Problems with consent

Elizabeth Barrett Browning wrote a wonderful sonnet which opens with this famous line

“How do I love thee? Let me count the ways”

She then lists eight or nine.

Here is the Oxford English Dictionary definition of “consent”

Permission for something to happen or agreement to do something.

I tried to concoct a Browningesque rhapsody to consent but my muse deserted me. Instead, as I often do at such moments, I turned to the GDPR. When describing the lawfulness of data processing, in Article 6 there appear to be three different sets of words in play, all of which describe what is essentially the same thing, namely

Permission for something to happen or agreement to do something.

Common or garden consent

Article 6(1)(a) refers to situations where the data subject consents to their data being processed. No issues there. A widely and well understood idea. Elsewhere there are references to informed consent but that is really only a way of emphasising what is anyway implied. However, Article 6(1)(a) also has an important tie-in with Article 8.

Under the GDPR a child is anyone below the age of 18 but Article 8 lays down conditions which may apply to children aged 15 or less. Here, in a given country, if 6(1)(a) is relied upon the only consent that may actually be required is that of the child’s parent or carer. Such consent must be verified. Expensive? Messy. Troublesome, although some would say not a bad thing because it seeks to engage a parent or carer in their children’s online life.

Only in those countries that have adopted 13 as the minimum age is there no prima facie reason to obtain the consent of a parent or carer. The UK is one of those, along with nine others e.g. Denmark, Sweden, Estonia and Poland.

Contracts

Article 6(1)(b) refers to contracts or steps taken preparatory to entering into a contract. As far as I know in every jurisdiction consent is an essential component of a contract. In fact in some contexts the words “consent” and “contract” can be interchangeable.

The striking thing about using 6(1)(b), however, is that it allows the company to sidestep the necessity to obtain parental consent, verifiable or otherwise.

It also opens up the intriguing possibility that if the service on offer does not specify a minimum age or, even in a “13 country” like the UK, if the minimum age stated by the service is below 13, which it could be for any service that is not US-based, any child with a way of paying could properly engage with the service without even a theoretical GDPR legal requirement for there to be any form of involvement by the parent or carer.

There are other aspects of using 6(1)(b) which raise interesting questions. These are discussed below as a footnote.

Legitimate interest

Article 6(1)(f) refers to situations where the company judges it has a legitimate interest in processing your data and it simply asks you to agree to their stated terms as the basis on which the service is offered. Note that word. “Agree” is a synonym for “consent” according to the English language’s most authoritative source.

Again the notable consequence of using 6(1)(f) is that it, too, allows the company to avoid having to seek the consent of a parent or carer. While US companies appear always to be governed by their own COPPA law, which establishes 13 as a floor, non-US companies have no such constraint.

Facebook have used legitimate interest to create what is, in effect, a whole new class of membership – one that does not ask a parent or carer to agree to anything.

Narrowing the scope for parental engagement

On one reading of children’s rights it is possible to see how, where legitimate interest or contract are the basis for data processing, children are being given greater agency but I have yet to hear a company argue that as a reason for going down either of those paths. That is probably wise because most people will see it as an undesirable, even surprising, route by which businesses are allowed to reduce the scope for parental involvement in the online lives of their children.

To put that slightly differently, I doubt many people will readily believe that online businesses were intentionally striking a blow for children’s rights when opting for legitimate interest or a contract as the basis of processing children’s data.

Ambiguity as irony

The simple truth is Article 6 delineates three different types of consent and anyone who wishes to argue otherwise has to embrace a series of linguistic contortions. Am I alone in thinking there is something mildly ironic about this in an instrument that enjoins the rest of us to use clear and accessible language?

Do we have a hierarchy of consent from a child protection perspective?

Is it the case that under 6(1)(a), (b) and (f) the child should receive an identical and high level of protection? I raise this point in part because in (f), uniquely, the data controller needs to consider whether anything they are doing could

(override)…. the interests or fundamental rights and freedoms of the data subject…. in particular where the data subject is a child.

Every data controller is required to carry out a risk assessment for every part of their data processing activities but as far as I can see where legitimate interest is used as the basis of processing data the burden placed on the data controller to “get it right” is higher.

If that is a correct reading of the regulation could someone explain what is the justification for having lower child protection standards which apply to the other two categories? Why is it that the GDPR only requires parental consent in one out of the three methods by which a child can engage with an online service? What was the thinking behind that?

And is it allowed for a company just to say they are using all three bases allowed in Article 6, without being more specific than that? Don’t they have to explain what the legal basis is for them processing your data? Can they just say “here is a list of laws which allow us to process your data but we are not sure, or we are not going to tell you which one we are using to process this particular piece of data?”

Is consent all it is cracked up to be anyway?

Lots of people in the privacy community argue that consent has been hugely abused by commercial entities. It sounds great – who could be against asking for someone’s consent in respect of anything which affects them? However, the argument goes that “consent complexity” and “consent fatigue” have actually made “consent” a refuge for scoundrels. Look at the number of fifty thousand word Ts&Cs in dense legalese that no one does, and very few can, read or understand. The GDPR is an attempt to smoke out these scoundrels. We will see in the coming years how well it succeeds.

Thus, while of course always preserving a person’s right to object to or withdraw from all or part of a service,  or to withdraw their consent from anything to which they previously agreed, perhaps what we should be looking towards is a law, for both free and paid for services, that says companies are allowed to collect defined categories of data and they are allowed to process  that data in defined ways. That sets the default and any deviation from the default should only be lawful if the company can show it has engaged directly with the individual concerned. Tick boxes not allowed. Special attention would need to be given to the ways in which trackers and third party apps operate.

