A letter from the Government

Here is a link to a reply from the Government on the question of age verification for pornography sites. No surprises but, equally, confirmation that age verification  remains as part of the plan.
Posted in Uncategorized

Age verification for porn sites. How we got here.

Online gambling in the UK began to take off in the early 2000s. It sprang out of the rapid growth of the consumer oriented internet. I was soon getting calls from distressed parents whose children, typically 14/15 year old boys, had been diagnosed as “gambling addicts”. Not many calls, but there shouldn’t have been any. 18 was and is the relevant age limit.

These boys had bank accounts with debit cards that could be used to engage in a whole raft of online transactions. The children were being classified as addicts because, among other things, they had developed a compulsion which led them to stealing things from their family and friends, converting the items into cash to put into their bank accounts so they could go online and blow everything on a football game, a horse race or whatever.

To open an account with an online bookie all a person had to do then was tick a box to say they were 18. That was it. No further checks were made. Hence the problem.

I went to see several large and ostensibly respectable gambling companies. Face to face. Most of them said the same thing. They were aware of the problem of under-age gambling on their web sites and took it “very seriously” but actually the majority  were not prepared to do anything about it. In essence they were worried if they did age verification on a voluntary basis their less fastidious competitors would draw away some of their customers who just preferred to avoid the hassle. Deadlock.

A change in the law changed everything

Long story short, when the Government initiated a review of gambling in 2003, the children’s groups lobbied to make age verification mandatory for online gambling even though, at that time, there was really no such thing as an “age verification industry”.

Appropriate clauses were inserted into the Bill as it progressed through Parliament. The Gambling Act 2005 became law with all-Party support. Then capitalism worked its magic. Businesses sprang up to do age verification or existing systems were adapted to make age verification easier. Since the new law came into effect I have not heard of a single case where a child was able to do what they did before, namely tick a box to claim they were over 18 then go on to gamble.

A couple of wrinkles have emerged. The Gambling Commission is addressing these and new forms of online behaviour have developed e.g. loot boxes in games, which have not yet been recognised as gambling. They will be.  Online businesses selling alcohol, tobacco, knives and other age restricted products which take 18 as their baseline have been following suit. Ripples in the pond and all that.

But porn?

What happened with online gambling provided the inspiration to press on to address online pornography. It gave birth to what became, in effect, a twelve year long campaign to get online pornography sites to do the same as gambling sites, and for the same reason. To protect children.

Once again we received significant support from all of the main political parties, particularly from a group of prominent women Parliamentarians in both Houses.

Following its inclusion in the Tory Manifesto and the subsequent passage of the Digital Economy Act 2017, all thenecessary regulations were drafted, consulted upon and approved. We started getting the bunting ready as D-Day approached. Then 16th October  2019 happened.

Bad but not fatal

I think the UK Government made a bad decision when they announced they were not going to approve the final set of regulations. These were the ones which would press the button to make the policy operational more or less immediately. The infrastructure was ready and in place. Everything was ready and in place. The civil servants and the designated Regulator (the BBFC) had spent millions getting there, ditto the porn companies and the age verification businesses.

Political decision

The decision to call a halt was a political one taken at the highest level. That it was announced on a day which pretty much guaranteed it would struggle to get coverage in the media is evidence people in those high places were aware they were doing something dodgy. Brexit madness provided and continues to provide cover.

We have a  new Government

Coming out of nowhere, as it did, we still have to ask the obvious question. Why? For one thing, although the current Government is, as it was before, a Conservative one, it is nevertheless a new  Administration.

Theresa May has gone. Boris Johnson is the new kid on the block and when he became Prime Minister he appointed a load of new Ministers. One of these is Matt Warman MP, the DCMS Minister for Digital and Broadband. In an earlier life,  Warman was Technology Editor of the Daily Telegraph. He came to his new job with opinions and knowledge. One of the great things about being a Minister is you can set an agenda.

