Default settings, E-commerce, Facebook, Google, Privacy, Regulation, Self-regulation

The scandal that keeps on harming kids

Behind the reflecting glass windows of a modern office block at 12025 Waterfront Drive, Los Angeles, are the people who have the power to end one of the great scandals of modern technology. The question is: why are they not using it?

The nature of the scandal is well documented. In all parts of the world the lives of an uncountable number of children are wrecked by illegal online child sexual abuse images, videos and stills – what used to be called “child pornography”.

The publication of the images magnifies and adds to the harm done by the abuse itself. The continued circulation of these images makes the possibility of  recovery from the abuse much harder to achieve and amounts to a serious, on-going breach of the victims’ legal right to privacy and human dignity. To the extent the same images encourage or sustain paedophile behaviour or networks they also put at risk other children as yet unharmed.

Billions not millions

A major glimpse of the scale of this type of criminal behaviour was provided in 2017 by the Canadian Centre for Child Protection. It’s Canada’s official internet “hotline”. They launched a proactive web crawler called, er, Arachnid which, in a six-week period, searched 230 million web pages and on 5.1 million of them they found child sex abuse material. Within the 5.1 million pages were 40,000 unique child sex abuse images. Once a new image goes online it tends to be copied and repeated a great deal.

Everywhere the phenomenon is investigated, the scale of the crime is appalling. In 2019 in the United States the National Center for Missing and Exploited Children, which works in a very different way from and on a much bigger scale than the Canadians, received 16.9 million reports of child sex abuse material that had been found online.

Britain’s hotline, the Internet Watch Foundation (IWF), of which I was a Director, last month published its Annual Report. In 2019 they identified 129,111 web addresses containing child sex abuse material. In respect of each address they had sent a notice to the hosting company asking that the material be deleted at source. Every one of those pages could have had either a single image on it, or thousands with links to many more.

Earlier I said the number of children being harmed is uncountable. The same is true for the abusive images being circulated but few doubt we’re talking billions not millions. The challenge is colossal but it is by no means insurmountable. If there’s a will.

The cloak of invisibility

The images are pumped out by people and organisations who rely on being invisible.  Of course they do. Who would openly distribute child sex abuse material?

There are different online mechanisms which are used as distribution channels. A key one, the major one, is the worldwide web, the most widely and easily used bit of the internet. The bad actors use web sites they buy for themselves or they hijack or hack pages on other people’s.

The prosaic reality

To stop hijacking, minimal standards of security should be compulsory, not voluntary. Businesses which sell web site names or hosting services typically offer additional security as a paid for optional extra. That is wrong. It should be factored into the basic selling price. No exceptions. If this does not wholly eliminate hijacking it will greatly reduce it.

However, hijacking is probably the lesser of two evils. Straightforwardly buying sites is the easier pathway to child abuse.

When you buy a web site you will be forced to choose a unique name. It will be within a particular domain e.g. .com. Your ownership of this piece of virtual property, along with your contact details, is meant to be checked, recorded and stored on a database known as “WHOIS”, ultimate responsibility for which is vested in the Internet Corporation for Assigned Names and Numbers (ICANN) domiciled in California. These are the guys on Waterfront Drive referred to earlier.

ICANN’s rules stipulate that checking and recording contact details are essential but, astonishingly, criminals are willing to tell lies about such matters and they do that with impunity because ICANN appears to be unwilling or unable to do anything to stop them. They quiescently float on a sea of mendacity, wringing their hands while children suffer.

It’s all about the money, money

Selling web site names is typically a low-margin affair. Some can be bought for less than £1. This means achieving a high volume of sales is essential.

Around 98% of ICANN’s income is derived from two sources: Registrars and Registries. Registrars do the actual selling. Registries administer the systems that allow them to do that. Through contracts Registries and Registrars are authorised to act in their respective roles by ICANN, to whom they both pay fees. So in the end the whole edifice is driven by the likes of you and me, companies and other organizations buying or renewing web addresses. Nobody in the chain has an incentive to do anything which might suppress or in any way reduce sales or renewals of internet names. Quite the opposite. The accuracy of ownership data counts for nought if the dollars keep rolling in.

