Towards a new internet strategy for the UK

On 27th February Karen Bradley MP, Secretary of State at DCMS announced the Government’s intention to  develop a new internet strategy. As a member of the Executive Board of UKCCIS I was asked for my views.  I reproduce them below.

I pointed out that in the time available it had not been possible for me to consult the children’s organizations with whom I normally work, through CHIS. The note I sent in therefore expressed only my personal views.

End of the Bill

In his speech on the Digital Economy Bill, last Monday night in the House of Lords, Lord Ashton referred to the  Secretary of State’s announcement in the context of there being a need for a wider discussion about the effects of pornography in society as a whole, not solely in respect of children. I would hope there will be an opportunity to contribute to that aspect of the review. I accept it was never envisaged that the Digital Economy Bill was to be a trigger for a wider debate about what sorts of pornography are more or less acceptable, whether being viewed by children or not. However, just because children cannot view certain types of material that have been put  behind an age verification wall, it does not mean that its continued availability to adults does not constitute a threat to children. Such material might encourage, promote or appear to legitimize or condone  harmful behaviours which either directly or indirectly put children at risk.

Of the issues mentioned in the Secretary of State’s statement of 27th February  I will focus on:

  1. Future proofing and technology solutions for online safety
  2. The role of industry in online safety

Future proofing

“Future proofing” is a great idea but it sits ill with the reality  of how Silicon Valley and the  high tech industries generally operate and how they think they ought to operate.

Speed to market and first-mover advantage are often dominant or enormously important concerns in the product development cycle. Novelty, “newness” and built-in or planned obsolescence are major drivers.  “Permissionless innovation” is held out as a defining principle. All this can sometimes get in the way of prudence. Nowhere is this better exemplified than in the case of Facebook.  It was founded around the idea that the company would “ Move fast and break things”. Apparently recently this has been changed to “The fast shall inherit the Earth”. It would be interesting for someone with the time and the inclination to count how many times Facebook has apologised for “getting it wrong”, said it is in “listening mode”, “learning” or something of that kind.

As long as companies believe it is easier and, from a business point of view, better and comparatively risk-free,  to apologise after the event if a problem is discovered than it is to get it right  beforehand we will forever be playing catchup. To some degree there will always be an element of catchup but it feels as if there is  currently a  gaping chasm. It needs to be narrowed, even if it cannot be entirely and permanently bridged.

Duty of care

Under our general laws of negligence everyone is under an obligation to take reasonable care in everything they do but in the technology space a great many factors militate against individuals in the UK  being able to bring enforcement actions, mount claims for damages or require companies to improve their safety performance. For this reason there may be some value in explicitly establishing that all businesses operating in UK markets  have a duty of care to children and that prior to any product launch or revision of terms and conditions of service which will apply or be available in the UK they are obliged to consider the child safety and child welfare aspects of their proposed action and maintain documentary evidence that demonstrates  this has happened. In appropriate circumstances, such evidence could be called upon by a new regulator (see below). A breach could be the subject of a substantial fine or other penalty.

A whole new world is approaching rapidly

Right now we stand on the edge of a major step change in the technological space. It builds on what has gone before but appears to promise a qualitative shift of substantial proportions. Advances in Artificial Intelligence (AI), in the emergence of an algorithmic world, the growth of the “Internet of Things” (including toys)  and in particular the development of Augmented Reality and Virtual Reality applications and associated hardware, are taking us towards a tremendously exciting future but it is completely beyond the scope of a body like UKCCIS even remotely to contemplate being able to maintain any sort of credible or useful public interest oversight. I am not saying I am against us trying but we shouldn’t misrepresent what we could reasonably hope to achieve.

The question of age

In respect of a hugely important set of issues which arise in relation to the implementation of the GDPR, it is acknowledged that the Office of the Information Commissioner will be in the driving seat. There is nevertheless the key question for Parliament to resolve, presumably on a motion to be tabled by the Government,  of what the lower age limit is to be i.e. at what age can a child decide for themselves whether or not to hand over personal data to commercial and other third parties providing Information Society Services? If such a motion is not decided by Parliament ahead of May 2018, we will default to age 16.