One cannot rule out the possibility of political influences from elsewhere e.g. No. 10, but my hunch would be that Matt Warman was lobbied by his erstwhile friends in the tech space and their close allies in the free speech and civil liberties communities. Either way he took up the cudgels, convinced his Secretary of State and the rest we know. Were all the senior civil servants happy with this? Did they have a hand in the volte face? We may have to wait 30 years for the memoirs to appear before we know the real answer to that.

On ice not frozen out

Even so, as I made clear in my earlier blog the Government has emphatically not said they are abandoning age verification for porn sites but Ministers are saying the later publication of the Online Harms White Paper, with its emphasis on the creating an overarching duty of care, does change the wider environment. On that they are definitely right. Not sufficiently to justify delaying the commencement but there you go.

Aside from needing to align with the duty of care, with the stated aim of making the UK’s approach to online child protection even stronger, what else might  have been behind the Government’s decision? I think there were two main issues, both of which we had spotted and raised very early on in the legislative process, and two others which have arisen since.

If you plan to try to get age verification going in your country, take all this on board now so you minimise the risk of hitting similar buffers.


Consuming porn on the internet is not the same as ordering alcohol, buying cigarettes or knives or placing a bet on a horse and it is no good trying to pretend otherwise. Hypocrisy is the tribute that vice pays to virtue – in this case literally.

However, even though the privacy lobby had shown scant concern for porn consumers’ privacy rights before this measure came along, when the world’s largest producer of porn announced they were going to create an age verification solution and become an age verification provider, opponents of the policy were handed a major publicity gift. These opponents seized it and invented a series of wholly bogus or hugely exaggerated fears.

Nevertheless, because the privacy code of practice that is linked to the age verification policy was made voluntary, rather than compulsory, it did create tensions. Even people sympathetic to introducing age verification were not wholly unsympathetic towards.

If I had to pick a single aspect which is most likely to have motivated Warman to do what he did, it would be this.

Tip:  if you are addressing porn in your country do not think of privacy as “someone else’s problem or a different and unrelated issue”. Make it part of the deal from Day 1.

It may seem weird  for child protection people to worry about the privacy of porn consumers but if you don’t take care of it be prepared for it to come back to bite you. The objective here is to change the law to protect children from porn. It is not to persuade adults not to consume it or to frighten them with the risk of exposure (so to speak).

Social  media

This was the second major issue.

As the Bill was going through Parliament the Government refused to countenance expressly including social media sites within the ambit of the Bill because the social media companies  are not principally in the business of publishing porn. The assumption was social media companies would find a way to fall into line if only to avoid giving the Government a reason to come back at them.

At the time it felt that by going for age verification for porn sites the Government was being dramatic, bold, complicated and revolutionary. Drawing social media into the frame was a step too far. In other words the last Government “bottled” it. The new Government seems unwilling to do the same and wants to sort it out now. Hey ho again.

In a minor key

Other factors? Voices were raised to argue the BBFC was the wrong organization to be the Regulator. In part the BBFC seemed to me and others to be the obvious choice because of its expertise and experience in online content classification and because the only plausible alternative, OFCOM, repeatedly said they wanted nothing to do with it. Cynics suggested this was because OFCOM thought the policy was doomed to fail.

Could it be OFCOM changed their mind and went in to bat to pull it back?

Then there is the EU’s approaching AVMSD. Brexit or no Brexit this complicates things. The suggestion is civil servants in the age verification bit of the DCMS had missed it.  When their bosses realised this they also had a reason to bring everything to a full stop and wind back.

Politics is murky at the best of times and these are not the best of times.

Until the dust has settled on Brexit and the imminence or otherwise of a General Election is clearer it is hard to know how best to respond to the current situation. Should we mount a campaign to get the Government to change their mind or should we take them at their word and go with the grain?

I am certain age verification for porn sites is on its way in the UK but it could be that the UK will now not be the first liberal democracy to introduce it.

Watch this space.