For a few dollars more

Everyone in the chain should charge a few dollars more, do a proper verification job and that way they could still be profitable even on a volume of sales that was reduced because fewer crooks would be buying.

Accuracy is the exception rather than the rule

Emily Taylor is an English solicitor. ICANN commissioned her to look into how accurate the WHOIS data were. She published her report eight years ago. She found that in only 23% of the cases were WHOIS data accurate in the way specified in ICANN’s rules. In other words, by some margin accuracy was the exception rather than the rule.

Taylor found 21.6% of the WHOIS entries to be so defective as to render the owner completely unreachable if WHOIS data alone were relied on. At the time Taylor reported there were 220 million entries in WHOIS of which 47 million fell into this latter category. Guess where most of the online criminals congregate, including those who trade in child sex abuse material?

How did it come to this? No. 1 culprit is the US Government.

Very easy answer.  Nerdy complexity, US politics and geo-politics.

Let’s start with the No.1 culprit, the US Federal Government. They pretty much “owned” the internet from Day 1.  As the number of web sites started to grow exponentially in the mid-1990s they gave ICANN a contract to start administering the naming system.

As the internet continued to expand and become internationalized pressure grew from other Governments and from parts of the internet industry to allow ICANN to become independent of any potential control by any US Administration.

The Chinese, the Russians, India, Brazil and others were very vocal. A case was made to kill off ICANN altogether and roll its functions into the International Telecommunication Union, in effect handing control of the internet to the United Nations. Replacing DC with Geneva. It didn’t go down well.

The suggestion was strongly resisted by most western Governments, but the effect was to strengthen the argument for the US Federal Government to find some way of withdrawing from its unique status.

The Federal Government gave in to this pressure and in 2009 entered into a solemn-sounding “Affirmation of Commitments” with ICANN. In essence the Affirmation said the US Government would relinquish its role as long as ICANN agreed to do various things.

One of the “things” ICANN promised (para 9.3.1) was to implement measures to “maintain timely… accurate and complete” WHOIS data. That never happened and the Obama Administration chose to overlook this fundamental flaw when they finally did do the handover in October 2016.  No one had come up with a better alternative and an election was looming.

So since 2016 ICANN has gone its own sweet way.  Now unhindered by any kind of external oversight ICANN remains driven principally by the financial interests of Registries, Registrars and the ICANN bureaucracy itself. In fact, in a recent rule change, ICANN has further reduced Registries’ and Registrars’ obligations in respect of verifying ownership and contact data. Things are likely to get worse, not better.

Could this call into question the validity of the 2016 handover? Has ICANN acted in bad faith?  Could it lead to the US Government “taking back control”? And while the prime responsibility for the current mess must be laid at the door of the US Government in the first place, other Governments and major law enforcement agencies share part of the blame for having allowed such a monumentally awful system to evolve and survive.

Historically, the people in and around ICANN have denied any responsibility for matters of the kind discussed here, saying it is for law enforcement agencies to address illegal behaviours. Not them. This is wilful, self-interested blindness. It is ICANN’s rules and the way they are observed or not observed which, front and centre, creates the problem.

Enemies of reform

Nerdy complexity and geo-politics are proving to be the enemy of reform. At the request of the FBI and the British police I attended my first ICANN meeting in 2010 to plead the case for stronger action to eliminate child sex abuse material from the web. Zero impact. More recently Cherie Blair QC, a distinguished human rights lawyer, wrote to the authorities in California asking if they would look into ICANN’s manifest failings in respect of protecting children. Ms Blair received a polite reply from the Attorney General but no action followed. Big Tech is powerful and important in Californian politics.

Companies such as Google, Facebook, Microsoft, Amazon and Apple have zero interest in maintaining the status quo in respect of ICANN and its component parts, but the damage done to Big Tech’s wider image by the continuation of these sorts of crimes against children impacts them all. Badly.

The difficulty is that, precisely because none of these companies is individually, or even collectively, directly responsible for ICANN, they are all hesitant about stepping forward to insist on creating a better system for fear of being branded as bullies with a hidden agenda to increase their own power.

