When the law fails

Is it possible to discuss the internet as if it was an experiment? Can we look at some or all of it or are we to believe that, for example, when the Communications Decency Act 1996 (CDA) was passed by Congress and signed into law by President Clinton that everyone involved had a perfect, or even a very good, understanding of what was likely to happen?

I ask because I have just watched the movie “I am Jane Doe” on Netflix. This is about Backpage, an advertising web site that had been instrumental in facilitating the pimping and sex trafficking of an unknown number of children within the USA. Yet even though there was clear evidence of the site helping disguise the true nature of the ads they were very profitably publishing, s.230 of the CDA provided an impregnable legal shield.

Backpage appears finally to have ended that aspect of their operations but it looks as if this was largely because of political pressure with no thanks at all being due to the law. The law stepped in to find a way to protect the wealthy owners of Backpage. It couldn’t find a way to bring relief to children. Shame on the law.

It is very hard for me to believe the 1996 legislators (or the First Amendment legislators for that matter) could have foreseen and intended to make it easier for children to be raped 20 times a day, as was the case with one of the victims who appeared in the film. On the contrary. If the 1996 legislators had had even the faintest inkling that their good intentions could be twisted or perverted in this way they would almost certainly have gone to considerable lengths to expand the number of exceptions or qualifications.

We have to be able to do better than this. Yet bodies like the Electronic Frontier Foundation argue

Any changes to Section 230 itself, to make it easier to impose liability on companies for user-generated content, would be devastating to the web as we know it—as a thriving online metropolis of free speech and innovation.

And there we have it. If we try to make it easier to protect children jackboots will soon be marching down Main Street.

I think I can say without reservation or hesitation that the courts can be trusted to distinguish between free speech and innovation on the one hand and child sex trafficking on the other, but s.230 puts up a roadblock.

The Foundation goes on to say

Section 230 “is not some clever loophole” but rather “a conscious policy decision by Congress to protect individuals and companies who would otherwise be vulnerable targets to litigants who want to silence speech to which they object.”

There is a one-word answer to that: baloney. There is no right of any kind to promote or use loopholes of whatever sort to sell children into sex slavery. Wringing your hands, shrugging your shoulders and saying how much you regret that this happens as a result of s.230 or the First Amendment is pitifully inhuman. It must be within the bounds of possibility to devise a form of words that protects free speech, innovation, and children.


More warnings about the Internet of Toys

On Monday the Financial Times carried a report of a new warning from the FBI about the dangers to children and young people arising from

Smart toys made by a slew of companies …increasingly incorporating technologies that learn and tailor their behaviours based on user interactions…

These features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.

Information such as the child’s name, school, likes and dislikes, and activities may be disclosed through normal conversation with the toy or in the surrounding environment.

The collection of a child’s personal information combined with a toy’s ability to connect to the Internet or other devices raises concerns for privacy and physical safety. Perhaps even more worrisome to parents, the potential misuse of sensitive data such as GPS location information, visual identifiers from pictures or videos, and known interests to garner trust from a child could present exploitation risks.

The answer to this, and our call, has to be Safety by Design, Security by Default (SDSD). A neat strapline but how do we transform it into a concrete reality?

The FBI say

Parents should examine toy company user agreement disclosures and privacy practices, and should know where their family’s personal data is sent and stored, including if it’s sent to third-party services.

That sounds remarkably like the advice we get on everything. It is good advice but not good enough. Consumers, parents, and children need an interlocutor to act on their behalf to ensure that appropriate standards are in fact being met without requiring anyone to get out a magnifying glass to read the small print.

I am sure the big toy brands will be thinking about this very deeply. The risk, as ever, is that a small fly-by-night outfit – invoking the name of the god of innovation – will rush to bring something to market, make a ton of money in a very short space of time thanks to clever marketing, then something dreadful happens because they haven’t paid enough attention to the security features. A child or children are seriously hurt and the whole market in connected toys takes a major hit. Maybe the well is poisoned for a very long time. We’ve already been perilously close to such a scenario.

There is an EU Directive on Toys from 2009 and it does include references to computers, games consoles and the like but as far as I could see it does not mention the internet or privacy. Maybe this needs updating, or perhaps the GDPR provides a sufficient legal basis. Either way there also needs to be a link to something like the CE marking regime so that parents and children have a ready way of knowing that what they may be about to buy or use meets certain basic standards.


As I would have said….

Yesterday I appeared on BBC Radio 4’s “World at One”, the current affairs lunchtime slot. If you download the podcast you’ll find the interview starts at 36 minutes and 55 seconds.

Why was there a story in the first place? That was because yesterday the Government, in the form of Matt Hancock, announced the formal commencement of the Digital Economy Act, 2017.  Bravo! Hancock suggested the age verification elements will be up and running by April next year. That sounds a tad ambitious but let’s hope it’s right.

I was on the BBC to discuss the age verification part of the Act, debating with a representative of the Open Rights Group (ORG).