Posted in Age verification, E-commerce, Regulation, Self-regulation

Journalism and wishful thinking

Today there is much concern about the accuracy of words appearing on the internet. That being the case is it unreasonable to hope journalists make clear when they are offering an opinion about, or an interpretation of, events? If that is too much to expect could they not state what the facts are meant to be before going on to rubbish or rewrite them?

I mention this in the context of what happened last week when most (not all) media outlets reported the UK Government had “dropped” plans to use age verification as a mechanism for keeping children away from commercial pornography sites.

Almost all (“almost” being the key word) media outlets went with that line. There was absolutely zero basis for it when judged solely by what the Government actually said.

Journalists hunt in packs

Journalists often hunt in packs and are under severe time pressures to produce copy so while it may be annoying, or worse,  you know the rules of the game and can take counter measures. However, when an academic who invokes the magnificence of Emmanuel College Cambridge starts repeating opinions and interpretations gleaned from the ephemera of Fleet Street and rebirths them as “fact” you have to pause for thought.

Which brings me to the article in yesterday’s  Observer by Amy Orben.

Orben opened by asserting the Government’s plan to introduce age verification to restrict children’s access to online pornography was not only “dead” but had been for “months, if not years”.  As someone who had been involved with this initiative from Day 1 that came as a revelation.

There was nothing in the Government’s statement of 16th October which supported Orben’s view. On the  contrary the Secretary of State was clear that, in the Government’s new and expanded vision for policy in this area, she “expects age verification to continue to play a key role in protecting children online.”

On 17th October, in response to an Urgent Question tabled by Margot James MP,  in the House of Commons the  Parliamentary Under Secretary at DCMS faced a barrage of hostile questioning  from more than a dozen MPs. At no point did he swerve or even hint at a swerve on the matter of age verification for dealing with online pornography. He said he wanted to locate it within a broader range of measures but that is not the language of abandonment or dilution.

So whatever Orben was expressing in the article in The Observer it had no factual basis.  Moreover I am not the only person who appears to have read the Government’s announcement differently from her.

In a typically alarmist and exaggerated way on 16th October on the ITV web site Myles Jackman of the Open Rights Group is quoted as follows

“Superficially (the Government’s announcement) may seem like a victory for privacy and security, but the lacuna….. that they would be considering extending age verification to social media platforms like Twitter and Reddit without considering the risks to intimate personal sexual information being leaked onto the internet is frightening.” (emphasis added).

I rest my case.




Posted in Age verification, Default settings, E-commerce, Pornography, Regulation, Self-regulation | 1 Comment

Age verification update

Brexit madness is intensifying (and I didn’t think that was possible) so today’s media coverage of yesterday’s announcement by the Government of a delay in implementing age verification has not been anything like it would have been in more normal times. However, judging by the numbers of people who have been in touch with me to express outrage I would say this is definitely not over yet.

What media coverage there has been is saying  either that the Government has, variously, “dropped the plan because they didn’t think it would work“, or it has “dropped the plan because of privacy concerns”, or some combination of the two.  Neither of those things are in the Government’s official statement.

This suggests someone in officialdom is briefing against (as they are describing it)  “the previous Government’s policy”. Alternatively or in addition old enemies of the policy have been jumping in with their theories  and interpretations which, in reality, are a form of wish they hope will transform into a self-fulfilling prophecy. The fact that some journalists report these biased theories and interpretations as if they were fact is disappointing but not surprising.

Urgent questions in Parliament this morning

This morning a dozen or so Members of Parliament were on their feet questioning the Minister (Matt Warman) about the change of policy.

Some of the responses from the Minister were extremely positive. If you are interested you will be able to read the whole exchange in Hansard when it comes out later today but here are the highlights:

  1. Age verifiction is not being dropped.
  2. It will continue to be one important tool among several that will be used to protect children in the online space under the wider umbrella of the “duty of care”. That is the centrepiece of the Online Harms White Paper (OHWP)
  3. The range of companies that will be affected by the duty of care is to be expanded well beyond those caught by the Digital Economy Act 2017. Specifically social media companies were referenced, Twitter in particular. The implication of this was that they too may need to engage with age verification. Under the “old” arrangements they wouldn’t have been, and true enough we always saw that as a weakness.
  4. While it was acknowledged that responding to the OHWP may be a longer process the Minister seemed to suggest the age verification aspects could be brought forward within a faster timeframe.
  5. Who the Regulator will be was not mentioned but the Minister did say that the BBFC would remain as part of the architecture because of their undisputed expertise in classifying content.