Thus, if the UK is to depart from the de facto current standard of 13 a great deal of re-writing and re-consideration of all sorts of things will need to happen so, clearly, the sooner everyone knows the longer-term position the better it will be for all concerned.

A related question is how and on what basis the Government will decide what recommendation to place before Parliament about the age limit? What consultation will there be and with whom? Will children themselves be able to have a say? Is there any research evidence which strongly points in a particular direction in terms of the optimal lower age limit? I know of none. Back in the 20th Century, when the Americans came up with 13, social media sites did not exist, or at least not in anything even remotely like they do today.

Has any consideration been given to the online safety and other implications of different countries having different lower age limits?

The role of industry – an obligation to act

 If we are not already there I think we are coming close to the end of the road with the way online child safety policy has been formulated, implemented and monitored hitherto in the UK.  The major social media platforms play a pivotal role in the lives of our children. In that regard, they are in a monopolistic or near monopoly position. Yet there is an almost complete lack of transparency in respect of the way in which  they operate in relation to children’s safety. Quick to say sorry, slow to reveal. It is true we know they do some excellent work in relation to child abuse images and detecting paedophile behaviour but there is a lot more to online child safety than that. Bullying and children’s concerns about inappropriate content also loom large.

How much do these businesses spend on child safety as opposed to, say, lobbying and corporate hospitality?  How many people do they employ in carrying out moderation as opposed to government relations? Wouldn’t knowing that give us some idea of the real priority attached to child safety?

Late last year the Children’s Commissioner for England asked Facebook and Google a number of questions about children’s use of their service and they both declined to reply. This has happened before, at least in respect of Facebook. A few years ago, at the end of several months of discussion and negotiations with the UKCCIS Evidence Group, Facebook finally said (paraphrasing) “We will not give you any information we are not legally obliged to publish. It could be commercially sensitive and we have to take account of things like the rules of the New York Stock Exchange”.

A new regulator

We need a body with legal powers to compel online businesses to answer questions which are relevant to determining how they are addressing online child safety issues. In the face of evidence that things continue to go wrong we cannot forever be asked to take everything on trust.

Such a body could also play a role in developing and keeping under review the broader and emerging online space in respect of the online child safety agenda. It could perhaps replace  some or all of the functions of the UKCCIS Executive Board and become a new, well-resourced, independent focal point for online child safety with the capacity and the obligation to keep tabs on new and emerging technologies specifically in the context of online child safety.

This regulator could issue codes of practice which would have legal force, establishing standards against which businesses are held accountable. In lots of ways the internet industry has matured. It has become central to the way modern societies work. It cannot expect to be left outside the same sort of oversight rules that apply in practically every other area of importance in our communal life. “Internet exceptionalism” is an idea whose time has not come.

When the last Government asked Ofcom to enquire into the operation of the “Big Four’s” filtering policies Ofcom merely asked the ISPs to provide them with information. Ofcom did not seek to verify the information it was given, neither did it try to determine if it told the whole story. Ofcom did not seek to explain why there were differences in outcomes as between the “Big Four”. This is not satisfactory but it was all Ofcom felt it could do given it had no legal powers to do more.

Preserve the immunity but narrow its scope

Microsoft recently confirmed that it was only aware of around 100 businesses and other organizations (this included law enforcement bodies) worldwide that were availing themselves of their (free) PhotoDNA technology for fighting against the distribution or storage of child abuse images on their networks or services. A depressingly low number.

To combat this degree of lethargy or apparent indifference we need to narrow the scope within which the principle of immunity under the eCommerce Directive can be maintained. In other words, while leaving the overriding principle of immunity intact – it would be wrong for anyone to be held liable for something where they had no knowledge of it – we should nevertheless institute a new law or rule which says, having regard to available technologies, online businesses  must take all reasonable and proportionate steps to ensure their networks or services are not being used for unlawful purposes and also shows that they are taking reasonable and proportionate steps to enforce their own Terms and Conditions. If Ts&Cs can be published but there is zero serious effort to ensure they are honoured it is tantamount to being a deceptive practice. Relying so heavily on users reporting breaches isn’t working well enough. I understand that AI is seen as being a possible route to salvation. Let’s hope that works – and quick.

