Careless meets sneaky

A while ago there was an uproar when it emerged that online businesses were, in effect, paying children to exploit their friendship networks to promote certain products, without disclosing they had a commercial relationship with the company that owned the thing they were speaking about so warmly.  Cases  were identified where children were getting paid according to the number of contacts they made thus encouraging them to engage with as many people as possible. This might have led some to connect with strangers.

The Bailey Review commented on it and the UK advertising regulator eventually stepped in to ban the practice but you have to wonder why anybody thought this would ever be an acceptable way to treat kids in the first place.

More recently, in the USA the New York State Attorney engaged with Viacom  (Nickleodeon), Mattel, Hasbro and Jumpstart. Attorney Schneiderman announced that these businesses did not comply with the Children’s Online Privacy Protection Act. That’s the one that limits marketing to under 13s unless a parent has given their consent.

It wasn’t the substantive businesses themselves that were directly in breach but they had allowed third-parties to operate on their sites and these were not  complying. Anyway the outcome was Viacom, Mattel, Hasbro and Jumpstart had to pay a total of $835,000 in fines and agree to a set of reforms. They are now mandated to vet the practices of all third-party services before letting them on their virtual properties.

Should these businesses have thought of this before? Probably, but aside from that two things spring to mind

  1. It took the Attorney General of New York two years to satisfy himself that a breach had occurred then bring his investigation to a conclusion. I do not know a single children’s organization anywhere in the world that has the resources or the alliances which would allow them to get anywhere near acting as a consumer watchdog in matters of this kind. It is not right that we should be so dependent on government agencies.
  2. Do we think the principle illustrated by this case could be extended to the platform providers that allow third-party apps to be sold on or through their services?
Posted in Advertising, Age verification, Consent, Default settings, E-commerce, Privacy, Regulation, Self-regulation

One last heave?

Life was simpler once. Governments in the liberal democracies were content to rely heavily on industry self-regulation as the principal means of addressing some of the problems that began to emerge with the arrival of the internet. Industry by and large loved such an approach. The fewer actual rules or restrictions, the larger the scope they had to innovate and experiment with new business models.

Right out of the traps  many free speech and civil rights groups objected to this approach. They argued if Governments are putting direct or indirect pressure on industry to behave in a certain way in order to deliver on  particular public policy objectives, they should do so openly, making their wishes or intentions known through established public policy mechanisms e.g. legislation and regulations. That way there would be transparency, there would be accountability and the playing field would be as level as it could be, at least in the sense that pretty much everyone would be bound. Compliance should not be à la carte.

My view always was, and remains, what matters is what works.  I don’t have a dog in the at times theological fight over processes.

However,  for all sorts of reasons it is now clear the areas within which internet self-regulation can continue to operate inside the EU are becoming vanishing small. The net neutrality rules, the AVMSD and, grandmother and grandfather of them all, the GDPR, are closing down or narrowing the spaces (maybe not always entirely satisfactorily).  If the Unfair Commercial Practices Directive is ever to be materially enhanced and national data protection authorities  or some other body takes it upon themselves to ensure that big internet platforms are delivering on their implied or stated (but unverified) promises about how they treat children we will more or less have covered all the key bits of the turf.

And yet

Yet even where hard law exists everyone recognises there are issues of interpretation and about establishing best practice which can benefit from open dialogue between a range of interested parties. Then there is the problem of perpetual change.  Every regulatory environment – self or otherwise – is bound to lag  behind real world developments. If they do nothing else, intelligently thought-through voluntary measures can hold the fort until the longer term picture becomes clearer.

This was the backdrop to an important meeting last week in Brussels which is looking forward to the launch, on 7th February next year, of the  Alliance to better protect minors online.  The Alliance will build on the work of the previous  Administration’s CEO Coalition. It was accepted there needs to be mechanisms for monitoring what is achieved under its aegis.