None of this need have caused a delay

Two points :

  1. Accepting everything at face value, you still cannot get around the fact that systems to protect children from online pornography were in place and ready to go. They could have been triggered and be in force before Christmas. If issues then arose that needed correction or adjustment they would have been based on actual experience.
  2. The problem is, particularly with all the briefing that has been going on, few people will feel inclined to accept anything at face value. They will worry the Government is in full retreat on age verification, simply taking defensive PR measures in the hope it will soon be quietly forgotten.

It won’t be.

The UK’s reputation as a world leader in online child protection has taken a big hit. But far worse than that kids will remain exposed to stuff that will harm them. That could have been avoided or substantially reduced.

Posted in Age verification, Pornography, Privacy, Regulation | 1 Comment

With steam coming out of my ears

Today was a terrible day for children in the UK and the Government is 100% to blame.

However, because of the drama and uproar over Brexit what the Government has done may struggle to get adequate attention in the media tomorrow and in the next few days. Some say that is precisely why the Government chose now to make the announcement.

Following a Manifesto pledge and publication of a Government Bill, Parliament said it wanted to inaugurate a system to compel commercial online pornography companies to introduce age verification so as to keep children off their sites.

The porn companies didn’t like it, tried to stop it, but the Government’s view prevailed. It became law in the Digtial Economy Act 2017.

Since then a new Regulator has been putting everything in place to ensure the policy works smoothly. They spent millions gearing up and they are ready to go now. Today.

The porn industry likewise spent millions getting ready. They are ready to go now. Today.

New age verification companies and older ones spent millions getting  ready. They are ready to go now. Today.

What did Secretary of State Nicky Morgan do today? She called a halt and kicked the whole thing into the long grass.

Morgan says the policy needs wrapping up with the response to the Online Harms White Paper (OHWP). This means nothing will happen for two, more likely three, or  even four years, conceivably more.

In other words Nicky Morgan has condemned Britain’s children to being exposed to horrific scenes of sexual violence for a further two, three, maybe four  or more years.

Morgan could havetaken a different course by laying the necessary orders before Parliament so they would become operative 40 days from now. She didn’t.

Once the policy was working, if adjustments needed to be made they could have been made as part of the roll out of OHWP but, no.

Weeks into her new job Morgan decides to ignore and override years of work done by other people with a huge amount of knowledge and expertise. You have to ask who got at her? And why?

This is an absolute disgrace. She must be persuaded to change her mind. The children’s organizations are livid and I imagine a lot of other people will be.

The press is already full of suggestions the Government  did this because it no longer thinks the policy will work.  Either someone in Government is briefing against the official policy – not unheard of – or it is the usual mischief makers indulging themselves. What a pity the Government gave them the opportunity.


Posted in Age verification, Regulation, Uncategorized

Is the Internet Governance Forum to be reborn?

At the moment there is a “High Level” review going on within the United Nations.  It was commissioned by the Secretary General of the UN  who appointed Melinda Gates and Jack Ma as co-chairs. With this type of backing it ought to have great potential. The dynamic duo have produced: “the age of digital interdependence“, otherwise known as the “Report of the UN Secretary-General’s High-level Panel on Digital Co-operation” (the Report).

Inevitably the Report covers a lot of territory but in one key section it looks at the future of the Internet Governance Forum (IGF).

The origins of the IGF lie with the earlier Word Summit on the Information Society (WSIS) process, the UN’s initial major foray into internet policy. The first meeting of the IGF was in Athens in 2006. It has met annually since. I wasn’t in Athens but have not missed an IGF meeting since. Some of the thinking behind the IGF initiative contained noble ideas that were very much of their time. Yesterday.