The current principle of immunity was first introduced in the USA in 1996 and taken up in Europe in the eCommerce Directive of 2000 in order to protect fledgeling businesses from being sued while they innovated in good faith. It, has, however, become an alibi for inaction, a refuge for scoundrels. So far from being fledgelings some online businesses are now fully grown condors.

Even new start-ups are acting in an environment which is completely different from that which prevailed in the mid-to-late 1990s and the early part of “noughties” when several of today’s giants began their lives. That said it should still be recognised that we expect more of larger companies than we do smaller ones. Proportionality matters. Small businesses deserve more protection from liability than large ones, providing such latitude is not abused or interpreted as giving them a licence to be reckless or not care at all.

The international dimension

 The UK Government, rightly, is widely acknowledged to be a global leader in the online child protection space as evidenced, for example, by its role in establishing and funding the WePROTECT Global Alliance. I think there would be some value in having, say, an annual report on the activities undertaken by the Alliance, detailing progress.

HMG also participates in major internet governance institutions such as ICANN and the IGF where, again, an annual report may be both valuable and interesting. I think this is especially true in respect of ICANN whose performance in respect of online child safety has been somewhere between woeful and outright neglectful or positively dangerous.

Posted in Advertising, Age verification, Default settings, E-commerce, Facebook, Google, ICANN, Internet governance, Microsoft, Pornography, Privacy, Regulation, Self-regulation | 1 Comment

Pornography, age verification and related matters

At the end of February, the Government announced that sex education was to become a compulsory part of the national curriculum. Apparently, among other things,  sexting, self-generated images and the harms associated with pornography are to be addressed within the new arrangements that schools will be making.

Yesterday evening the age verification part of the Digital Economy Bill received its final outing in the House of Lords so I think we can confidently say we have reached an important point of inflection. The government deserves to be congratulated for moving forward on both fronts in step in this way.

When, exactly, the age verification law will come into effect has still to be determined and it is also the case anyway that because the Lords changed the Bill it has to go back to the Commons to see if they agree. I think it is likely they will but unless and until that has happened we should all keep the champagne on ice.

In relation to the age verification provisions, it will, of course, be vital to monitor the efficacy of the new arrangements. As the various clauses came under intense scrutiny in the Lords a few rough edges were revealed in terms of the definitions to be used in relation to the sorts of material which the Regulator ought to disallow on a site that wants to be accepted as being an age verified site.

However, in responding to various points coming from the opposition parties the Minister made two telling comments:

  1. We absolutely do not intend to create a regime that unintentionally legitimises all types of sexually explicit content as long as age verification controls are in place. We are most definitely not saying that material not allowed under other legislation is allowed if age verification is in place.

    That is why (we make) it absolutely clear that content behind age verification controls can still be subject to criminal sanctions provided by existing legislation.

  2. But we concede that there is unfinished business here. Having protected children, we still need to examine other online safety issues ….. my department is leading cross-government work on an internet safety strategy that aims to make the UK the safest place in the world to go online. 

The Minister, not unfairly, made the further observation that the prime focus of Part 3 of the Bill had been to achieve a higher degree of online child safety by establishing an age verification regime for commercial pornography websites. This is a world first for a liberal democracy and goodness knows there is much that needs to be done to get it all working properly and in a privacy-respecting manner.

It was never envisaged that the Bill was to be a trigger for a wider debate about what sorts of pornography are more or less acceptable, whether being viewed by children or not.  But just because children cannot view certain types of material, because they are behind an age verification wall, it does not mean that its continued availability to adults does not constitute a threat to children. Such material might encourage, promote or appear to legitimize or condone  harmful behaviours which either directly or indirectly put children at risk. That was most certainly the view expressed by several Peers who tried, unsuccessfully, to get the House of Lords to adopt a more expansive remit. Nevertheless, in the cross-government exercise to which the Minister referred perhaps these matters can be looked at with a view to bringing in new legislation if necessary.

However, to return to the Minister’s remarks about  ….We are most definitely not saying that material not allowed under other legislation is allowed if age verification is in place.

