A chance to amend the GDPR?

The European Union is currently reviewing aspects of the operation of the GDPR. The consultation closes tomorrow so if you want to stick something in you better move fast.

Below is a submission I just made on behalf of various children’s groups.

For several years many children’s organizations have focused on the way the worldwide web facilitates the distribution of child sex abuse material (referred to as “child pornography” in EU Directive 2011/93). The GDPR has done nothing to halt or reduce this criminal exploitation of children. The problem continues to worsen and in no small measure this is due to the fact that the WHOIS database is not maintained as an accurate record and ICANN, the body charged with oversight of WHOIS, refuses to exert itself to improve its accuracy.

The Commission’s formal consultation paper on the GDPR, published in January 2012, made no mention either of ICANN or WHOIS. In the following four years, while the draft was being debated, discussed and amended as the measure made its way through the legislative processes and institutions of the European Union, in none of the publicly available minutes of proceedings is there any record which indicates ICANN or WHOIS were ever even mentioned by officials or politicians, or indeed anyone. This was an oversight, an opportunity missed which has had grave consequences. It is hard to imagine that any democratically accountable politicians or decision-makers, had they fully understood the nature of the issues surrounding ICANN and WHOIS, would have let matters rest where they did.

ICANN is the creature of its principal funders, the Registries and Registrars. Registries and Registrars operate on low margins and high volumes. They have no financial incentive to ensure WHOIS contact data are verified as accurate, or that they relate to a genuine physical-world entity who can be contacted, swiftly if necessary, via a genuine address which is actually connected with that entity.

Verification costs money, takes time and it is therefore believed it would reduce the volume of sales and renewals. This might adversely impact the income of Registries and Registrars and therefore, ultimately, ICANN itself. For these reasons the levels of inaccuracy remain extremely high. This fuels, permits and encourages higher levels of crimes of every kind, including crimes against children. In other words, the rest of us pay the price for this avoidable neglect.

The financial and operational penalties attaching to recording and storing inaccurate WHOIS data should be substantial, irrespective of the legal domicile of the Registrar, Registry or indeed ICANN itself. This would help keep the EU’s children safe. Secondly, the limits currently placed on who may access WHOIS data and on what basis are unduly restrictive, time-consuming and expensive. Either we should revert to the status quo ante and make WHOIS fully open to anyone and everyone or some alternative arrangement is made mandatory. Such an arrangement should ensure there is rapid, free access to WHOIS data by anyone with a legitimate interest in receiving it.

The worldwide web is a public space. The use of privacy and proxy services to conceal the identity of a web site owner should only be allowed in prescribed circumstances under rules that are subject to an independent oversight mechanism.


PS: Not included in the formal submission but the above is yet another illustration of how the under-funded, under-strength children’s lobby is too often thwarted in its attempts to cut through the faff and the noise. One way or another, hopefully sooner rather than later, the GDPR must be amended to strip ICANN, Registries and Registrars of any hiding place. They are performing a public function with public safety implications and they are doing it very badly.

Posted in Child abuse images, ICANN, Internet governance, Regulation, Self-regulation

A look inside the Internet Watch Foundation

You might be interested in this chilling but extremely well-produced and informative insight into the workings of a hotline, in this case the Internet Watch Foundation: “Pixels from a Crime Scene”.

Posted in Child abuse images, Regulation, Self-regulation, Uncategorized

More bad news about children and the lockdown

In England the Department for Education (DfE) has lead responsibility for child protection. In 2019 the total school population for England was 8.7 million pupils.

A shocking story broke today on the BBC and in The Guardian about what is happening to some of England’s most vulnerable children during lockdown. I guess people will start hunting down equivalent data for Scotland, Wales and Northern Ireland. Let’s hope they have done better than England and we can learn why.

Working with local safeguarding partners DfE has oversight of systems which identify vulnerable children. The children will fall into two broad categories.

There are about 270,000 children who are the subject of an “Education, Health and Care” (EHC) plan. These will be children with learning or other difficulties which will often entail them being provided with close support or other forms of extra assistance.

The second and much larger group are children who are on what used to be called the “At Risk Register” (and still is in practice) although such children should more properly be referred to as children who are the subject of a safeguarding plan. There are about 500,000 of these in English schools. Typically this means the child has suffered from either neglect, or emotional, physical or sexual abuse, or some permutation thereof.

Children in this latter group are supposed to be the subject of regular case conferences with all of the statutory or other agencies who have contact or dealings with the child and/or their carers. Of these agencies, schools are a major partner.

The case conferences are carrying on, virtually, but large numbers of the children they should be discussing have disappeared from school during lockdown.

Every child in the at risk group was guaranteed a place at school during lockdown (as are the children of key workers). On Day 1 of lockdown (23rd March) it seems about 60,000 turned up. That’s 12%. By Friday 3rd April this had more than halved to 29,000, or 6%.

The number of children of key workers taking up the guaranteed places has also fallen during the same timespan so there is obviously something about all parents having some misgivings about letting their children out of the house in times like these. However, the point is vulnerable children probably need to be at school more than any others.