Comments are being sought on the Report (see link above). Below is an edited version of the ones I submitted on behalf of the European NGO Alliance for Child Safety Online.  These comments focus principally on the internet governance aspects.


From the perspective of children’s usage, the internet we have today is barely recognisable when compared with the internet as it existed at the time of WSIS and the beginnings of the IGF. The upside of the growth and the changes in the internet which have taken place since then are readily apparent, but so too is the downside which mutes, dilutes and deflects from what should otherwise have  been a glittering success story.

The problems and difficulties faced by children  in the context of the modern internet can be set out under three broad headings:

  1. Those which pose a direct threat to their well-being or unfairly exploit them.
  2. Those which deny them their legal rights to privacy, to  be heard and to participate in processes which result in decisions on matters which affect them.
  3. Too many children still do not enjoy good quality access to the internet linked to its vital companion, media literacy.

The Report

While the Report is very definitely welcome we are afraid its overall tone and much of its content are rooted in a historic approach which has demonstrably failed children in a number of fundamental respects.

The responsibility of companies

In 2019 the overall impression most people are left with is that while a comparatively small number of companies and their shareholders have profited enormously by building large and successful businesses off the back of the internet explosion, these actors have not devoted anything like the same amount of attention or ingenuity to the problems which are now manifest, including those that are a by-product, an unintended consequence, of their success.

Does the present state of affairs exist because of inherent, even insurmountable technical difficulties? What part do the values and hence the priorities of the owners of the businesses play in determining such matters? Is it all about money?  Put simply are the economic incentives not properly aligned to draw businesses away from their current ways of working without external prompting e.g. via binding rules and Regulation?

The responsibility of Governments

A similar comment might be made in respect of the Governments and public institutions in jurisdictions which have the largest concentrations of the successful  tech companies within their borders. They have benefitted from the tax take on profits and the wider boost to their economies in terms of the jobs created, but otherwise they have been bystanders as online perils to children developed and multiplied. Have they just yielded to an obvious conflict of interests?

The responsibility of both

In the end it has to be said that while companies, and the internet eco-system of decision making bodies which they dominate, must bear a substantial responsibility for where we are today, Governments, inter-governmental agencies and other public institutions do not escape criticism either, because they failed to find an alternative course of action which would have obliged or led to different and better outcomes.


Multistakeholderism is referred to many times in the Report, but not sufficiently critically. There was a time when multistakeholderism, linked to a belief in and support for the superiority of self-regulation as a way of tackling any emerging difficulties with the new technology, was the only option available. Few politicians, civil servants and police officers and only a small number of civil society organizations and policy makers had any kind of deep understanding of how these new exciting cyber businesses operated. And they, by which I really mean “we” were dazzled by its apparent promise. Or should that be “blinded by the light”? (with apologies to Manfred Mann and Bruce Springsteen).

The cool disrupters who didn’t wear suits

At the beginning of the mass consumer internet, layered on top of the challenges public bodies and others faced in understanding it, the companies at the forefront of the internet revolution somehow managed to identify with a counter cultural, insurgent liberal spirit. They promoted themselves as wholly different types of ventures, principally driven by social goals rather than more traditional commercial ones. They wanted to make life better, overturning old-fashioned clunky, time-consuming and expensive ways of doing things. Since many tremendous products some of the leading firms were providing at that time appeared to be “free” to the end user at the point of use, this helped cement a benign, almost philantropic view of the internet in the public’s and the media’s consciousness.

The new orthodoxy

The new orthodoxy consequently centred on a belief that the only important thing was to keep Governments out of the way. Multistakeholderism meant everyone, all the “stakeholders”, would talk to each other, a consenus would emerge but that was it. Regulation became a dirty word. Innovation  and market forces would take care of everything. This would be a wholly virtuous circle. Industry was not only  given pretty much a free hand, states even went as far as to give them special exemptions from certain types of liability e.g. the EU’s e-Commerce Directive and the USA’s s.230, CDA, 1998.

