Age verification for porn sites a step closer

Today is the formal opening of the 2016-17 Parliamentary Year, normally referred to as the “State Opening”. Her Majesty comes along to Westminster and declares that a new Parliamentary session has begun. She does this by giving  a speech which is written for her by the Prime Minister. It sets out the Government’s legislative programme for the term ahead.  Included within the speech  today is a promise to legislate to introduce age verification for pornographic web sites. Not a surprise at one level, but good to have it confirmed that everything is proceeding as anticipated.

Posted in Default settings, Pornography, Regulation, Self-regulation

Comments please

Let’s assume the age of consent to sex in your country is 16. That is the case in Belgium, Finland, Latvia, Lithuania, Luxembourg, Netherlands, Spain and the UK. Because of the GDPR your national legislature decides to stick with the default age of 16 as the basis of membership of a social networking site.

If, on a social networking site, someone struck up a “friendship” with a person from one of those countries would that mean they could plausibly argue they cannot be guilty of “grooming” because they had reasonable grounds for believing the person they were talking to was of age?

Other countries have other ages but I guess in principle the same point could apply. If the age of consent to sex and the age of consent to data are the same, or the age of consent to sex is lower than the age of consent to data bad guys are handed a pathway they will surely seek to exploit. No?

Most of the EU Member States that don’t have 16 as their age of consent to sex have 14 or 15 but Ireland, Cyprus and Malta have an age of consent to sex that is greater than 16 so I guess whatever they decide on the GDPR this is not going to be an issue for them, or at any rate not in the same way as it will be elsewhere.

There again since we do not anticipate social networking sites will voluntarily introduce age verification it will remain the case that tens of millions of under age individuals are going to be on them so maybe  an expectation will arise that the sites make clear that, whatever the stated minimum age of membership is in country X, no one is entitled to believe they are speaking to someone who actually meets that requirement.

Farce piled on farce.

Here’s another angle. Suppose a great many Member States do stick with the default of 16 and your country opts for 13.  Will that act as a beacon attracting people who want to contact younger individuals? Although there could be an up side to that the down side sounds a bit spooky. Just what are the implications of having a spread of ages? What if the age rules do, in fact, start to be enforced differently between jurisdictions or companies?

Out of this  I suppose one argument in favour of countries adopting 13 as the minimum age for data is in no case is it aligned with the age of consent to sex so would-be groomers would be blocked in that regard. It is also an argument for having as many countries as possible opting for 13 so we are all in the same boat and no single jurisdiction becomes a target for anyone with a preference for younger people. Hey ho. We will all have to remain on guard in broadly the same way.

I am not saying I am coming out in favour of 13 as the preferred single minimum age for every country to adopt but if we get the high level enquiry I have previously called for it would definitely be something they should consider.

Posted in Age verification, Consent, Default settings, E-commerce, Facebook, Internet governance, Privacy, Regulation, Self-regulation

On Trialogues – oops, trilogues

When I was fumbling around in the dark trying to come up with a rational explanation for why, during the Trialogue for the GDPR, none of the actors reached out to any child protection people to test any of the ideas that were being thrown around on the age of consent for young people to hand over data without having to obtain parental consent, I thought maybe there were rules of confidentiality, or at any rate an expectation of confidentiality. I mean the word “Trialogue” sounds sort of intimate and official.

Anyway, there is a service called “Europe Direct” which holds itself out as being able to answer any question about EU institutions, rules and the like. I contacted them.

Today I got a reply.

First they corrected my spelling. It should be trilogue and it isn’t capitalised. After referring me to a couple of important documents setting out what rules there are (see below) here is the crucial bit of the answer

None of (the relevant) rules establish, for individuals engaged in trilogues or their respective institutions, a general expectation or requirement that no external parties are consulted in relation to matters being considered in trilogues.

In other words there were no obstacles – formal or informal – to any individual or any institution involved or represented in the trilogue to reach out to anyone at all.