Some companies have always been transparent, some achieve transparency, the rest, the majority, have transparency thrust upon them.

Footnote

Contracts present a particular source of  potential confusion

Very large numbers of children now have their own means of paying for things, online and off, so it is wholly illusory to believe that parents are involved in making a great many purchasing decisions with or for their children.  Whether or not we wish it were otherwise is another matter. It is nonetheless the reality.

Yet if you were to ask someone if they knew the age at which a young person can enter into a contract, in three out of the four countries that make up the UK most would say 18 straight away. As far as I can tell the same is pretty much true in most EU Member States.

But in England, for example, while there are some legally binding contracts (for “necessities”) which persons below the age of 18 can enter into, most of the contracts a minor is likely to enter into online will be what lawyers call “voidable”. That means the child can enforce them if it is to their benefit but they cannot be enforced against the child. Again most EU jurisdictions have similar provisions.

Anyway my point is that the common understanding is that 18 is the age for “proper” contracts so I think many parents will be astonished to discover that the “voidable route” is being used by companies under Article 6(1)(b) of the GDPR. They will think it is a sneaky lawyer’s trick which they will resent, particularly when they learn that, in practice, it also cuts them out of a particular aspect of their children’s online lives.

I think we would all benefit from greater clarity and certainty about the scope companies have to enter into commercial relationships with minors in the online world. When we have got that perhaps we will want to amend Article 6(1)(b).

Posted in Age verification, Consent, Default settings, Internet governance, Regulation, Self-regulation

Facebook, ethics and reconstruction

At the moment it feels as if wherever you turn you come across a mea culpa ad from Facebook telling us they are getting serious about returning to their original declared mission. Lots of bad stuff they discovered was happening on their platform will either stop completely or be reduced to the greatest extent possible. This is all good news. Given Facebook’s size, importance and likely longevity it is in everyone’s interests, including their own, for them to emerge from the recent turbulence as a trusted brand. The challenge is huge but it is good that they are trying.

Linked to this reconstruction initiative, maybe as an integral part of it, I noted that, as the company relies ever more heavily on AI, they have recently established a dedicated “AI ethics team” and they are stepping up their efforts in respect of transparency.

In relation to both ethics and transparency Facebook really must find a way to incorporate an independent element – a way of reassuring a sceptical public and regulators or would-be regulators.

While big platforms such as Facebook are private companies, in our modern world they perform important public functions and therefore they must accept that their actions have to be subjected to levels of scrutiny which are similar to those of public bodies and their behaviour must conform with several widely accepted public interest norms.

Speaking of transparency and ethics

While blowing away the cobwebs the sorry saga of Facebook’s Safety Advisory Board also needs urgent attention. It is from another era. Things cannot stay as they are without casting doubt on much else. Here’s why.

In a court action in a Californian court Facebook’s lawyers described the Board as a source of “independent advice.”

In Congressional hearings the company’s Chief Safety Officer said the same thing. In numerous meetings I have attended, including recently, Facebook employees have nodded reverentially towards the Board as an important source of advice on online child safety within the company.

The implication always is the views of the Board are regularly sought and given great weight in the highest reaches of the business.

Yet we know nothing about how the Board actually functions. Why? Because everyone who is a member signs a non-disclosure agreement. Only one organization, Common Sense Media, has ever been a member and resigned. They did so precisely because they didn’t like feeling gagged or constrained.

The 800 lb Gorilla

If Facebook were some small outfit on the margins none of this would matter, or it wouldn’t matter so much. But it isn’t. Facebook is the 800 lb gorilla. What it does is hugely important, both in and of itself but also because it establishes a model others will follow. If Facebook does something, that sort of gives permission or impels everyone else to do the same. If Facebook doesn’t do it, why should they?

And then there’s the money

Aside from having signed up to an NDA, it looks like a goodly proportion of Facebook’s Safety Advisory Board also benefit financially from their dealings with the company. Whatever their protestations to the contrary this surely undermines any claim Board members or the Board itself might make about being “independent”. In the current climate one wonders why the company persists with it. It just doesn’t add up.

I leave on one side the feelings of resentment and jealousy such arrangements are bound to engender especially among those other groups Facebook talks to from time to time but never rewards financially or in any other way. The whole thing is not right and needs to be completely recast.

Look at Childnet International as an example. It has been a member of the Safety Advisory Board continuously since the Board was created in 2009.

Last year Facebook awarded Childnet £500,000 to provide an anti-bullying programme in UK schools. I am sure the project is very worthwhile but for a UK NGO, by any standards £500,000 is a gigantic sum of money. Staff salaries and the rent are covered and who wouldn’t be glad of that?

Lots of charities accept money from business, but rarely will the sums involved reach even 1% of their total revenues. In no sense could there be a reasonable perception that the charity is in any way beholden to the donor. When the amounts or the percentage get very big, that changes. When you have agreed to keep the company’s secrets for nine years on the trot and you take that amount of money………. please fill in the dots yourself.

Then there’s the US-based Family Online Safety Institute (FOSI). Like Childnet it has been a member of Facebook’s Safety Board continuously from the very beginning. Facebook clearly stands by and sticks with its friends. Like superglue. There is almost no turnover in Board membership. The only instance I found where someone, having been appointed, later ceases to be a member is the one I mentioned earlier. Everyone else is a lifer.

In the case of FOSI the financial relationship seems to be fully transparent and always has been. Facebook is a paying member of what is, in effect, a trade body. At various points FOSI has had and currently has a senior Facebook employee on its Board and our very own Lord Richard Allan has even been its Chair. Thus, as things stand, when Facebook, Childnet and FOSI are in the room, really people would be entitled to conclude the company has three votes present, not one.