Does this mean that if the Regulator finds any such material it must require it to be removed? It would look very odd indeed, would it not, if a web site owner were ever charged with breaking the law for publishing material found on an age verified web site when that same site had been given the green light under a system ushered in by an Act of Parliament? Hey ho. It all adds to the gaiety of the nation.

Posted in Default settings, E-commerce, Pornography, Regulation, Self-regulation, Uncategorized

Stockholm Syndrome and the internet

Stockholm Syndrome describes how hostages can eventually come to adopt the values or point of view of their captors.  Having just returned from ICANN 58 in Copenhagen I am convinced there is a lot more of it about than I had suspected hitherto.

Where else could you hear someone say? “Shame we couldn’t sort this out here in Copenhagen.  The agenda just got super-squeezed. Let’s try and do it in Johannesburg.”

Yes. Johannesburg is where ICANN 59 will be held but via matter-of-fact, deadpan statements of this kind it’s made to sound like we can all just hop on a bus tomorrow morning and meet round the corner in Costa Coffee.  Easy-peasy. What’s the flap? This is routine, ordinary everyday stuff.

But of course it isn’t. In fact “doing it in Johannesburg” means waiting three months, spending hundreds of pounds, for some it will be thousands of pounds,  and probably it requires another week of your time. You pretty much have to be a civil or public servant of some sort,  an academic with an interest in the field, work for a tech company, be a paid lobbyist or be independently wealthy and leisured to be able to be so casual about “doing it in Johannesburg”.

The process itself looks like it has become the justification for carrying on the process and a great many of the captives, not all,  are now indistinguishable from their symbiotic masters.  There is a network of working parties, review groups, committees, and so on which make Byzantium seem like a lean and mean racing machine. To any but those within the priesthood ICANN is as transparent as Mississippi mud.

Stockholm Syndrome is also the only explanation I can come up with for the following (summarised) conversations I had with a couple of perfectly decent, in fact highly agreeable and  (otherwise) extremely smart ICANN stalwarts.

Me: Seems like unless you are actually in the room and shouting, your interest will just get overlooked.  That’s not because everybody else is bad or against it, it’s just that they are there with their own agenda and there are limits to how far, out of the kindness of their hearts, they can deviate from that to help out on an issue  not front and centre for them or rather not front and centre for whoever is paying for them to be there.

One of the Other People: (OTOP) That’s true. It’s just how things work around here.

Me: Writing and submitting papers, trying to connect remotely I guess can be better than nothing but it’s still second best by a long chalk. You can’t beat being in the room. Then there’s the benefits of networking and serendipity. Not possible if you’re not there.

OTOP: You got that right. It’s just how things work around here.

Me: There are clearly major child protection interests at stake in a number of the decisions ICANN’s Board takes.  Yet I struggle to see much sign that ICANN’s leadership are in the least bit interested in any of them. Look what happened with the Russian version of .kids.

OTOP: I agree but you need to get people involved  in the ICANN processes to make sure ICANN makes what you think are the right decisions.

Me: The children’s groups are working in all sorts of ways helping all sorts of needy children and their families so you are saying I need to get them to divert their attention from those matters to help ICANN do the right thing by children?

OTOP: Yes

Me: Many of the children’s organizations are struggling as it is. We’re not like the banks, insurance companies and pharmaceuticals people who have money coming out of their ears to hire lawyers, lobbyists, staffers and who knows who else to do the needful to make sure their interests are properly safeguarded within ICANN e.g. by going to all the meetings, reading the papers and tracking all the things that are going on.

OTOP: Well it’s just how things work around here.  Many people who participate in ICANN are volunteers.

Me: Really? I’m sure I saw at least one report showing that, in fact,  a very high proportion of people who took part in the policy-making bits of ICANN were actually paid in one way or another by a business or organization with a tech interest. 

But anyway  are you saying that bad decisions can be taken by ICANN simply because children’s advocates cannot afford to come to all these meetings or find the volunteers or other resources to participate in the extremely lengthy processes ICANN has established?

OTOP: That’s possible I suppose.

Me: Doesn’t that mean this is a bad system?

OTOP: Well that’s how it works around here.