They simply chose to keep it all buttoned up.

The basic document describing trilogues is here and there is a related one affecting the Parliament only which is here. But as I said, neither of them presented any obstacles to external consultation or discussion.

You live and learn. I hope I never have to write about  this again.

Posted in Regulation, Self-regulation, Uncategorized

The challenges of a new orthodoxy?

Last Monday EU President Juncker said he thought the EU had been meddling in matters which more properly should be dealt with by individual Member States. He went on to say

We were wrong to over-regulate and interfere too much

If this is going to become the new orthodoxy we can anticipate a growing drive to say anything and everything to do with children and young people, or at any rate a very great deal, should be dealt with by Member States. How all that will be squared with  and play out in relation to a Digital Single Market and universalist notions of children’s rights will be interesting, challenging and messy.

It is undoubtedly true that, in the past, parts of the children’s lobby have looked to Brussels to require action on issues which certain Member States otherwise showed every intention of ignoring for as long as possible if not forever. I am thinking in particular about the (excellent) Directive on combating the sexual abuse and sexual exploitation of children and child pornography (sic)

Maybe those days are over, or at any rate are going into hibernation.

Either way, and against the background of the farce with the GDPR, it does make you wonder what role there could or should be for bodies such as the CEO Coalition and other formations which are supposed to be looking for EU-wide multi-stakeholder voluntary solutions to the many remaining problems children and young people face in cyberspace.

My hunch is, if the DSM remains a dominant driver – which I think is likely to be the case – there will be an increased emphasis on looking at issues that have a bearing on the operation of the market rather than narrowly child welfare or child development aspects.

Quite how you can do one without the other or how you resolve the tensions is where another bit of messiness will creep in.

Posted in Default settings, E-commerce, Internet governance, Regulation, Self-regulation, Uncategorized

We need the conversation to begin soon

The GDPR passed its final, formal hurdle earlier this week. It went through un-amended and will become law in mid 2018.  There were only a handful of votes against  it, one of those being registered by Anna-Maria Corazza-Bildt who said 

…..we missed a big opportunity to protect our children online.

Corazza-Bildt chairs  the European Parliament’s Interservices  Group on Children and, if I had one, she would definitely be on my Christmas Card list. Bravo AMCB.

Speaking yesterday at an event organized in Dublin by Google and Facebook (yes I was there too) Corazza-Bildt was very clear about where she thought the blame for the GDPR’s failure to protect children adequately should lie. There were two principal culprits. First

The Taliban of online privacy led by Jan Philipp Albrecht

Albrecht was the Rapporteur on the GDPR. This gave him a key role in respect of the GDPR from the beginning to the end of the entire process.  According to Corazza-Bildt Albrecht had a number of his own and his Party’s key objectives which he wanted to secure in the negotiations that took place around the measure.

He could only fight so many battles and he decided children’s rights wasn’t going to be one of them. They were sacrificed.

Next in Corrazza-Bildt’s firing line was the Trialogue process itself. She said towards the end, in respect of children, it was chaotic, but from the moment it began it was opaque and allowed Member States to disguise their lack of interest in children’s rights or their opposition to what Corazza-Bildt thought were the necessary amendments to the original text.

And now a bit of good news

I met with Claude Moraes, Chair of the LIBE Committee. He accepted the force of the central point I made about the poor consultation processes with child protection experts which had surrounded the adoption of the GDPR and, above all, he grasped the significance of the absence of an impact assessment in relation to the Commission’s original proposal to make 13 the minimum age.

It might be going too far to say Moraes apologised for what had happened but he certainly acknowledged there was a need for the whole age and the internet issue to be thoroughly examined and debated. Moraes was clear it was now so late in the day there was zero possibility of the GDPR being radically amended or held up but he gave an undertaking to write to the Commission raising the points we discussed.

Moraes was as good as his word and in what is otherwise a sorry mess, he comes out of this with great credit. I am putting him on my potential Christmas Card list too. I reproduce here a copy of the letter that went to Commissioner Jourova.