Now let’s be clear – there is nothing wrong with companies seeking and paying for expert advice or asking you to undertake a project. I have worked for many different outfits over the years. I keep my CV as up to date as possible and online, covering both paid and unpaid work.

Confidentiality based on a professional relationship is widely understood and accepted but the habit of big companies flattering NGOs or individuals by inviting them in for consultations or briefings where signing an NDA is a requirement really should stop or only happen on an exceptional basis. Facebook wouldn’t expect its lawyers or accountants to give them free advice. Why should it be any different where child protection is at issue? I’m going to stop signing NDAs like that.

What is it that needs to be kept secret?

And what is it about protecting children online that needs to be kept secret anyway? Like airlines in respect of air safety I thought it was established that online businesses don’t compete on issues connected with children’s welfare.

Obviously I get that the media can sensationalise and twist things but if Facebook cannot trust people’s judgement they shouldn’t be talking to them in the first place. Asking people to sign an ostensibly binding, or at any rate an intimidating, NDA is wrong. It has certainly worked in the case of Childnet. Not once in nine years has anyone from there ever said a word or even vaguely hinted to me about what goes on at Board meetings and the NDA gives them a perfect excuse.

This kind of behaviour on the part of Facebook calls into question other initiatives where we are told the industry is “working together” to address online child safety. Working together but not talking openly together?

Shine a light

Why are the Advisory Board’s agendas not published? And minutes? Can we be told who decides what items go on the agenda and on what basis? Can and do Board Members place items on the agenda or do they only react to matters the company brings to them? If so how does the company make its choices? How many of Facebook’s most senior management team have ever attended meetings of the Board and how often?

Outside of Board meetings how is advice sought from Board members? Are there any examples of where Facebook has been deflected from a course of action because of interventions, objections or recommendations made by the Board or Board members? Has Facebook ever initiated a course of action based on an idea that came first from a member of the Board?

To go back to my earlier point, Facebook may legally be a private company but it operates in very public places. People have a reasonable expectation of transparency, maybe particularly where child safety matters are being discussed.

How do they manage the day job as well?

Given the apparently large number of people employed within Facebook on child safety related matters, how do they relate to the Board or Board members? And with the gigantic scale of operations of Facebook how the heck do Board members cope anyway? They all have day jobs. Doesn’t this arrangement invite the suspicion that the whole thing is window dressing?

If Facebook wants to continue to “reach out” in search of advice and guidance it should do so in a more credible and professional way e.g. like it does with lawyers and accountants – hire people and make it a condition of doing so that they avoid any possible semblance of a conflict of interests.

Or at the very least, as part of its transparency initiative every time it makes an award, gives a contract or provides any other kind of benefit to an NGO that sits on any of its committees or Boards or has any kind of ongoing relationship with the company the amount or nature of the benefit should form part of a transparency report.

But let Facebook have the last word

Here is an extract from Facebook’s “Code of Conduct” on corporate governance. The code applies to employees of Facebook or any of its affiliates or subsidiaries. Are Childnet and FOSI “affiliates”? Even if strictly speaking they aren’t, the logic of the code is clear.

This is what it says in the section headed “Conflict of Interests”

…..Facebook Personnel should attempt to avoid actual or apparent conflicts of interest…. For example, a conflict of interest may occur when you or a family member receive a personal benefit as a result of your position with Facebook. A conflict of interest may also arise from your personal relationship with a customer, supplier, vendor, competitor, business partner, or other Facebook Personnel, if that relationship impairs or may be perceived to impair your objective business judgment

And in the section headed “Serving on Boards and Investing in Other Companies”…..

We encourage Facebook Personnel to be active in industry and civic associations. However, Facebook Personnel who serve on boards of directors or advisory boards of any entity or organization are required, prior to acceptance, to obtain approval from the Conflicts Committee.

Any passive investment of not more than two percent (2%) of the total outstanding shares of a publicly traded company is permitted without Facebook approval, provided that the investment is not so large financially (either in absolute dollars or percentage of your total investment portfolio) that it creates the appearance of a conflict of interest. (emphasis added).

I could hardly have put it better myself. The same principles should be applied in every area of the company’s dealings.

 

Posted in Facebook, Internet governance, Regulation, Self-regulation

Establishing new international norms

I felt hugely honoured when, a couple of years ago, the Council of Europe invited me and two of my brilliant colleagues, Professor Sonia Livingstone of the LSE and Professor Eva Lievens of the University of Ghent, to act as expert advisers to the Committee of Ministers in drawing up recommendations on “children’s rights in the digital environment”.

These recommendations do not have legal force but, given the diverse nature of the Council of Europe’s membership, and the thoroughness and professionalism of their processes, they do represent an important advance in the creation of new international norms. New norms can, in time, be reflected in new laws but long before that they start to shape and reflect changing attitudes, typically being rooted in current best practice among industry leaders. For that reason I am very proud to have been associated with the final outcome document which appeared on Monday.

I won’t try to summarise the whole thing here. It is all definitely worth looking at. I will, however, pick out a few of what were, for me, key developments.