Multistakeholderism looks good but isn’t working 

The Report remains strongly wedded to the idea of multistakeholderism. Its theoretical attractions are clear but the actual experience of it is a long way from being satisfactory. Multistakeholderism without concrete and deeply embedded measures to ensure a greater equality of arms  between the participants is simply another way of creating a platform which allows those with the deepest pockets to shout loudest and block or delay change while the cash keeps rolling in.

Particularly for children

Turning more specifically to the position of children, there are several excellent references in the Report,  but save in respect of a passing comment  about “children’s agency” (page 17) the document as a whole makes no explicit mention of the importance of children’s rights to participate and their right to be heard in respect of matters affecting them. This subject deserves a much larger exposition, not least because children now constitute one in three of all human internet users.

NetMundial did not even mention children

It is unfortunate that the Report notes with approval the NetMundial statement, a statement in which children are not referred to even once. How did that happen? The same way it normally happens in an unequal multistakeholder environment. When the Netmundial statement was being drafted and adopted nobody was in the  virtual or physical room with a specific brief to watch out for and advance children’s interests. Obviously this does not mean everyone else engaged in the process was hostile towards children or children’s interests. They just weren’t in the process with children’s interests uppermost in their minds or they lacked the expertise, knowledge or confidence to make the case for children in the context of digital technologies in general or internet governance institutions in particular. This must change.

Not just about children’s groups in lower income countries

The Report makes no explicit mention of the practical difficulties of engaging with multistakeholder institutions and environments and how this affects not just groups in the lower and middle income countries but also groups in higher income countries.

Children’s groups usually are faced with a choice. Do they spend scarce time or money helping a child or a family in need of immediate help,  or do they buy an airline ticket to a distant location with expensive hotels so they can visit a conference  centre where they will sit cheek by jowl with representatives of some of the world’s richest companies, against the possibility that somewhere down the line, maybe never or ten years from now,  a digital behemoth might tweak an algorithm? There is only one possible decision a typical children’s group can take. They stay at home.

Similar comments might be made in respect of the deluge of correspondence, conference calls at strange times of the day or night to engage with people you have never met and will never know. All these are part of multistakeholderism in the online space.  Many of the commercial companies that take part hire lobbyists and lawyers or employ staff dedicated solely to such matters.  For the reasons given earlier children’s groups cannot do that.

Money talks

Even Governments and inter-governmental institutions can be at a severe disadvantage as compared to the commercial entities which have a major stake in the business opportunities presented by the internet.

It is unlikely there will ever be a completely level playing field as between governmental and inter-governmental bodies, civil society and business, but at present the field is tilted so far in favour of business interests it makes a mockery of the very idea of multistakeholderism.

The Multistakeholder Advisory Group (MAG)

The MAG is the body charged with organizing the annual IGF meeting. There are two major flaws in the arrangements currently pertaining to its selection and operation.

  1. The selectors favour individuals  or organizations already “dug in” to the IGF environment. The complexity and arcane nature of the language used does not help attract new people or groups. Neither does the financial and time costs of participation.
  2. The process of selecting members of the MAG is obscure and the credentials of those seemingly there to represent particular constituencies appear often not to be scrutinized with any great care. Neither is the efficacy of MAG members’ reporting back to or working with their constituency.


The document devotes a section to the “Distributed Co-governance Architecture” (“COGOV).  While its recommendations in respect of  how future arrangements  might be better reconfigured are welcome they are nevertheless imbued with a profound sense of unreality. Elements of COGOV are absolutely central to many of the issues the report discusses elsewhere. They are not in any sense marginal or minor.

While the Report notes how difficult it is to trace any concrete connection between the IGF and any real world consequences for the way the contemporary internet is run, that is absolutely not the case with, for example, the IETF, ICANN and IEEE.


Decisions they take can have very direct and immediate real world consequences yet there is little doubt their decision making processes are very heavily influenced by the commercial interests that engage with them. Look, for example, at the way DNS over https evolved within the IETF.