Yet it is obvious the whole ICANN structure needs root and branch reform. If ICANN is to continue as the Regulator, a way must be found to free it of its financial dependence on Registries and Registrars.

The Registries and Registrars profiting from the shameful lassitude described above should be brought to book. The Canadian Centre for Child Protection recently sent me some data analysing the concentration of child sex abuse material on web sites according to the Registrars that sold or renewed the name. I have combined this with data published by the IWF showing the same according to the Registries responsible for the affected domains. What this reveals is the problem is highly concentrated among a relatively small number of businesses. I intend to publish the data soon.

Posted in Child abuse images, Default settings, Internet governance, Regulation, Self-regulation

Enfeebled enforcers

In yesterday’s “Observer” the ever-excellent John Naughton drew attention to a survey carried out by a new kid on the block, a company called “Brave”.  And they obviously are because Brave is trying to get going in the web browser market. Essentially this means Brave is taking on Google and Microsoft. They have filed legal complaints against Google.

On the second anniversary of the coming into effect of the GDPR Brave looked at a particular aspect of the relationship which exists between Big Tech and the regulators charged with enforcing our data privacy laws, the Data Protection Authorities (DPAs).

Allowing for potential bias in a survey commissioned by an entity seeking to challenge the established order, the findings Naughton discussed nevertheless drew attention to and quantified something many of us have known anecdotally for some time. Brave and Naughton deserve our thanks for doing that.

A major imbalance in resources

For practical purposes, on any given issue which is important to a large West Coast business, they can deploy an almost limitless number of lawyers and techie brains. What can DPAs do in response, at least on the techie side? It won’t be limitless but how limited will it be?

That is what Brave looked at in terms of in-house techie staffing resources available to the DPAs. Brave defined these as “specialists working in DPAs on tech investigations… people that have training or roles that are principally technical”. Brave drew on published data, checked, updated and confirmed via correspondence. The methodology is explained on page 13 of the survey report.

Of course DPAs can employ consultants, and some make it clear they do, but it is very rare to find consultants who are as readily available and subject to the same management and control protocols as direct employees.

In addition not all techies, howsoever defined, are necessarily equal. One uber-techie might be worth a dozen plodders. Then there is the age old problem that once someone working for a regulator becomes any good at their job Big Tech offers to treble their salary and away they go. This can create a residual sense that if you are working for a regulator it can only be because you are second rate or driven by messianic visions which means your judgement is not sound. Such is the end result of years of denigrating public servants. But that’s a culture war for another day.

Germany leads the way

The authors of the research estimated there were 305 tech specialist posts within DPAs across the EU. Germany’s Federal structure and consequential multiplicity of actors complicates things but the fact remains that of all techies employed by DPAs in the whole of the EU (which still includes the UK) 29% (88) are employed in Germany. It would be 101 and 33% if all vacancies were filled. The German DPAs still think they are under-strength.

If you add the total cost of the German Federal DPAs to the total cost of the DPAs in the Länder, Germany also spends the most on data privacy. The UK comes second overall in the spending league, or first if you don’t combine the German agencies’ expenditure. While the UK is a big spender it is only fourth in terms of techies employed. Behind Germany comes Spain with 36, France with 28, then the UK with 22 (including 1 vacancy). Given Spain and France have smaller budgets than the UK that is surprising, but not rivetingly.

Dodgy comparisons?

Drawing comparisons based solely on the amounts of money spent is fraught with danger. It could only ever be the crudest of indicators. You might have comparatively few tech companies within your jurisdiction. In a given year if a DPA chooses to do more by way of public awareness and educational activities, who’s to say that is money less well spent? However, Naughton’s rather obvious point is that the complex way in which data collection and data processing works on the modern internet puts an absolute premium on having a strong reservoir of technical expertise to draw on, otherwise enforcement actions could be extremely difficult to mount, sustain and win.

And let’s never forget after and with the techies come the lawyers. Bringing enforcement actions can be incredibly expensive. Is it really right that a DPA might be deterred from bringing a case against an Amazon or a Facebook solely because they are worried the drain on their budget would put other responsibilities at risk?