Overview

Member States should:

  1. review their legislation, policies and practice to ensure that they are in line with the recommendations, principles and further guidance set out in the appendix of this recommendation, promote their implementation in all relevant areas and evaluate the effectiveness of the measures taken at regular intervals, with the participation of relevant stakeholders;………
  2. require business enterprises to meet their responsibility to respect the rights of the child in the digital environment and to take implementing measures, and encourage them to co-operate with relevant State stakeholders, civil society organisations and children, taking into account relevant international and European standards and guidance;……

Here are a number of examples of some of the major points in the appendix referred to:

Major emphasis on children’s rights

The appendix details each of the principal elements of the UNCRC and goes on to put the issue of access squarely on the agenda

Access

  • Access to and use of the digital environment is important for the realisation of children’s rights and fundamental freedoms, for their inclusion, education, participation and for maintaining family and social relationships. Where children do not have access to the digital environment or where this access is limited as a result of poor connectivity, their ability to fully exercise their human rights may be affected.
  • States should ensure that access to the digital environment is provided in educational and other care settings for children. Specific measures should be taken for children in vulnerable situations, in particular children living in alternative care, children deprived of liberty or whose parents are deprived of liberty, children in the context of international migration, children in street situations and children in rural communities. In particular, States should require online service providers to ensure that their services are accessible by children with disabilities.
  • Connectivity and access to devices, services and content should be accompanied by appropriate education and literacy measures, including those which address gender stereotypes or social norms that could limit children’s access and use of technology.
  • States should ensure that terms and conditions that are associated with the use of a device which can connect to the internet or that apply to the provision of online services or content are accessible, fair, transparent, intelligible, available in the child’s language and formulated in clear, child-friendly and age-appropriate language where relevant.

Data, age and age verification

  • Recognising that personal data can be processed to the benefit of children, States should take measures to ensure that children’s personal data is processed fairly, lawfully, accurately and securely, for specific purposes and with the free, explicit, informed and unambiguous consent of the children and/or their parents, carer or legal representative, or in accordance with another legitimate basis laid down by law. The data minimisation principle should be respected, meaning that the personal data processing should be adequate, relevant and not excessive in relation to the purposes for which they are processed.
  • Where States take measures to decide upon an age at which children are considered to be capable of consenting to the processing of personal data, their rights, views, best interests and evolving capacities must be taken into consideration. This should be monitored and evaluated while taking into account children’s actual understanding of data collection practices and technological developments. When children are below that age and parental consent is required, States should require that reasonable efforts are made to verify that consent is given by the parent or legal representative of the child.
  • In relation to the processing of children’s personal data, States should implement, or require relevant stakeholders to implement, privacy-by-default settings and privacy-by-design measures, taking into account the best interests of the child. Such measures should integrate strong safeguards for the right to privacy and data protection into devices and services.
  • Specific measures and policies should be adopted to protect infants from premature exposure to the digital environment due to limited benefits with respect to their particular physical, psychological, social and stimulation needs.
  • States should require the use of effective systems of age-verification to ensure children are protected from products, services and content in the digital environment which are legally restricted with reference to specific ages, using methods that are consistent with the principles of data minimisation. (emphasis added)
  • States should take measures to ensure that children are protected from commercial exploitation in the digital environment, including exposure to age-inappropriate forms of advertising and marketing. This includes ensuring that business enterprises do not engage in unfair commercial practices towards children, requiring that digital advertising and marketing towards children is clearly distinguishable to them as such, and requiring all relevant stakeholders to limit the processing of children’s personal data for commercial purposes.

Protection and safety

  • Taking into account the development of new technologies, children have the right to be protected from all forms of violence, exploitation and abuse in the digital environment. Any protective measures should take into consideration the best interests and evolving capacities of the child and not unduly restrict the exercise of other rights.
  • There are a number of areas of concern for children’s healthy development and well-being which may arise in connection with the digital environment, including but not limited to, risks of harm from:

    – sexual exploitation and abuse, solicitation for sexual purposes (grooming), online recruitment of children for the commission of criminal offences, for participation in extremist political or religious movements or for trafficking purposes (contact risks);
    – the degrading and stereotyped portrayal and over-sexualisation of women and children in particular; the portrayal and glorification of violence and self-harm, in particular suicides; demeaning, discriminatory or racist expressions or apologia for such conduct; advertising, adult content (content risks);
    – bullying, stalking and other forms of harassment, non-consensual dissemination of sexual images, extortion, hate speech, hacking, gambling, illegal downloading or other intellectual property infringements, commercial exploitation (conduct risks);
    – excessive use, sleep deprivation and physical harm (health risks).

Child sex abuse material

  • Mindful of available technologies and without prejudice to the principles of liability of internet intermediaries and their exemption from general monitoring obligations, States should require business enterprises to take reasonable, proportionate and effective measures to ensure that their networks or online services are not misused for criminal or other unlawful purposes in ways which may harm children, for example in relation to the production, distribution, provision of access to, advertising of or storage of child sexual abuse material or other forms of online child abuse.
  • States should require relevant business enterprises to apply hash lists with a view to ensuring that their networks are not being misused to store or distribute child sexual abuse images.
  • States should require that business enterprises and other relevant stakeholders take promptly all necessary steps to secure the availability of metadata concerning any child sexual exploitation and abuse material found on local servers, make them available to law-enforcement authorities, remove these materials and, pending their removal, restrict access to such materials found on servers outside of their jurisdiction.