Me: ICANN has a duty of care to children. It should not leave children’s safety to chance. It should be part of ICANN’s mission as an institution to ensure, at the very least, it does no harm to children and I might even hope for a more positive attitude.

Meanwhile ICANN’s paymasters continue to prosper.

 

Posted in Default settings, ICANN, Internet governance, Regulation, Self-regulation

A ridiculous state of affairs

Back in 2004 BT surprised the world when it announced Cleanfeed, a mechanism for restricting access to urls known to contain child abuse images. Not long after that Pennsylvania wanted to mandate local ISPs to deploy filters. One of the free speech groups opposed this and took the State to Federal Court.  Part of the group’s  objection was that filters tended to overblock so there was a risk of unintended, unwarranted  and therefore unjustifiable censorship.

However, the whole point about Cleenfeed was its pinpoint accuracy. It could block the identified url with no danger of overreach. The Attorney General of Pennsylvania had heard about  Cleanfeed and asked BT if it could have a copy of the plans to produce in court to prove how blocking could be achieved without any injury being done to legitimate free speech interests. BT declined to co-operate on the entirely understandable grounds that publishing the technical details of their scheme in open court would simply help the wrong people find ways around them (even quicker than they were likely to do anyway). The Attorney General’s office contacted me to see if I could get BT to budge. I couldn’t. Pennsylvania lost the case.

It has happened again.  FBI agents have found a way to disentangle the TOR network to identify individuals who were swapping or downloading child abuse images. They brought a case against Jay Michaud and at first instance secured a conviction.  However, in an appellate court the judge asked the FBI to show how they had obtained their evidence. The FBI will not do that so they have dropped the action.

I fully appreciate the dangers of justice going behind closed doors but, equally, there should be scope for prosecutors to disclose their methods to an appropriately qualified, sceptical judge i.e. one with technical knowledge or one who has technical knowledge readily available to her or him. After all, the only point at issue is whether or not the chain of evidence holds up to prove beyond all reasonable doubt that it was the accused and nobody else who did the particular acts and that the evidence has been properly obtained.

Bad hackers and other crooks will do quite enough damage without the courts giving them a helping hand.

Posted in Child abuse images, Regulation, Self-regulation, Uncategorized

The GDPR lands in the UK

In January the UK’s data protection authority –  the Information Commissioner’s Office (ICO) – issued its first formal account, an overview, of how it was interpreting the GDPR and how it saw matters proceeding from there. I’m sorry I didn’t blog about it at the time. I missed it in amongst everything else that was going on that month.

On Thursday of this week the ICO published a consultation document on a key part of the GDPR – the issue of consent.

It opens with the definition of consent taken from the GDPR itself (Article 4, 11)

Consent is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

That should be easy then.

Anyway, the specific point about children is made in the paper on page 27

We’ll be developing further specific guidance on children’s privacy. It will include more detail on identifying an appropriate lawful basis for processing children’s data, and issues around age verification and parental authorisation. (emphasis added).

Comments are sought on the draft and the closing date is 31st March. I’m guessing that drafting the specific guidance referred to will take a little longer than that but, either way, the starting gun has gone off.

Posted in Age verification, Consent, Default settings, E-commerce, Regulation, Self-regulation

Two important new reports

The International Center for Missing and Exploited  Children has long been a key part, actually a unique part, of the global family of NGOs focusing on the eradication of child sex abuse, both generally but also very specifically within the online environment where it has zoomed in on the distribution of child sex abuse materials. In that context ICMEC has been monitoring the ways in which countries have been adapting their legislative and legal frameworks to meet the challenges of cyberspace.

ICMEC’s first report on the state of the nations was in 2006 and late last year they published the 8th edition. We see yet more progress, slow but steady. 127 different nations have “refined or implemented new anti-child abuse images laws since 2006”. I have no doubt at all that the mere fact ICMEC is on the case provides a significant incentive for some governments to get their act together because they do not want world opinion to mark them down as backward or indifferent towards the protection of children.