The way ICANN has intentionally downgraded the importance of maintaining the accuracy of WHOIS data suggests they never had any real intention of honouring the promise they made when they signed the Affirmation of Commitments in 2009.

While there are many ways in which the DNS can be exploited by bad actors undoubtedly one of them relies upon the ease with which they can acquire a sub-domain without having to render any robust proof of their real world identity and contact details. Whatever the rules might be about how and by whom WHOIS data are accessed, it is hard to imagine a single sub-domain would be used to distribute or promote child sex abuse material if the owner or person linked to it knew their true real world details had been captured and stored by anyone, anywhere on the planet.

In 2012 ICANN decided to allow the creation of new gTLDs .Bank, . Pharmacy, and . Insurance eventually emerged as Verified Top Level Domains. They are called “verified” because the entity responsible for them enquires about the credentials, qualifications and suitability of persons or companies seeking to acquire a sub-domain under one of those headings. This severely restricts the possibility of bad actors being able to pass themselves off as legitimate but when it came to the creation of .kids, zero meaningful stipulations  or restrictions were made to try to protect children from being drawn towards  sub-domains within .kids that might be owned or operated by persons who wish to harm children.

IGF and IGF Plus

While also acknowledging its then zeitgeisty utopian underpinnings, a key reason why the IGF was created in the first place was to avoid a diplomatic rupture between States involved in the WSIS process in respect of how parts of the internet were to be managed at a global level.

There was never any intention of allowing the IGF to be anything more than a talking shop. Talking shops have their value, no doubt, but  to say they are linked in any meaningful way to questions of “governance” is dubious.

The IGF today is a bit like a cross between a trade fair for people who work in and around internet policy questions and going back to University for a week where a vast array of interesting seminars are laid on by lots of equally interesting people who are there to deliver papers or participate in the discussions. Marvellous but not “governance” by any commonly understood meaning of the word, or rather if it has any impact on “governance” it is incredibly diffuse and tenuous and perhaps of much less importance than discussions which take place elsewhere in other forums.

Whether it is necessary to have such elaborate or expensive mechanisms to organize a week of seminars linked to a trade fair must be moot but it would be a pity if the annual gathering disappeared because there is nothing else like it.

Thus the proposals to create an “IGF Plus” are welcome, but they fall a long way short of what is needed if the public interest across the whole internet governance eco system is to be adequately safeguarded.

Posted in Internet governance, Regulation, Self-regulation

On encryption and child protection

A company is normally driven by a desire and a legal obligation to build “shareholder value”. In the case of one company, Facebook, Mark Zuckerberg owns a majority of the voting stock so when looking at its big decisions we are not talking about a “company” in the way it is generally understood. We are talking about decisions taken by one person.

In recently leaked transcripts of an internal staff Q&A session Zuckerberg acknowledged that it is only because he owns a majority of the voting stock he is still in post because “some of the things I have done would otherwise have got me fired several times over.”

This uncomfortable fact of ownership and control matters hugely at the moment because Facebook, meaning Zuckerberg, has announced an intention to introduce end-to-end encryption (e2e) for Facebook Messenger.

12 million reports in 2018

In 2018 Facebook Messenger’s automated systems identified, deleted and reported 12 million instances of child sex abuse related activity or material. Any images of child sex abuse thus detected typically were gone within minutes or hours. Bravo.

Yet this will end if Zuckerberg persists with his plans.

In anticipation of introducing e2e on Messenger Facebook said

“We are working to improve our ability to identify and stop bad actors across our apps by detecting patterns of activity or through other means, even when we can’t see the content of the messages, and we will continue to invest in this work.”

Any alternative approach which maintains or improves on the status quo in terms of protecting children will be welcomed by everybody. Anything that changes the status quo in the wrong direction will not be. If Facebook cannot actually see the content, it is difficult to imagine how, for example, they will be able to spot illegal images, therefore they will not be able, as now, to delete or report them in fast time or prevent their further distribution. This will compound and expand the harm already done to the child in the image and limit the possibility of her or him being rapidly identified and located in real life.