Risks and impacts on the rights of the child

  • States should require business enterprises and other stakeholders to undertake due diligence in order to identify, prevent and mitigate their impact on the rights of the child in the digital environment.
  • States should require business enterprises to perform regular child-rights risk assessments in relation to digital technologies, products, services and policies and to demonstrate that they are taking reasonable and proportionate measures to manage and mitigate such risks.
  • States should encourage business enterprises to develop, apply and regularly review and evaluate child-oriented industry policies, standards and codes of conduct to maximise opportunities and address risks in the digital environment.
  • Recognising that parents, carers and others may rely on an online service’s stated terms and conditions of service as a guide to the suitability of that service for their child, being mindful of available technologies and without prejudice to the liability of internet intermediaries, States should require business enterprises to take reasonable, proportionate and effective measures to ensure that their terms and conditions of service are enforced. (emphasis added)

Domain names for country code top level domains

  • When awarding a contract or license to an entity to become the registry for a country code top-level domain, States should include clear requirements to have due regard to the best interests of children. Such requirements should cover, for example, a clear prohibition by the registry of the registration or use of any domain name which advertises or suggests that child sexual abuse material may be available on any domain within the registry’s purview and the establishment by the registry of mechanisms to ensure this policy is enforced, including by registrars and registrants. The same requirements should apply to the registration of generic top-level domains.
  • Where a registrant proposes to establish or renew a site or service targeted at children or used by children in substantial numbers within their country code domain, States should ensure that the registry or other competent authority requires registrants to put in place appropriate child-protection policies. This may include, for example, requiring that neither the registrant nor anyone employed by the registrant in connection with delivering the service or in managing any data generated by the service has been convicted of acts of sexual exploitation or sexual abuse of children or other relevant offences.

Let’s hope these practices are implemented by every government in the world in respect of their own country codes and that the practice is taken up by other Registries as well as ICANN itself.

Posted in Age verification

Draft submission to the NTIA

Below is the first draft of a letter I am working on for several children’s groups. It is in response to the US Government’s request for “comments and recommendations” on its international internet policies and priorities.

If you think I have missed anything or can suggest how the letter might be improved please let me know. And of course please feel free to use any or all bits in whatever submissions you might decide to make.  The closing date is 17th July.

Dear NTIA

Thank you for this opportunity to submit comments and recommendations on the future of the US Government’s  International Internet Policies and Priorities. We apologise for the length of our response but you have identified a set of issues which are immensely important to children all over the world.

One in three human internet users is a child

One in three human internet users is a child. In parts of the developing world this can rise to around one in two. Thus, whatever else one might believe, imagine or want the internet to be it is unquestionably a medium for children.

Multistakeholderism has failed children

Multistakeholderism has egregiously failed to ensure children’s interests are fully and properly taken into account in international bodies and at gatherings where internet policies are discussed or decided. Here we single out in particular the IGF and ICANN. Both were specifically mentioned by  you in your call.

The IGF failed children

NETmundial was an IGF sponsored initiative of considerable importance.  It took place in Brazil in 2014.  In the final communiqué  there are references to three international treaties:  the Covenant on Civil and Political Rights, the Covenant on Economic, Social and Cultural Rights, and the Convention on the Rights of Persons with Disabilities. The Convention on the Rights of the Child was overlooked or ignored. There is not one word about children in NETmundial. Not one.

There were not enough children’s voices at NETmundial to press for their rights to be recognised and while doubtless no one present in São Paulo wished any harm to come  to children when they go online, neither were children’s interests front and centre of why anyone made the trip. Why were there not enough children’s voices? Partly for a very practical reason: money. Or rather the lack of it.

Multistakeholderism is a slogan not a policy

Multistakeholderism is a wonderful idea that has simply not worked, at least not for  kids.

Corporate interests with a business reason for being involved in the affairs of ICANN and the IGF have no trouble being fully engaged stakeholders. Typically they send lawyers, accountants, lobbyists, Government relations staffers, or all of the above, to watch over or advance their interests or deal with the mountain of correspondence, conference calls and papers which the associated processes generate.

The ICANN bureaucracy now also constitutes an interest in these matters and, self-evidently, they are very well placed to preserve and extend their institutional perquisites.

Few can match the resources available to the corporates. Even national Governments, law enforcement agencies and long-established international bodies  have difficulty finding the funds and the people to enable them to keep up.

While children’s organizations recognize the importance of the internet in young people’s lives, it is grotesque, in effect,  to ask them to choose between spending their hard-earned and scarce cash helping an abused child in the here and now or providing a training programme for parents or teachers on how to help their children stay safe online, and flying to the other side of the world to sit in a swanky conference centre for a week surrounded by diplomats, civil servants and individuals representing some of the richest and most powerful companies on Earth who are having a discussion which might produce something three years down the road. Or it might not.

Something must be done  to create a more level playing field.

The lack of resources available to children’s organizations  to participate in NETmundial and similar is simply a reflection of a lack of serious interest on the part of those with the power to change things. Lip service costs nothing. Effective action does.

Remote participation is a poor substitute for being in the room

Remote participation  at events such as NETmundial may give the appearance of engagement, someone somewhere can tick a box,  but it is a very poor substitute for being physically present when complex, often quite nuanced issues of policy are being debated  by people who don’t already know each other in one way or another.

And how, realistically, does anyone get meaningfully involved in negotiating the wording of a final communiqué or stay on top of its iterations if they are eight thousand miles and five time zones away?

But it is not just attending meetings that matters. There are also the enormously time-consuming, labyrinthine “intersessional” procedures linked with bodies such as ICANN and the IGF.

ICANN is failing children

One of ICANN’s key self-declared tasks is “keeping the internet secure”. It has definitely not been keeping the internet secure for children. In that respect it is suggested ICANN is in breach of  its obligations under international law as well as under US Federal and California state laws requiring any and every organization to have regard to the best interests of children in any and all decisions affecting children.

The .kids saga

In 2012 ICANN decided to expand the number of available generic Top Level Domains (gTLDs). This resulted in the creation of over 1,000.  ICANN agreed “.kids” would be  one of them. For .kids in the English language there were three bidders: Amazon, Google and the .Kids Foundation. Six years later a decision on who should be awarded the contract to be the Registry for .kids in English has still not been taken. This gives some indication of the priority attached to children’s interests within ICANN.