We need to add this to the list of things the authorities should have thought of and sorted out as part of their contingency planning for civil emergencies. As we can never know when the next such emergency might arise we all need to press the case asap before the institutional memory disappears, or distorts.





Posted in Regulation, Self-regulation, Uncategorized

When the schools go back

A distinguished Prussian General, Helmuth von Moltke, famously said “no battle plan survives actual contact with the enemy”. The truth of that is all too apparent in the way a great many Governments around the world, not least the British Government, have responded to the pandemic. Health emergency planning has been found to be full of holes and unanticipated consequences that ought not to have been. There will be a terrible reckoning for those responsible for serious avoidable failures but now is not the time.

I was going to open this next bit by saying “I’m sure someone has already thought of this” but in light of my earlier comment maybe I won’t.

Statement of the obvious: when the lockdown is over schools will face huge challenges.


Not all children will return to school having benefited or lost out equally from an educational point of view.

Part of this will be down to how well the individual school or local education authority had managed to organize things, get materials and instructions to children, and how well parents were able to help their children engage.

It will also have been impacted by variations in the nature of children’s access to technology, in particular in the nature of their access to the internet. Was it all on a smartphone? Did they have a tablet or a laptop with a decent size screen? How fast and reliable was the connection?

Some children will have had no access at all and, even among those who had, not every child will have been able to call on the kind of help or individual support that could have made the access optimal. For these reasons every school will have developed or ought to be developing a plan to try, when classroom teaching begins again, to level up all pupils.

And children’s welfare? Physical and sexual violence

In unusually stressful times children will have been in close, unbroken proximity to their parents, siblings and goodness knows what or who else.

There have already been lots of reports of an increase in domestic violence around the world, including the UK. Aside from the horror of seeing your Dad hit your Mum, some of this violence will have been inflicted on children themselves. It may have been sexual. However, the likelihood is most will not find its way into official statistics. It won’t have been reported but it will have been suffered.

A great many children may need to unburden themselves or find some sort of advice, counselling and comfort to help them process and address what they have been through in the early part of 2020. With children who lost relatives to the virus that will be obvious, but the scale and scope of need goes way beyond that.

Internet-based violence and abuse

In relation to the internet aspects, those children who did have access might have had minimal or zero parental supervision or engagement because the parents had to work or they were not very well informed about such things. Maybe there were no technical tools in place to lend a helping hand.

Yet we know paedophiles, scam artists and bullies have been making the most of the crisis. How many children will have got caught up in one of their webs? It may be a while before the real size of the problem becomes apparent but anecdotally it’s not sounding good.

And then there’s all the stuff children will have been watching or doing online. Violent pornography, violent games. Hour after hour of it.

All of the above constitutes quite a daunting list. But there’s more.

Strangers in masks!

A colleague who works in the field tells me lockdown has already produced a significant uplift in the number of children being taken into care, and that will continue for as long as lockdown does.

But here’s the horrific rider to that. It’s often, even typically, children being taken into care by strangers wearing masks and gloves! Protective masks and gloves, but think about that. Or maybe don’t, because it’s almost too much to bear.

For many children school is the safest place and safest part of their lives. Thus, when the schools do go back teachers and Children’s Social Services, probably also the police, are going to have to prepare for a substantial spike in disclosures, some of which will require urgent attention. If Whitehall had missed that I hope they are now on notice. They may need to step in with extra resources to help flatten yet another curve.

Note to contingency planners

Some of the harms to children associated with prolonged internet usage during lockdown could have been avoided or reduced if Whitehall and Westminster had acted promptly to implement measures foreshadowed in the Online Harms White Paper. The same is true in relation to exposure to hard core pornography. If the Digital Economy Act 2017 had been implemented – and remember, absolutely everything was ready to go, it just needed the Government to name a commencement date – a great many children would not have been exposed to some of the horrors of Pornhub and similar.

The Government said the reason for delaying the commencement was linked to their desire to bring social media sites within the ambit of the policy. Children’s groups agree they should be in the ambit. We argued for that as the Bill was going through Parliament. However, that is no reason why the main measure cannot proceed, even now. We can add social media later. Pornhub and similar are way out in a class of their own when it comes to online pornography. There is just no getting away from that.

Posted in Regulation, Self-regulation

Minor correction

Minor correction to my last blog. Iraq and the Philippines come ahead of Bangladesh in terms of csam uploaded. The corrected version can be seen here. No change to the top two and no change to any of the percentages. Apologies.



Posted in Uncategorized

Big numbers again and countries named

Under US Federal law every electronic service provider (esp) within the US jurisdiction is required to report all child sex abuse material (csam) found on their virtual properties. They must report to NCMEC, the US hotline, in a form described here.

The csam reported to NCMEC principally comprises still pictures and videos. It might have been notified to the esp in the first instance by a member of the public or a user of its service. However, as you will see, these days overwhelmingly it will have been found by the esp itself, typically through the proactive use of tools such as PhotoDNA.

NCMEC has just released a set of numbers for 2019. They represent the total number of reports of online csam made to them that year.