I am glad the ORG exists. There is no doubt they do valuable and important work, campaigning to safeguard our civil liberties and freedoms across a broad front. I was delighted to hear them say they have no objection in principle to the idea of age verification being used for the purposes of protecting children. This would have been a little more convincing if, from the moment the Bill was published, the ORG had not opposed anything and everything to do with the idea.

I have no complaints whatsoever about the interview on the BBC. It was absolutely fine. It was, however, quite short and a few people who listened in have asked me if I could respond to some of the points that could not be covered fully in the time available. I will do this in the form of bullet points rather than a discursive essay.

  • “Educating children about pornography and putting it in context as part of a wider discussion of relationships is better than throwing technology at the problem”.
      • It is ironic that in relation to the internet – this supremely technical environment which has facilitated if not created the difficulty to begin with – the idea of using technology to solve it is a no-no.
      • However, it is not a binary choice. Educating children and young people about sex, sexuality and relationships has always been important and, if anything, the arrival of the internet has made it even more so. For this reason, I very much welcomed the announcement earlier this year that sex education is to be made a compulsory part of the national curriculum. But you cannot “educate” a 9-year-old girl out of the horror of witnessing or being exposed to some of the stuff that is readily available on many of the sites that will be caught by the Digital Economy Act.
      • Thus, here we will be seeing and testing the extent to which technology can contribute to dealing with the problem. If innovation is the life force of the internet why can’t we innovate here?
      • Very similar arguments were made against the introduction of online age verification to deal with gambling web sites. Guess what? The legislation has worked extremely well and the gulag remains on the far horizon. Kids can no longer just tick a box to say they are 18 then go on a web site and blow their pocket money on the horses.
      • And to say that the porn sites are “free” and therefore the analogy with gambling doesn’t work is nonsense. The so-called “free” porn sites – which are the biggest problem – are highly commercial operations. People just pay in a different way.
      • I cannot think of a single large publisher of porn who has ever said they want children to be able to see their stuff, or even that they don’t care one way or another. It’s just that, as with online gambling, until the law required them to do something concrete to keep kids out few of them did.
  • It was said that “MindGeek” – the biggest porn business on the planet – will be collecting personal data on millions of people and it could be hacked, thus revealing information about an individual’s sexual preferences, exposing them to blackmail and so on. In addition, this data can be sold to third parties and exploited in any number of other unsavoury ways – presumably without the informed consent of the data subject.
      • First of all, any business of any kind operating within the UK will have to comply with our privacy laws. This means everything stated as a threat or a worry in the previous paragraph would be illegal and our data protection authority could go after them. I am therefore disinclined to believe that MindGeek would behave in that way; this was just empty scaremongering.
      • However, my guess is individual porn companies will find it hard to persuade would-be customers that handing over personal data of any kind to them is a good idea and what will emerge are trustworthy third parties, backed by or involving highly reputable companies, who will undertake the age verification task. And remember, unlike with gambling, where anti-money-laundering rules also apply, here the only thing a porn site needs to know before it admits you is “have you been reliably verified as being over 18?” The site doesn’t need to know your name, your actual age, address or indeed anything else. So the truth is this measure could be privacy enhancing for a great many people who want to view porn. I am sure the government did not intend to help the porn industry in this way but hey.
      • If someone chooses to buy something from a porn site and they have to hand over their credit card details then that is a matter for them and it is outside the scope of the Digital Economy Act (although not the privacy laws).
  • Technical measures could be used to circumvent the Act e.g. VPNs, proxies and Tor.
      • Similar arguments are used against any kind of filtering. You hear people say “kids are smart they can get around anything”. The implication being there is no point trying so let’s just leave things the way they are. Cui bono?
      • It is true – kids are smart – but the overwhelming majority of children and young people do not seek to evade filters and other protective measures. Certainly, as they get older, more may give it a go but even here most young people recognise and respect boundaries of this kind. Moreover, if someone were to use a VPN, a proxy or Tor they would hardly be able to claim subsequently that they had got into the porn sites by accident or casually. This alone will act as a restraint. These alternative routes typically require more than a little technical knowledge, application, and patience.
  • My three final points:
      • Our law has established a new normative standard. We are saying to pornography publishers that, actually, it is not OK for you to just put stuff out there, profit from it and take no responsibility for keeping it away from audiences who you say you don’t want and who do not have the maturity to process or deal with it, with potentially very harmful, lasting effects. Even though filters are or may be in widespread use you, as a porn publisher, have to do your bit to help. It’s now part of the cost of doing business in the UK.
      • The adult world (that’s us) has for a long time said to children and young people: stay away from porn, it is unrealistic, it is disrespectful of women, it is violent and damaging, and so on. But actually we made no real attempt to put up any kinds of barriers to show we were serious about it. Policies such as those embodied in the Digital Economy Act, 2017 show we mean it and we are going to try to make it stick, just like we have done or are doing in other areas e.g. in relation to copyright theft, terrorism and child abuse images.
      • The internet can claim no special privileges. If something is wrong or prohibited in the physical world then, as near as we can, it should also apply online, otherwise the one undermines the other and in the end renders it meaningless.