Is there a better way? Could there be some relaxation or amendment of the GDPR which would allow DPAs at least to share the cost of major cases, including the cost of the technical side of the investigations? If a cast iron case presents itself in a country not blessed with a well resourced DPA could that plaintiff or case be lost because the national DPA blanched at the thought of taking it on?

The guys at Brave make several interesting suggestions (page 11), one of which envisages an enhanced role for the European Data Protection Board (EDPB).

The special case of Ireland

You will recall not long ago the Irish Government was found to have been providing illegal benefits to Apple in order to attract them to their shores. I am pretty sure other tech companies were benefitting in like manner and this in part explains why so many chose to establish their European Headquarters there.

But it seems the Irish Government has been helping Big Tech in other ways. They get the whole of page 9 to themselves in Brave’s report. Ireland has the highest “Lead authority case load” in the whole of the EU, 127, compared with 92 in Germany, 87 in Luxembourg, 64 in France and 56 in the UK.

While the number of cases the Irish DPA has to address has been going up, their budget is not increasing commensurately. Cui bono?

Again these sorts of numbers don’t necessarily tell you anything of importance, but they certainly hint at something. The same is true for Austria.

And Austria?

The position of the Austrian DPA is interesting only because its Head, Andrea Jelinek, is also the Chair of the EDPB. How many techies does the Austrian DPA directly employ? According to Brave, none.

Food for thought for all of us, not just those who are concerned about the position of children in this “tangled web”. No pun intended. Honest.

Posted in Privacy, Regulation, Self-regulation

Another advertising scandal

Apologies for the fact I missed this at the time it hit the regular news cycle but when I read about it yesterday I felt I still had to write something. Regular readers will know my blogs are occasionally partly a form of self-medication. So here goes.

Unilever spends £6 billion per year advertising its vast range of everyday foods and other household products. The company has threatened to remove ads from Facebook and YouTube if they failed to eliminate different kinds of content they didn’t like. Seems they also had plans to draw up a “whitelist of trusted publishers”. With £6 billion at stake this would be a powerful incentive for anyone who depends on advertising revenue to pay attention. That’s pretty much everyone who provides ostensibly “free” online services.

Unilever owns a brand called the “Dollar Shave Club”. Last November it emerged they had been spending some of Unilever’s marketing bounty on Pornhub. An unapologetic Creative Director of the Dollar Shave Club said he chose to advertise on Pornhub because it “has guys’ backs” adding “It’s not expensive, but interestingly, the exposure you can get and the impressions are huge.”

I gather no irony or double entendres were intended. Part of the advertising riff was that if you use “Dollar Shave Club” products you wouldn’t need to visit the Pornhub site so often. OK. Let’s leave it there. You can almost hear the hairy knuckles scraping along the ground.

The good news is that after carefully pointing out the “Dollar Shave Club” had operational independence within Unilever a company spokesperson nevertheless went on to say “This type of content is deeply troubling and we will ensure that none of our brands advertise on Pornhub again, or on any other porn sites.”

Result. Bravo Unilever

Kraft Heinz do not appear to be in the mood to be similarly contrite. They own, among others, Weight Watchers, HP Sauce and Capri Sun and on a single day they took over the whole of the Pornhub home page for a #FoodPorn campaign to promote a frozen product of theirs called “Devour”. A spokesman said: “The brand was explicitly talking about #Foodporn, which has become a cultural phenomenon.”

So there you are. It is but a short step from frozen cheesecake and frozen pizza to bondage gang bangs. Who knew?

Porn harms children. Mindgeek, the owners of Pornhub, know this. They have the technology to keep children off their sites but in Britain and many other countries they refuse to use it until they and their competitors are legally obliged so to do.

No company that values its reputation as a family-friendly enterprise should give any of its advertising revenue to Pornhub. Embarrassments such as befell Unilever can only be avoided if they issue unambiguous instructions to everyone in their marketing departments and associated advertising agencies that Pornhub and the like are a no-no.

Posted in E-commerce, Facebook, Google, Pornography, Regulation, Self-regulation