Yet .kids has been let in Cyrillic script. Upon learning this the Moscow-based entity that won the contract to be the Registry was contacted. The following questions were put. The entirety of the relevant text follows:

  • Do you make any stipulations about who may buy a .kids domain name e.g. nobody with criminal convictions, or convictions for child sex offences? And if you do, do you carry out any checks to make sure the people meet those criteria?

Answer: No.

  • Do you make any stipulations about who may work for a business or organization operating a .kids domain name e.g. nobody with criminal convictions, or convictions for child sex offences? And if you do, do you carry out any checks to make sure the people meet those criteria?

Answer: No.

At the time of writing there is no information suggesting anything untoward has happened with any Cyrillic .kids websites, but it should be noted that the volume of sales so far has been low (1,500 at the last known count).

Concerns of the kind alluded to in the questions above should never have been left open in the way they were. This is because a domain such as .kids is guaranteed, sooner or later, to attract the attention of paedophiles. They go where children go. That being so, ICANN’s failure to insist on and insert in the Registry Agreement even the most rudimentary safeguards, commonly found elsewhere and not infrequently required by law, is tantamount to criminal negligence.

And even if it is not that, it is clearly at odds with an overriding duty to have regard to the best interests of children.

Moreover, stipulations about ownership and operations have nothing at all to do with the nature of any content that might appear on a website. No free speech concerns arise.

ICANN typically responds by saying its key policy is only to require relevant entities to abide by applicable national laws in the jurisdictions concerned. That is not a tenable position. It is a breach of direct and unavoidable obligations to children which cannot be delegated or left to chance.

Not to put too fine a point on it ICANN is, in reality, inciting paedophiles and other criminals to look for a jurisdiction with the fewest limitations on what they can do or a jurisdiction or Registry where enforcement is known to be non-existent.

ICANN has consistently argued it will not concern itself with the content of web sites.  But they should enforce their own contracts. However, is it anyway not beyond the powers of ICANN to declare, as an inflexible policy, that it will disregard or deliberately fail to act within the scope of its ostensible powers to curb or bear down on persistent conduct which it knows leads to illegal outcomes?

No advice about children’s best interests was sought or obtained.

In correspondence ICANN has acknowledged that when it came to deciding who would be awarded the contract to be a .kids Registry, and on what terms, they did not seek, obtain or consider any expert advice in relation to what might be in the best interests of children.

Neither were any  extra or specific requirements  imposed within the application or assessment processes used to decide who might become the .kids Registry. In effect .kids was looked at in the same way as .grocery, .London, .cruise, .baseball and so on.

GAC advice ignored

ICANN’s Governmental Advisory Committee offered quite specific advice on children’s interests in respect of the new gTLDs being created.  This was ignored. True enough it was issued after the  creation process had started but it was nevertheless still well within a timescale that would have allowed ICANN to act, were it so minded.

Ignoring GAC advice appears to have become, for some elements within ICANN,  something to take pride in, a way to demonstrate ICANN’s independence from “political interference”. In so doing they assert that they are the best judges of the public interest whereas, in reality, what they are reflecting is their own view about what they think is in their own  business or institutional interests.

It was different for .bank, .pharmacy and .insurance

As part of the same process that created .kids, .pharmacy, .bank and .insurance also became new gTLDs. However, here, fearful of the consequences of bad actors being able to buy and run websites which implied a link to legitimate pharmaceutical, banking or insurance related activities, interested businesses combined to establish what are now known as “Verified Top Level Domains”.

To buy a domain within any of these categories, individuals or entities must first go through a pre-approval process to determine they are fit and proper.

How did the banks, pharmacies and insurance companies manage this?

It happened because the banking, insurance and pharmaceuticals industries had an established presence within ICANN and therefore knew what was going on, what the deadlines were etc. and had the financial wherewithal to employ the necessary lawyers, lobbyists and staffers to deliver this highly desirable outcome.

The children’s organizations had and have no similarly endowed or entrenched interlocutors but that does not give ICANN permission to put children at risk or disregard their best interests.

It is truly shocking no one within ICANN accepted they had an obligation to ensure children’s interests were properly safeguarded. They could have insisted .kids be created as a  Verified Top Level Domain. They didn’t.

Child sex abuse material

Down the years the lion’s share of child sex abuse material (csam – aka child pornography) on the internet has been found within just two domains: .com and .net.

In 2018 the IWF reported that around 70% of all CSAM reported to it in 2017 was found within .com and .net. Those proportions were pretty much identical to 2016 and many years  previous to that. .com and .net are both owned by the same company, Verisign, based in Virginia. Verisign is the largest single contributor to ICANN’s funds.

Astonishingly, among the new gTLDs established under the 2012 process the IWF also discovered that over 1,000 domains  appeared to have been created solely to distribute csam. This was up from 272 the year before. These are relatively small numbers but any one of these domains could be responsible for distributing millions of illegal child sex abuse images.

ICANN chose money over safety and security

It was open to ICANN to decline to expand the number of available domains under the new gTLD process until they were satisfied they could not be misused in precisely the way they have been. They didn’t choose that route. They chose to bring in more cash and in so doing added to the already existing and well known problem of csam being distributed over the internet.

If only WHOIS worked as it was meant to

Accurate data about the identity and contact details of persons who own or operate web sites are meant to be contained in the WHOIS database, but they aren’t and the volume of crime which has resulted has now overwhelmed the capacity of police services around the world. In the UK the police won’t even look at an online fraud case if the amount involved is less than £100,000 and we have lost count of the number of times law enforcement has said they cannot arrest everyone suspected of committing online crimes against children.