One area where there was broad agreement was in respect of the need for continued self-regulatory activity is in the field of education and awareness. Combatting bullying receievd special mention as did promoting good netizenship. True enough even here we  already see the state or its proxies assuming more and more responsibility but there is little doubt that both Governments and public alike can reasonably expect the industry to pitch in, helping to ensure children and young people themselves, their parents and teachers as well as other members of the children’s workforce are up to speed. The good news is large parts of the industry fully accept their continuing role and responsibility in these areas. The challenge is to reach out to more industry players to get them to sign up.

Watch this space.




Posted in Default settings, E-commerce, Regulation, Self-regulation

ICANN refuses to explain

Regular readers will know about the application made by the .Kids Foundation to ICANN to be allowed to run the proposed new .kids gTLD.  ICANN gave a contract to the Economist Intelligence Unit  (EIU) to help them assess the bid.

I have been around the child protection, children’s rights  and child welfare space for several years. I had never heard the EIU’s name mentioned as an authority in connection with anything to do with children. Had I missed something? I contacted the EIU. They refused to discuss it. The EIU referred me to ICANN.

In their reply to my questions ICANN told me

….the EIU was chosen because it offers premier global business intelligence services.

Not a convincing opening line given the nature of my enquiry but ICANN went on to quote from something called the Panel Process document, in particular the following:

The EIU is the business information arm of The Economist Group, publisher of The Economist. Through a global network of more than 500 analysts and contributors, the EIU continuously assesses political, economic, and business conditions in more than 200 countries. As the world’s leading provider of country intelligence, the EIU helps executives, governments, and institutions by providing timely, reliable, and impartial analysis.

The word  child  or  children  have yet to make an appearance. In fact they never do.

Then comes this

The evaluation process respects the principles of fairness, transparency, avoidance of potential conflicts of interest, and non-discrimination. Consistency of approach in scoring applications is of particular importance. In this regard, the Economist Intelligence Unit has more than six decades of experience building evaluative frameworks and benchmarking models for its clients, including governments, corporations, academic institutions and NGOs. Applying scoring systems to complex questions is a core competence.

I added the bold to that word transparency since it is clear it is singularly lacking.

ICANN then gave me some more cut-and-pasted quotes

  • All EIU evaluators undergo regular training to ensure full understanding of all CPE requirements as listed in the Applicant Guidebook, as well as to ensure consistent judgment. This process included a pilot training process, which has been followed by regular training sessions to ensure that all evaluators have the same understanding of the evaluation process and procedures.
  • EIU evaluators are highly qualified, they speak several languages and have expertise in applying criteria and standardized methodologies across a broad variety of issues in a consistent and systematic manner.
  • Language skills and knowledge of specific regions are also considered in the selection of evaluators and the assignment of specific applications.

So I wrote back with only one further question

Did you satisfy yourself that the EIU had (the necessary expertise) or did you simply rely on the EIU’s general assurances (that they had)…..?

Answer came there none.

I doubt the EIU has much of a clue about children and the online space thus, to be clear, I think they were wrong to accept a contract to work in  an area that is outwith their competence but equally ICANN should not have offered them the work without satisfying themselves the EIU  could do it properly.

Children’s interests are marginalized or overlooked once again.

Posted in Default settings, E-commerce, ICANN, Internet governance, Regulation, Self-regulation

Anonymity and porn

S1 (1) of the Obscene Publications Act, 1959, defines what constitutes a criminally obscene article. In the Court of Criminal Appeals in 2002, in the case of  R v Perrin, in the context of  material published on the internet, failure to take steps to prevent children from viewing such material was seen as a key ingredient in determining whether or not an offence under the Act had been committed.

However, to the best of my knowledge, since Perrin there have been no prosecutions of web site owners who publish pornography without an age verification mechanism in place. Why? Because of the practical and jurisdictional issues of enforcement. The relevant sections of the  Digital Economy Bill, 2016, can therefore be viewed as a pragmatic attempt to find a solution to fit modern circumstances. Yet some people are raising concerns. I understand why, but their fears are unfounded.