Headline numbers

In 2019 NCMEC received 16.9 million (16,836,694) reports. Of these 150,667 (1.0%) came directly from members of the public. The remainder came from esps.

The small proportion of reports from the public does not “prove” reporting by the public is irrelevant. 150,667 is a big number whichever way you look at it and any individual report can lead to huge quantities of csam.

The 16.9 million reports covered 69.1 million “images, videos and other files related to child exploitation”. How many of these reports were of images reported more than once matters a great deal less than the simple fact that they were found 16.9 million times.

In the previous year, 2018, NCMEC received a larger number of reports, 18.4 million, but these covered “only” 45 million images and videos. This suggests companies are getting better at finding and reporting stuff. Bravo, but note the enormous leap, i.e. from 45 million to 69.1 million in a single year, the largest ever year on year growth. I haven’t been able to locate the equivalent number of reports made in 2018 by members of the public but the ratio is unlikely to be materially different from 2019’s.

The platforms are….

The 2019 numbers should be read in conjunction with another part of the same document. This identifies the esps making the reports. There were just over 140 different companies in total, plus INHOPE which, obviously, is not a company.

First point to note: by a country mile Facebook is ahead of everyone with 15,884,511 out of the 16,836,694 total. That is a staggering 94%. A very long way behind in second place is Google with 449,283 (2.6%), third is Microsoft at 123,839 (0.7%), fourth is Snapchat at 82,030 (0.5%). The rest dribble to 1s, 2s and 3s with only a handful registering above 10,000.

And the countries are…

The IWF and INHOPE report on the countries where csam is being hosted i.e. published from. NCMEC’s reports identify the country from which it appears the csam was uploaded on to the internet, regardless of platform or hosting provider. There are caveats surrounding the potential use of proxies and anonymizers but it is unlikely these would distort any individual country’s numbers by an order of magnitude.

The stand out country is India with 1,987,430 reports (11.7% of the global total), followed by Pakistan with 1,158,390 (6.8%). Iraq comes third with 1,026,809 (6.0%). No other country tops a million with Mexico in an unenviable fourth place with 827,988 (4.9%), closely followed by the Philippines, 801,272 (4.7%). Bangladesh registers sixth with 556,642 (3.3%).

Other large numbers can be seen with the USA at 521,658 (3.0%), Saudi Arabia 514,832 (3.0%), then a series hovering round 2% e.g. Brazil 398,069, Vietnam 379,554, Thailand 355,396, and the United Arab Emirates (330,268). The numbers then meander down to 1 for Svalbard, the Dutch Antilles, North Korea, Antarctica, Christmas Island and the Falkland Islands. In 1,668,157 (9.8%) instances no country could be assigned from the available data.

Much food for thought.


Posted in Child abuse images, Facebook, Google, Regulation, Self-regulation

After the war is over

It is impossible for anyone to say with any level of certainty what the post-pandemic world will look like. Some pundits believe everything will be completely different. Rather more seem to be saying nothing much will change or things could get even worse as the ownership of key sectors of the economy become concentrated in fewer hands. This will happen because the companies that had the deepest cash reserves will come out stronger, gobbling up or completely eliminating potential or actual competitors who could not weather the downturn that was caused by the virus.

I am not going to engage in crystal ball gazing at that stratospheric level but I will hazard one prediction.

Ronald Reagan’s words will look a little off

In 1986 Ronald Reagan famously said

“The nine most dangerous words in the English language are ‘I’m from the Government, and I’m here to help.’”

This kind of thinking is deeply embedded in the tech industry and among its surrogates. It finds a perfect match in the later (1996) “Declaration of the Independence of Cyberspace” which still holds sway in much of Silicon Valley.

Of course it is important not to conflate or confuse how one responds to a public health emergency with issues arising under very different policy headings but, in a world where it is increasingly difficult to draw neat lines of demarcation, I suggest the following.

Among the wider public and the media one of the consequences of the pandemic will be a greater willingness to acknowledge the importance of the state as an actor uniquely positioned to define and defend the public interest. This will embolden politicians and Governments. And rightly so.

I say that even though I think few Governments will be seen to have got everything right in terms of their handling of Covid. Some might yet be completely undone by it if their incompetence or delay in acting is shown to have cost large numbers of lives. But we will all have received a sharp reminder of how important the state is or can be in holding the public ring.

Specifically, in respect of the internet, the way scammers and misinformation merchants added to the collective misery by exploiting large numbers of people’s fears or ignorance, while the big platforms seemed unable to prevent it, will further weaken the platforms’ and tech’s hold on the body politic. Lobbying can only get you so far in a world without friends or in a world where your only friends are people on your direct or indirect payroll.

Finally, if the fears being expressed by law enforcement and child welfare experts about what is happening to children during this period of prolonged engagement with technology turn out to be true, rather than seeing online child rights and protection as a niche issue to be addressed in happier times, I can see the clamour for effective measures being given a major, urgent boost.


Posted in Default settings, Facebook, Google, ICANN, Internet governance, Privacy, Regulation, Self-regulation