I hope Jourova moves swiftly and brings together the right people.  If a Blue Ribbon Commission could reach some sort of consensus within a reasonable time-frame it might help in the debates which will take place at Member State level with regard to the age option they go for.  It might also assist in (at least) two further ways:  with issues of interpretation as the GDPR comes to be implemented and to encourage the new EDPS and national DPAs to become more engaged as well as the wider privacy community.

Then there’s the new e-Privacy Directive, promised for next year. Will age and the internet raise its head there?

Posted in Age verification, Default settings, E-commerce, Internet governance, Location, Regulation, Self-regulation

All eyes on Brazil

Dr Paul Watters of the University of Massey in New Zealand is unquestionably the world’s leading authority on the grubby realities of piracy web sites. These sites try to portray themselves as modern day Robin Hoods attacking big corporations so they can give stuff away to the little guy.

Watters shows what the great bulk really are: highly commercially motivated criminal enterprises intent on lining the pockets of the small number of villains who own them.

But why should someone like me – who is principally concerned with online child protection – care about piracy sites? Watters shows why. These piracy sites are magnets for millions of children but when they go to the sites they find themselves  in a horrible environment, immersed in and surrounded by ads for prostitution, sex toys, hard core pornography and much worse as well. Then there’s a whole bunch of malware which can destroy their own and their family’s computers or other connected devices or rip them off, and likely both.

ECPAT International recently commissioned Dr Watters to carry out a study of piracy web sites in Brazil. His conclusions couldn’t have been clearer. It was published in December as a strong call to action to protect Brazilian children.

What has happened since? Shameful politics and delay is the answer.

The Brazilian House of Representatives’ Committee of Enquiry on Cybercrimes  held hearings and issued an excellent report which, among many other things, recommended that, following a court order , piracy web sites containing illegal content should be blocked. An increasing number of democracies around the world do this. Blocking these sites is a valuable tool that helps protect kids and keep their families safe.

However, to listen to some of the opposition being expressed to the Committee of Enquiry’s proposals you would think we are only days away from the end of civilization as we know it in Latin America’s largest country. Dr Watters’s diligent, painstaking research seems to count for nothing as the usual suspects in the internet industry try to avoid their responsibilities.

I hope that everyone concerned with children’s best interests makes their views known to Brazil’s elected representatives. We need to get behind the CPI’s recommendations and not be deflected by smoke and mirrors. 

Brazil has a proud tradition of energetic engagement in debates on internet freedom and online rights although when the NetMundial statement was adopted in Sao Paulo in 2014 somehow children and young people failed even to get a mention. Let’s not overlook children’s and young people’s interests again.

Posted in Child abuse images, E-commerce, Pornography, Regulation, Self-regulation

Poor process, bad outcomes

Later this week a new edition of the Better Internet for Kids (BIK) Bulletin will be published, with a focus on data protection.  I was invited – together with various other stakeholders – to share my views on the upcoming General Data Protection Regulation (GDPR), from a children’s rights and online safety perspective. What follows is my contribution.

On behalf of the European NGO Alliance for Child Safety Online (eNACSO) I recently spent a couple of days in Brussels talking to people who had been closely involved in writing the GDPR.  Here I report on what I learned from those conversations. It adds to my earlier commentaries.

It is a shocking story.

To recap

In January, 2012, the Commission of the European Union  published a consultation document setting out a detailed proposal for  the GDPR. This followed a “pre-consultation consultation” which started in 2009. The GDPR was a long time coming and that made what  happened to children and young people at the 59th minute of the 11th hour all the more surprising and disappointing.

The Commission told the world the GDPR is a vital building block in a larger, strategic plan to develop an EU-wide Digital Single Market (DSM). Whichever way you look at it there is no doubt the GDPR is a monumental legislative achievement of the highest importance yet in respect of children’s rights and online safety it is seriously flawed.