The 8th edition reports that, out of the 196 countries surveyed (the full membership of the United Nations) 82 have “sufficient legislation” to allow for a good enough or adequate national framework. In 2006 (on a slightly smaller number of countries) the number was 27. Whereas in 2006 95 countries had “no legislation at all” specifically addressing child abuse images, by 2016 this was down to 35. However, 50 countries still do not criminalize the knowing possession of child abuse images, regardless of the intent to distribute. Clearly there is a great deal still to do.

The second important report also comes from ICMEC. Entitled “Framing Implementation” it recognises that having the right legal framework is a  necessary  condition but it is not in itself sufficient.  What counts is what happens on the ground.

ICMEC’s starting point here was the 161 countries which, in November, 2015, reported they had anti-child abuse images legislation in place. ICMEC devised a 7-point standard to allow them to form some sort of judgement as to whether or not individual countries were seriously engaged. The results make interesting reading. For example  51 countries say they have no reporting mechanism for addressing child abuse material to the proper authorities and 50 countries reported that they provided no services for victims. I repeat: there is still a great deal to do.

Posted in Child abuse images, Regulation, Self-regulation

A Disgraceful Dereliction of Duty

ICANN is the global ruling body for the worldwide web. It is an independent organization but every government in the world, including the UK’s, can influence its decisions through something called the Government Advisory Committee (GAC). The Brits have been particularly active on the GAC yet when it came to sticking up for children’s rights and children’s  interests, in a particularly important instance we had almost zero impact.  ICANN went ahead regardless. Maybe it’s time to review the level and nature of our engagement with ICANN. Sad to report the Economist Intelligence Unit (EIU) appears to have been a willing accomplice in ICANN’s disgraceful dereliction of duty in the case stated. How? Why?  Read on.

The Domain Name System

One of the things ICANN does is decide on domain names. A domain is signified by the letters immediately to the right of the dot as in “.com.” Ultimately ICANN makes the bulk of its money through the sale of new web addresses to us, the public, businesses and so on. In the jargon, we are known as “Registrants” and ICANN has an obvious interest in there being more of them.

Every domain has a “Registry”. For .uk, for example, it is Nominet. In the case of country level codes (.uk is again an example) in effect national governments decide who is going to be the Registry. For all the others – the vast majority – ICANN makes the decision, often following a competitive process that ends in an auction. One domain sold for a reported US$ 90 million and there are rumours of even larger sums in the offing. Owning a Registry can be extremely lucrative.

The law of contract rules

An entity becomes a Registry for a particular domain when it is awarded a contract to operate it by ICANN. Typically, once awarded a contract to be a Registry the Registry will then enter into agreements with potentially thousands of businesses known as Registrars who do the actual selling to Registrants.

ICANN requires the Registry to pass on certain terms to Registrars who must also pass them on to the Registrants.  The initial high-level contract between ICANN and the Registry is, therefore, crucial.  Inter alia, it sets out minimum standards for how the domain should be run. ICANN enforces its rules vis a vis the Registries and the Registries enforce theirs vis-a-vis Registrars and Registrants as appropriate. Simple law of contract.

Explosive growth in domains

Historically there were only a handful of domains e.g. .com, .net and .org but back in 2012 ICANN decided to promote a major expansion. One of the new ones it gave the green light to was “. kids”. Are alarm bells ringing in your head? Wouldn’t that be a domain that would be likely to lead to the creation of websites and services which, in turn, are probably going to have a specific appeal to or orientation towards, er, children?

No concessions to children

Clearly there is no issue of principle in relation to creating a domain for children. But perhaps, like me, you might have expected ICANN to insist that certain additional safeguards or requirements were built into the contract with whoever won the competition to become the .kids Registry? You’d be wrong.

No modifications or adjustments of any kind were made on the application form or in the associated processes to recognise or accommodate the fact that here we were pretty much exclusively discussing children. Applicants for .kids were required to submit the same information as applicants for .bank, .insurance, .pharmacy, .Wales and the rest. This is where the trouble began although that isn’t the whole story. Not by a long chalk. But first a short diversion to the immediate trigger for this blog.

A muck-up in Moscow

Who the Registry should be for .kids in the English language has still not been decided but I recently discovered that ICANN had awarded the contract to be the equivalent of .kids in Cyrillic script. It went to a Russian organization.  Phonetically the Russian .kids is called “. deeatey” (that being an approximation of how you pronounce the Russian word for “kids”).