In the recent debate on the  Digital Economy Bill Liberal Democrat MP Tom Brake made the following point

I agree that denying children access to online pornography is essential, as is ensuring the privacy of adult users of legal adult sites….

In a similar vein the former Secretary of State, John Whittingdale, said

The other big issue covered by the Bill is pornography….and age verification. The Bill does not specify how age can be verified, and I must say that I am not entirely sure how the providers will do that. It will not be sufficient to include the question “Are you 18?”, along with a box to be ticked……

We must bear it in mind that the content that is being accessed is perfectly legal. Of course it is right for children to be prevented from accessing it, because that can be harmful, but it is legal content for adults……

There are a number of things to be said about this.

First of all at the moment unless someone takes special measures to prevent their browsers from handing over any information about them or their machine then it is extremely likely that in the mere act of visiting a porn site, even if you do not buy or actively download anything, you are in truth handing over data about yourself. This compromises your anonymity. I leave aside the possibility of any third-party surveillance that might be taking place on top of that.

Moreover unless Messrs Whittingdale  and Brake want to argue we should get rid of the existing real world laws altogether they need to convince us why, if it were to come down to a straight choice,  they might think it more important to protect adults’ rights to access porn anonymously than it is to keep harmful content away from kids.

Technology to the rescue

However, the good news for Brake and Whittingdale is that nobody has to make such a choice. Remember, unlike gambling sites a porn company does not need your bank or credit or debit card details or your home address. Porn sites only have to establish that you are 18 or above.

Technologies already exist which can prove someone is over 18 without revealing anything else at all.  In this sense the technology could be seen as being privacy enhancing.

Of course the companies that own the age verification systems have to do an initial verification of your age so it is vital that they are trustworthy and secure to the nth degree. There are several ways in which it can be established whether or not that is the case e.g. the Information Commissioner’s Office could tell us.

Posted in Age verification, E-commerce, Pornography, Privacy, Regulation, Self-regulation

Age verification takes another step forward in the UK

The Digital Economy Bill 2016 has just completed its 2nd Reading in Parliament. This is the first major step in the British legislative system. The 1st Reading is largely a formality. The 2nd is where the broad principles and policies behind a measure are debated.

The Bill passed with no votes against. It now goes to Committee where it will undergo line by line scrutiny. However, it is clear from the discussion that at least in respect of the child protection aspects of the Bill, most notably the clauses introducing compulsory age verification for pornography sites, there is an extremely wide  and supportive consensus.

The Government did not indicate that it had modified its position from that set out in the original draft. In other words they did not say they intended to introduce any legal compulsion  to withdraw payments and other ancillary support services  from non-compliant sites. Neither did they say they intended to give the proposed new regulator a power to compel access providers to block persistently non-compliant sites.

Yet many MPs from all parties urged the Government to consider doing just that and in his excellent summing up for the Government  the Minister, Matt Hancock, indicated that it would be necessary to revisit these matters in Committee and that he was keen to reflect on the views which had been expressed by the House.

It’s a long road ahead. Good points were made about privacy concerns that could arise if age verification becomes compulsory but I am certain they can all be answered openly and in a way that will satisfy even the most hardened sceptic.



Posted in Age verification, Default settings, E-commerce, Pornography, Privacy, Regulation

Hilary Clinton declares support for online child safety

There is a human dynamo in Washington DC called Donna Rice Hughes. She is the woman who has persuaded a number of big American Corporations to restrict access to porn on WiFi that they provide in public places. Donna was gracious enough to acknowledge the UK origins of this idea but now she has gone a huge step further.

Earlier this week Donna announced that Hilary Clinton has given her support to the Child Internet Safety Pledge. Much of what is contained in the Pledge will be very familiar to UK, European and some other national audiences but within the US  this is verging on revolutionary, so Donna’s achievement is all the more remarkable for that.