The final text was adopted at the LIBE Committee on 17th December, 2015. It still has to be ratified. This is expected in May although an amendment is being discussed which might put that date back by a month or two.

Substantial, inexcusable and unacceptable

There are positive features in the GDPR which will benefit children and young people, the right to be forgotten likely being the best known, but at the same time the GDPR’s shortcomings are substantial, inexcusable and unacceptable. The EU constantly tells us it takes children’s and young people’s issues seriously. This episode paints an entirely different picture.

The two problems


  • The GDPR completely fails to address the fact that millions upon millions of children across Europe, including very young children, have become and remain members or users of social media sites and other online services which are not meant for them.
  • Article 8 of the GDPR makes 16 the default minimum age at which a young person can decide for themselves whether or not to join online services such as Facebook. Up to that age parents will have to give permission. This limitation breaches Articles 12 and 13 of the UN Convention on the Rights of the Child.

Article 12 speaks of States’ obligations to guarantee a child who is capable of forming his or her own views the right to express those views freely in all matters affecting the child 

Article 13 uses similar language: The child shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of the child’s choice

Note the absence of any reference to an age limit or the need for parental consent.

How has this come about?

Part of the answer to that question connects to the opaque, calculated and in the end extremely hurried processes followed. Low rent politics drove decisions. Evidence and principles played no part.

The EU hands over policy-making to the USA?

In relation to the minimum age at which a young person can decide for themselves whether or not to join an online service the Commission originally proposed 13. However, no impact assessment was carried out to explain or justify it. In the wider study published by the Commission at the time the draft GDPR was released it merely said (at page 67) their choice of 13 took

“…..inspiration…..from the  current  US  Children  Online  Data Protection Act (sic) of 1998 and are not expected to impose undue and unrealistic burden (sic) upon providers of online services. “(bold added for emphasis).

The US law in question is actually called the Children’s Online Privacy Protection Act (COPPA.) It was intended to protect children (for these purposes defined as persons below the age of 13) from commercial exploitation. This Federal law made 13 a legal requirement for every US-based company e.g. Facebook and Instagram and explains why 13 had become a de facto standard in a great many countries. From that point of view it is not hard to imagine why Commission officials thought 13 would get an easy passage. Turns out they got that very wrong.

Nevertheless, we have to ask if the Commission routinely sub-contracts its policy-making functions to Washington DC? COPPA predates the social media explosion that emerged from the development of Web 2.0. It is widely acknowledged to be hopelessly out of date and ineffective in a number of key ways.

Whatever the reason, the Commission’s failure to carry out their own, independent impact assessment in respect of 13 was an egregious error. But it was not the result of carelessness or a lack of resources. It was part of a deliberate strategy.

More than merely ironic

As we shall see the lack of a proper impact assessment was going to have considerable consequences. This is more than merely ironic because in the GDPR itself Article 33 expressly requires everyone else to carry out a data protection impact assessment which takes into account the nature, scope, context and purposes of any proposed data processing where that data processing is likely to result in a high risk for the rights and freedoms of individuals. Children and young people are individuals. And they have rights.

Refusing to face the issue

How do we explain the decision not to undertake an impact assessment? It seems right at the beginning everyone on the inside track in the Commission and others elsewhere anticipated that the age thing was going to be tricky.

Remember the current (1995) Directive had been silent on the point. This time around there was some support for maintaining such a stance but a majority finally accepted that was now untenable.

The Commission’s reason for not doing a risk assessment was therefore simple. A risk assessment would only draw attention to the problem, so why do one?

Rather than face any national or other sensitivities around age and debate them openly – there could even be a question about whether the EU had competency in this space – the plan was to finesse (read “manipulate”) the process. Officials believed they could pull it off and end up with what they wanted: 13. Did the conversation go like this?

The age business could mess up and delay everything so let’s leave it until as late as possible, after we have made lots of progress with all the other stuff.  If we get the timing right everyone will be fed up with the GDPR.  They’ll want it done and out of the way. They’ll have to agree something. 13 is the only show in town. Hold your nerve. Keep your eye on the glittering prize.