The alternative being offered

As a way of ameliorating the freely acknowledged adverse impact of going encrypted, I understand, inter alia, Facebook is suggesting that where they find behaviour which suggests a connection with a bad actor the individual’s account will be closed down. Let’s not dwell on the obvious implications of this. They are not the main point.

In addition, seemingly Facebook will hand over to law enforcement the metadata of the person. 12 million reports? A deluge of data will be added to the pre-existing deluge.

Has Zuckerberg had an irony bypass?

The irony of Facebook seeking to position itself as a champion of privacy will not be lost on those who have documented its persistent failures in that field. But already Zuckerberg’s strategy is paying dividends. Just look at the long list of free speech and similar organizations that have signed a letter praising Facebook’s decision and urging them on.

Few people will believe Zuckerberg’s Damoscene moment was prompted by anything other than a calculation about the future profitability of the good ship Facebook. Here’s my analogy. None of the porn companies and online gambling outfits active in the UK market wanted to introduce age verification until everyone did. They didn’t want less fastidious competitors to eat their lunch.

Similarly here, Zuckerberg has seen the likelihood of e2e services growing in importance so he has to find a way to move his major messaging services (Instagram gets caught up in this as well) into that space as quickly as possible.

If there is a sustained, public fight to bring that about, so much the better. The company once seen as the enemy of privacy will be able to burnish its reputation as a champion of it. Brilliant. But wrong. Wrong in principle but also wrong because it is too short-sighted.

Zuckerberg’s potential or actual motives, in truth, are irrelevant. What matters is the idea itself. It is a bad one that will not survive although it may not disappear quickly. Why? Because Facebook’s decision will prompt the US Congress to start off on a path which ultimately will lead to new, bi-partisan Supreme Court-friendly laws limiting what US-based entities can do with encryption, at least on mass messaging services. But before getting to that point Facebook and other businesses could find their devices and services banned in many different countries. Not all of these will be totalitarian dictatorships.

“Back doors” are a bad idea.

And here is the point: nobody I know wants or supports the creation of “back doors” into encrypted services. That implies the police, security services or others, could covertly access a person’s account without proper authorisation, be that a warrant or a court order. Such an approach is completely beyond the pale. But right now courts are issuing orders and they have no effect. Subpoenas and warrants are ignored or are not capable of being acted upon. That is not right. It is a trend that must be halted and reversed.

It was these sorts of concerns that were behind the US Government’s decision to call a conference yesterday under the title Lawless Spaces: Warrant-Proof encryption and its impact on child exploitation cases . Senior Ministers from the UK and Australia attended. I cannot recall any event like it devoted to the protection of children online.

Cynics say the US and other governments are showing fake concern about children when what they are really about is an undeclared intention to get to a position where they can spy on any and all of us in the online world as easily as they can in the physical world. Even if that were true it would not obviate the need to address the point about harming children, unless you are willing to accept that children are collateral damage, a sacrifice to be made on the altar of a different cause.

Companies or organizations providing encrypted services must be required to maintain the means whereby, on production of a properly authorised warrant or court order, they can produce a clear version of every piece of content they helped transmit. The businesses don’t have to hand over the decryption keys to anyone. They can do it all themselves.

Private organizations and the public interest

It is completely unacceptable for companies, or indeed any other types of private organizations, to decide that it is ok to create spaces which are completely beyond the reach of the law. Society is entitled to take a view on the balance to be struck between the public interest and the private interest. Facebook isn’t.

We should not base every decision we make about the internet solely on the basis of whether or not it helps or hinders paedophiles or puts children at risk without regard to any other factors. But equally I completely reject the idea that the protection of whistleblowers, political dissidents and the like trumps any and all other considerations. It’s back to that question of balance and who decides how and where to strike it.

The pendulum has swung too far. It is time for a correction.

Posted in Child abuse images, Facebook, Privacy, Regulation, Self-regulation