No need to feel powerless

When people ask me what I do I often say I see my role as convincing others there are things that can be done to make the internet a safer and better place. We need to learn from each other, pay attention to the research, refuse to be dazzled by the headlights and speak truth to power. You don’t have to know what a TCP/IP stack is to know something is good or bad, right or wrong. Whatever humans have made can be unmade or altered. Our job, as advocates, is to find ways to mobilise the necessary forces to bring about progressive change.

However, if I did have a little, perplexed wobble of late it concerned the emergence of cryptocurrencies and the blockchain. I can see their potential to do many good things but how on Earth would we address them when deployed on the dark side? Thankfully the International Center for Missing and Exploited Children has rescued me and brought me towards the light.

In “Cryptocurrency and the block chain: Technical Overview and Potential Impact on Commercial Child Sexual Exploitation” the following appears

…..this report is meant to provide….. a primer on cryptocurrencies such as Bitcoin, Ethereum and Monero, as well as their underlying technologies, and the implications of these technologies for commercial child sexual exploitation. It is intentionally written in informal and non-technical terms in order to provide a basic background in this rapidly-advancing and technical field, and assumes that most readers have limited or no familiarity with the inner workings, risks, benefits and implications of cryptocurrency.

For which we are all truly grateful.

And here is the good news

.…. the utility of Bitcoin and its even-less-widely-used cousins is still quite limited outside the borders of the Bitcoin universe. This means that, sooner or later, many users will attempt to spend their bitcoins with a mainstream online or brick-and-mortar merchant that accepts them, or convert them into more easily-spent (currencies) such as dollars or euros. At these connection points between the Bitcoin universe and the “real world,” there is an informational and investigative choke point that can reveal or point the way toward the one key datum not available from the blockchain: the user’s identity. These chokepoints should be seen as a key opportunity for the investigation and prosecution of child exploitation that involves the use of Bitcoin and the blockchain.

With this reassuring ending

Cryptocurrencies do make the job of battling commercial child sexual exploitation a bit different and a bit more challenging than in the past, but the same was true of e-Gold, PayPal and a dozen other payment systems when they first emerged. Some, like e-Gold, fought the law, and the law won. Some, like PayPal, aggressively took the fight to offenders and are now recognized as world leaders in this effort. If leading organisations continue to engage with the industry…. there is absolutely a body of data, tools, expertise, goodwill and willing volunteers that can continue to bring the fight to abusers.



Definitions of pornography to be debated

On Monday Baroness Howe published details of her latest legislative assault in defence of children. It takes the form of the Digital Economy Act 2017 (Amendment)(Definition of Extreme Pornography) Bill and is accompanied by a rather full explanatory note in the form of a blog which I commend to you.

As Lady Howe tells it there would have been no need for her new Bill if, during the last Parliament, the Government had stuck to its guns with the original version of the definition of prohibited material. But they didn’t.

There is no doubt matters got heated and confused towards the end of the previous discussions. How anyone could have thought there was even a possibility of anything in the (then) Digital Economy Bill cutting across the role or functions of the IWF is beyond me but when the General Election was called any possibility of resolving the issue satisfactorily flew straight out of the window.

Quite what will happen to Lady Howe’s new Bill as such we can only guess at. With the upcoming Internet Safety Strategy Review, the Digital Charter and all points North, South, East and West, not to mention Brexit, GDPR and the AVMSD we are all in for a busy time. However, in one form or another, the issues raised will have to be addressed so the sooner we do that the better it will be.

In her blog Lady Howe specifically refers to the issue of Computer Generated Images (CGI). Having seen some CGI in a war game recently I was absolutely convinced the characters were being played by human actors. They weren’t. They were CGI. Add to that the improvements in Augmented and Virtual Reality and we can see where the next wave of threats is coming from. We need to be ready yet, as of now, if these sorts of materials are housed on servers based overseas, for practical purposes nothing happens to them. They remain fully accessible within the UK. That is wrong and we need to put it right in the months ahead.




Neutrality? Er…probably

I support the protests being mounted today against proposed changes to the net neutrality rules in the USA but pardon me if I do so with an ironic smirk.

So here are a number of fiercely capitalist enterprises complaining about allowing the price mechanism to determine the sort of internet access an individual consumer receives. Markets don’t always know best or produce the best results? Who knew? This is Bolshevism. Where will it all end?

And, of course, when the EU addressed net neutrality it sought to ban businesses from managing traffic to shield children from inappropriate content.

As they might have asked in Judea: “What has net neutrality ever done for us?” Allowed the internet to become dominated by a handful of winner-take-all monopolies who are now worried that access providers could undermine their current dominance. To do so in the name of protecting the interests of small businesses sort of wins a prize. For what exactly I haven’t yet decided. Chutzpah maybe? Answers on a postcard please.


GDPR update on Article 8

Poland’s and Sweden’s Data Protection Agencies are both recommending 13 to their national Parliaments. Final decisions not taken yet.