Yet it is hard to believe, for example, that even one web site would be engaged in distributing csam if the  identities and contact details of the persons buying the domains in the first place, or registering them later, had been robustly verified.  This is what is supposed to happen under the Registry and Registrar agreements ICANN issues but does nothing to enforce.  By turning a blind eye ICANN helps crooks and harms children.

It seems that among Registries, Registrars and ICANN staff it is widely believed that effective measures to reduce the scope for criminal abuse of domains, e.g. by properly checking who people are, would cost too much money and put off would-be purchasers of new domain names. This would reduce the volume of sales, therefore hit revenues, eat into profit margins and therefore also threaten ICANN’s revenues.

The thing Registries and Registrars care about most is simple: having systems in place to ensure they get paid. Everything else is, as they see it, an “unnecessary” overhead cost, an administrative annoyance. Not their problem. Perhaps, in cahoots with ICANN, they hoped by stealth and over time WHOIS would quietly fade away and die.

This is one reason why the current debacle over the GDPR is so unfortunate. The EU and the European Data Protection Authorities,  through the Article 29 Working Party, have not covered themselves in glory. By their lack of understanding of what is at stake they have played straight into the hands of those elements within ICANN who would happily get rid of WHOIS completely.

By the way, although this is nothing to do with ICANN, the same principle  – know your customer – should also apply to anyone providing hosting or any form of online storage or publishing service.

ICANN duped the Feds

Last time it was checked only about 23% of entries were  correctly entered. In other words accuracy was the exception rather than the rule.

The  minute ICANN was free of the Affirmation of Commitments it took steps to downgrade WHOIS. They never had any intention of honouring the solemn promise they gave in the Affirmation. They signed the  Affirmation agreement quite cynically, solely to get out from under. They duped the Feds.

It is happening again right now. People are investigating how to remove ICANN from the potentially troubling clutches of the courts of California and the USA by establishing ICANN’s global HQ in a non-US jurisdiction. Doubtless they will hunt for the jurisdiction which presents the least likelihood of ever “interfering”.

With such a low level of trust and confidence in ICANN there will be a great deal of apprehension attaching to anything as large and fundamental as changing the entire legal basis on which it operates.

The offer of a PDP

In correspondence and discussions ICANN officials would not accept they had any specific or particular responsibilities towards children. They merely suggested children’s organizations should try to initiate a “Policy Development Process” (PDP) within which our ideas could be discussed by the ICANN “community”.

PDPs are the traditional way in which policies are aired and debated within ICANN prior to the ICANN Board reaching a determination.

An ICANN PDP can last several years. It was pointed out the children’s organizations simply do not have the resources that would allow them to engage in one. ICANN appeared unmoved.

More importantly, the implication of a PDP is ICANN believes it has a discretion in relation to the position of children. The contrary view, advanced here, is ICANN has a legal obligation to act.

Ball of confusion

George Bernard Shaw famously said all professions are a conspiracy against the laity. ICANN has taken this to new heights.

It has erected a redoubt of obscure, expensive and protracted processes all of which combine to discourage new entrants, preserve the status quo or slow down the rate of change to the greatest extent possible, always in favour of the financial interests of Registries, Registrars and ICANN itself.

As if to prove the point about their arcane ways, in a press statement issued to The Times of London on 4th April 2017 ICANN said the following

“ICANN is a unique institution that is governed via a bottom up, consensus-driven multistakeholder model. As a result, ICANN staff cannot unilaterally impose guidelines or requirements on registries, registrars or other stakeholders in a top-down manner. Policy recommendations are developed and refined… in a “bottom-up” multistakeholder, open and transparent process…”

“Bottom up, consensus-driven multi-stakeholder model” might mean something to the initiated but in the end it is simply a method of working that counts for nothing if all it produces is mayhem or evil.

Speaking of the “ICANN community” is an attempt to give an undeserved democratic patina to what is, in reality, a collection of entities with a material interest in the affairs of ICANN. And not being part of one of those insider groups means ICANN can and will trample on your rights or concerns.

The ICANN “community” should include stakeholders without loud voices, deep pockets, big muscles and time to fly around the world to attend ICANN gatherings. Equally, it should include many more people whose livelihoods are not likely to be affected by the outcome of decisions ICANN might make.

There is nothing wrong, and a great deal that is right, about ICANN wanting to talk to as many people as possible before making a decision, but ICANN is not a modern-day Pontius Pilate, able to dodge any responsibility for its own actions by referring to a “community” that only exists within their own self-constructed and self-serving bubble.

Finally, isn’t the rather palpable point that ICANN is in a position to make the internet safer or less safe for children? So far, they have failed to do everything they reasonably could to protect children.

Principal recommendation

The US Government should use its influence to ensure multistakeholderism works as originally envisaged and in ways which guarantee children’s interests are fully represented and supported at all relevant stages and levels in key internet governance institutions. Alternatively, if the US Government concludes that that is not possible within current frameworks, it should look for and promote an alternative model.

Posted in Internet governance, Regulation, Self-regulation

I am not getting over excited about this….

The National Telecommunications and Information Administration (NTIA) is a key bit of the US Government. It has just announced a review of its “International Internet Policy Priorities”. It wants comments by 2nd July.

The  terms of reference make clear that pretty much everything is up for discussion including privacy and security,  emerging technologies, multi-stakeholderism, the operation of ICANN, the IGF etc.