The results of absence

Perhaps inevitably, because there was no impact assessment, when it came under attack there were no robust arguments to hand to defend or justify 13 as the minimum age. Simply saying that’s the way the Americans have been doing it for years so we’ve all got used to it clearly didn’t cut any ice.

In early December, 2015, as everybody thought the process was indeed drawing to a close, disaster struck.  16 suddenly appeared from nowhere (again with no impact assessment attached to it) and supplanted 13. Word of this leaked. A media storm broke out. Everyone involved then went into an undignified, panic-driven flip flop. A frantic scramble took place to change policy.  48 hours later a new one emerged. Young people’s interests were sacrificed on the altar of expediency amidst worries about a few here-today-gone-tomorrow headlines. At no point did the parties to the GDPR negotiations seek any expert counsel on what the policy ought to be.

Not one but four

What have we ended up with? Not one age – which makes some kind of sense if building a DSM is the overarching objective, but four ages.

As already noted the GDPR makes 16 the default age but Member States now also have an option to choose 15,14 or 13 instead. Absent any evidence justifying them 16 and 15 will be impossible to defend within the terms of the UNCRC. Still, the menu does seem to have diverted the media’s attention. Mission accomplished.

Balancing the differences, resolving the tensions

How do we balance a laudable desire to protect young people from commercial exploitation with their undoubted right to express themselves? Are commercial exploitation and its associated data collection practices the only relevant factors to be considered anyway? Not everything that matters on the internet is about money. Other things being equal within any single jurisdiction is it right to have but one age governing every aspect of young people’s privacy?

Erecting new internal barriers

In other areas the EU is intent on tearing down internal barriers. Here it is erecting them. Why? The menu of 16, 15, 14 or 13 cannot be about subsidiarity. Those ages do not fit with every Member State’s existing data protection laws (the ones the GDPR is otherwise harmonising).  I know of two large countries that will have to change their law if the GDPR remains as it is, the UK being one of them.

If things stay as they are it is not hard to predict what will happen. The mighty US companies will lobby country by country for 13 (their status quo). They will win in some and lose in others. The temptation to stay with the default of 16 is likely to be the path of least resistance but it will be interesting to see how the balance pans out and learn what that teaches us about EU decision-making.

Is the EU happy to contemplate or encourage the emergence of diverging youth cultures within the Union? Isn’t that the obvious implication of the decision they have made? The ramifications of such a development are potentially quite profound. They should be talked about not allowed to creep in under the radar.

And the non-compliance?

The non-compliance problem among children was acknowledged by the Commission (at page 23 of their study) back in 2012. Now it is a great deal worse. Look  at the levels of non-compliance with current age rules shown in a recent study published by the BBC.  75% of 10-12 year olds in the UK have social media accounts with sites or services which specify a minimum age of 13. Glance also at the work of EU Kids Online showing similar high levels of non-compliance across the whole Union in 2011. All of the percentages will have gone up since.

The GDPR does nothing to address this. On the contrary without any corresponding requirement to carry out age verification, by setting higher age limits the GDPR will teach or entice even larger numbers of children to misrepresent their age so as  to get into the otherwise forbidden places where children will believe all the best things are going on.

This sorry tale does not point to failings on the part of a particular individual or European Institution. Rather it points to a systemic or collective failure.

We have to find a way to ensure things like this cannot happen again.


You want more?

Originally this blog was substantially larger (nearly twice the length of this billet doux). I  was thinking about publishing a follow up to incorporate the additional material but, really, what else is there to say? If there is truly anyone out there who feels they still need more information about the GDPR please get in touch. I will send it to you and recommend a good therapist.


Posted in Age verification, Consent, Default settings, E-commerce, Facebook, Google, Internet governance, Privacy, Regulation, Self-regulation | 7 Comments