I contacted the Russian Registry. I reproduce below the full script of the relevant part of an email exchange I had with them.

Do you make any stipulations about who may buy a .kids domain name e.g. nobody with criminal convictions, or convictions for child sex offences? And if you do, do you carry out any checks to make sure the people meet those criteria?

No.

Do you make any stipulations about who may work for a business  or organization operating a .kids domain name e.g. nobody with criminal convictions, or convictions for child sex offences? And if you do, do you carry out any checks to make sure the people meet those criteria?

No

The Economist Intelligence Unit blunders in

I haven’t been able to determine when, exactly, the Russian  .kids contract was awarded. The timing could be important. Enter the EIU.

How does the EIU get mixed up in this? In relation to .kids in the English language, there were three bidders to become the Registry: Amazon, Google and a children’s charitable organization in Hong Kong. Under ICANN’s complicated rules the charity’s application was separately assessed. Rather than ICANN doing the assessment itself, it paid the EIU to look at the papers.  Now I have been in the online child protection, child rights, child welfare space for quite a while and I have never heard the EIU mentioned in that context. Not for anything. Not once.

I asked the EIU if they had anyone on their staff with any expertise in children and the online world. They refused to answer on the grounds of client confidentiality. I’m guessing that’s a “no” because if they did have access to such a resource they would simply have said “yes” or something approximating to “yes” or they could have left some doubt as to whether or not the answer might be “yes”. Alas that was not the case despite the fact that, elsewhere, ICANN insists all processes should be “transparent”. Perhaps that should be corrected to say “transparent except where the transparency might cause embarrassment.”

Now, of course, it is true that the Russian Registry could have chosen to set its own detailed standards in relation to the matters I raised but they didn’t, whereas if ICANN had insisted they would have had no choice. If the EIU had seen the papers relating to .kids in English and had any knowledge or background in child protection it would have spotted this lacuna and drawn it to the attention of ICANN – whether it was asked to do so or not.

Thus if the EIU submitted its report to ICANN before ICANN awarded the Russian contract then the EIU must bear some of the responsibility for the Muscovite muck-up.

Horses for courses

ICANN should never have asked the EIU to look at anything to do with children and the online space and the EIU should never have agreed so to do because it is outwith their realm of expertise. Come to think of it does ICANN have any in house knowledge of online child protection and child welfare matters or ready access to such knowledge? Is that the root of the problem? If they know nothing about a subject how can they give a contract to someone else in such a way as to ensure they at least get it right on their behalf? Moreover, to go back to the matter of transparency, why is everyone reluctant to come clean about who did what for whom and when?

I have spoken to Google and Amazon. One or other is likely to be awarded the contract eventually, and, of course, they are seized of the importance of these issues and their responsibilities should they be the eventual winner. They will do the right thing. But that’s not really the point.

ICANN messed up elsewhere

In the same round in which .kids was created other groups objected to the way in which the application process did not meet the specific needs of their sector or situation. The banks, insurance companies and pharmaceuticals people spent millions of pounds and thousands of hours negotiating, lobbying and litigating to get Registry agreements that were fit for purpose. Children’s organizations do not have the money to enable them to do that. Look what happened. Children were marginalized and overlooked yet again, and perhaps put in danger as a result.

If governments cannot protect children who can they protect?

Which brings us back to the role of governments. If they cannot be effective interlocutors on behalf of children where does that leave us, and them?

Most galling of all is ICANN’s and the EIU’s arrogance in refusing to engage. They were both at fault and should feel ashamed of themselves. They had a duty of care to children and they failed to discharge it.

Footnote: there are plenty of web addresses that also pitch directly to children but do not end in .kids (in any language). Maybe logically the arguments I have set out here should apply equally to them? I have no problem with that but my rather obvious point is in this instance ICANN itself is proposing to intervene directly by promoting the creation of a wholly new space which is almost entirely about children.

 

 

 

 

 

Posted in Default settings, E-commerce, ICANN, Internet governance, Regulation, Self-regulation | 1 Comment