It has long been my view that, in terms of the online child safety, the single most important jurisdiction in the world is the USA, but it is also one of the toughest because of the highly specific  (and for us  very unusual) prevailing political and legal context.

Almost any steps forward for online child safety in the USA will have a huge multiplier effect and redound to the benefit of youngsters across the globe. Clinton signing up may be a harbinger of just such a development. Fingers crossed.

I am not going to dwell on the fact that Donald Trump has also signed the same pledge. I am just going to shrug my shoulders and say it’s not my fault he got this right. However, part of Donna’s point is that for the first time ever the Presidential candidates of both major parties have signed up to the same agenda in relation to online child safety.  That’s quite a coup and perhaps only a DC insider such as Donna could have pulled it off.

Watch this space.


Posted in Child abuse images, Pornography, Regulation, Self-regulation

Value- free technology? I don’t think so

The idea that technology is or can be value free has always struck me as being absurd. Whoever invents a particular application, piece of equipment or a platform has certain objectives in mind and these, in turn,  must have been shaped by their personal attitudes or beliefs or their business aims, often both.

A classic and very un-Olympian example of the latter variety was presented to me several years ago when I attended an IETF workshop. The participants were concerned with developing the protocols to allow browsers to collect and transmit geo-location data from connected devices. I pointed out there would be a number of social consequences attaching to such a development, both good and potentially bad, but almost to a man (repeat, man) the assembled technicians declared they had been sent to the workshop by their employers (mainly big technology companies) to reach an agreement not debate social policy. They didn’t quite say we’re only following orders but it was close.

A recent article in New Scientist  ( “Digital Discrimination”, 30th July – behind a pay wall) shows what can happen when otherwise or supposedly neutral  technologies are allowed to do their thing.

Take the case of Gregory Seldon, a 25 year old black man who lives in the USA. He wanted to make a trip to Philadelphia. Using AirBNB he spotted a particular place, tried to book but was informed it had already gone. Seldon carried on looking and saw that the same location was, in fact, still being advertised for the same dates. Suspicious, he created several new profiles which indicated the applicant was a white man. They were all told the apartment was available.

Seldon Tweeted about his experience on #airbnbwhileblack. The floodgates opened with more or less identical accounts streaming in from all across the country.  It emerged that three academics at Harvard (Edelman, Luca and Svirsky) had found people with names that were primarily thought of as being associated with African Americans e.g. Tanisha and Tyrone were 16% less likely to be accepted as guests on AirBNB than people with names like Brad and Kirsten.

The good news is AirBNB accept they have a problem and are actively seeking a solution but there seems little doubt this goes a lot wider and deeper than social media platforms.

Anupam Chandler, a Professor of Law at UC Davis believes discrimination can be “baked into” the data that form the basis of algorithms thus technology could become a “mechanism for discrimination to amplify and spread like a virus”.

Stands to reason I suppose. Typically algorithms are based on observed patterns of pre-existing behaviour. If that behaviour has a racist (or other) bias then, absent any countervailing measures, the algorithm will simply replicate and thereby, at the very least, sustain it in the future. That would be bad enough but the network effect is likely to give new legs and a new scale to the phenomenon thereby making it worse. In such circumstances it is just not acceptable to say (something like) “it’s not our fault society is riddled with racists (or with sexism)….all we are doing is devising systems which (hand-wringing) unfortunately racists  and sexists are using”.   The logic of this argument is that society needs to deal with racism  and sexism and  technologists are merely hapless, helpless victims of sad circumstance.  Baloney is the least offensive word I can come up with to describe what I think about that argument.

In this connection I was pleasantly surprised to discover that (our old friend) the GDPR has specific provisions which require technology companies to take steps to prevent discrimination based on personal characteristics such as race or religious beliefs. It also creates a “right of explanation”, enabling citizens to question the logic of an algorithmic decision. How easy it will be to enforce this provision is debatable, but it’s not a bad start.



Posted in Default settings, Internet governance, Regulation, Self-regulation