ICANN

Here is question D on page 3: “Should the IANA Stewardship be unwound?” That is code for saying “Is ICANN working? When we left it the way we did, did we get it right? Could things have been set up better?”

There are voices off reassuring all of the vested interests  in and around ICANN that the status quo is safe, there is no intention to reintroduce “direct rule” and effectively bring ICANN back under the closer supervision of the Department of Commerce. However, once the political ball starts rolling there is no certainty about exactly where it will stop.

IGF

Here is question G: “Are there barriers to engagement at the IGF? If so, how can we lower these barriers?”

I urge everybody with an interest in online child safety and children’s rights to let the NTIA know what you think. This could turn out to be a golden opportunity to correct or improve a few points based on actual evidence of how things have been working.

ADDRESSES: Written comments may be submitted by email to iipp2018@ntia.doc.gov. Comments submitted by email should be machine-readable and not be copy-protected.

Written comments also may be submitted by mail to the National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Avenue NW, Room 4725, Attn: Fiona Alexander, Washington, DC 20230.

Posted in Default settings, E-commerce, Internet governance, Privacy, Regulation, Self-regulation, Uncategorized

More news about ICANN and WHOIS

In  a recent blog I mentioned that, on behalf of the UK’s children’s organizations, I had written to the Chair of the Article 29 Working Group expressing concerns about the way the GDPR was being interpreted in respect of WHOIS data.  Remember WHOIS is the database law enforcement agencies and different elements of the internet security industry have used since the internet’s year dot to combat online crimes of every kind as well as a wide variety of scams.

The problem with WHOIS is that  maintaining it as an accurate and up to date record represents a cost and a lot of bother to Registries and Registrars. They would rather be shut of it altogether. As long as the punters pay for their domains why  should they care?  Registries and Registrars are ICANN’s effective paymasters  so ICANN is forever kicking the can down the road whenever WHOIS gets a mention. (John – aren’t you being a little harsh? Maybe, but I was provoked. Btw it is not a good idea to talk to yourself in public like this. People will get entirely the wrong/right idea).

Anyway I have had a message  from the Chair of Article 29 saying that a full reply is on its way (watch this space) but the same message also pointed me toward a statement  issued last week by Article 29.

Two interesting snippets from the statement:

Article 29 say they have been “offering guidance” to ICANN on the matter of WHOIS since  2003. They go on to note, however, that

“ICANN’s GDPR compliance process appears to have been formally initiated in the course of 2017, which may be part of the reason why stakeholders are concerned over the entry into application of the GDPR on 25 May 2018.”

Ouch. Does this speak to ICANN’s arrogance or incompetence? Perhaps both.

Finally, Article 29 points out that no data protection authority has the power to suspend or delay the implementation of the law, but adds

“Data protection authorities may, however, take into consideration the measures which have already been taken or which are underway when determining the appropriate regulatory response upon receiving…complaints.”

The match is not over but I would say Article 29 won that set hands down.

Posted in Internet governance, Privacy, Regulation, Self-regulation

Time is up

In yesterday’s blog I suggested that by responding in the way it did to the arrival of the GDPR, ICANN, in effect, pressed the self-destruct button. ICANN is now set on a path which will eventually lead to its abolition or radical reform. The process will be long, painful and fraught, with many scares, twists and turns.  What comes out the other end need not, in every respect, be as good as what we have now.  But the ball is already rolling.

ICANN did what it did because it could do no other. It is thoroughly dominated by vested interests willing to slow down or obstruct potential changes to the status  quo  if they believe the changes threaten their profitability.  If change is, nevertheless, eventually to be forced upon them they will find a way to live with it but they would like that day to be as far distant as possible. Meanwhile bank balances continue to expand.

This strategy has been remarkably successful up to now.  To get away with it ICANN, the powers within it and their ideological fellow-travellers have relied on six key factors:

  1. A willingness to portray and project themselves as defenders and champions of free speech, artistic expression and civil rights, fighting on behalf of “the little guy”, “the oppressed, unpopular or misunderstood minority”, “the political dissident”, the “whistleblower”, warding off the improper, even evil, predations of national Governments, the police and security services.
  2. A willingness to project themselves as a wilful and determined engine of economic growth and technological innovation.
  3. Which in turn feeds on and encourages a belief that if Governments step into any part of the internet space to regulate it, high tech companies will not invest and this will harm national prosperity and impede human progress in various indeterminate ways.
  4. The very real practical and political difficulties of getting  heterogeneous and geographically distant national Governments and  international institutions to agree on almost anything.
  5. A willingness to encourage and exploit the idea that the technical complexities of the internet  are immense. This intimidates  and scares off a great many politicians and civil servants in the Governments  and international institutions referred to above.
  6. It has a similar effect on mainstream journalists who would otherwise be a reliable ally in exposing cant and hypocrisy. Look how much (rare) effort went into getting Cambridge Analytica into the public domain. Any story that seems nerdy and remote will struggle to capture an editor’s attention and comprehension.

Yet the dominant forces within ICANN are businesses who sell domain names or derive income from their sale. It is not a very complicated idea.

The parallels with what has been happening within the UK over the past few years are striking but, having written several blogs where the phrase “drinking in the Last Chance Saloon” has appeared, it was no surprise to hear the Secretary of State say in a Tweet, “the era of asking nicely is over.” Matt Hancock, for it was he, was across all the UK newspapers and current affairs programmes this morning promising legislation. See the full announcement here.

The devil will be in the detail but the ball is already rolling. Where have I heard that before?

Posted in Age verification, Child abuse images, Default settings, E-commerce, Internet governance, Regulation, Self-regulation