Happy birthday?

Ten years ago last week things started happening that would bring the world economic order to the edge of collapse.  In many countries banks stopped lending to each other. Liquidity and, with it, new investment all but evaporated. In the UK we had the first run on a financial institution since the middle of the 19th century.

It turned out that for all their self-advertised cleverness the uber rich demi gods of the then finance industry could not undo what they had done. Governments and various international institutions had to step in to prevent the complete breakdown that was otherwise inevitable.   A great many lives were ruined. A worldwide recession began, the effects of which are still with us.  Unsurprisingly there were political consequences. The rise of the populist right and their mirror image on the far left, Brexit and Trump can be traced back to those times and what followed. The promise that was globalisation was turning into something completely different and unwelcome. The elites implicated in the project were severely undermined. At dinner parties bankers would pretend they were in the used car business rather than admit the truth.

How did this happen? There were several reasons but by common consent two were key :

  1. The interdependencies of different sorts of financial instrument had become so complex probably nobody in the world fully understood them and even if they had
  2. The finance industry was a powerful lobby which had convinced politicians to stay off their turf.

Is this ringing any bells?


Posted in Internet governance, Regulation, Self-regulation

Woe, woe and thrice woe

On Monday the Daily Telegraph – a leading UK broadsheet (with a thoroughly conservative pedigree) –  led with this headline:  Home gadgets open to hackers. The story was about the dangers to society in general and our individual well-being in particular, arising from the rapid growth of the internet of things.  The piece came less than two weeks after the FBI issued its warning about the way internet enabled toys – a subset of the internet of things – could pose several specific threats to children.

Not that long ago the press likewise was full of the mirai botnet drama, giving the world a hint of what a large scale hack of connected devices could achieve. “Hint” is the key word.

One of my smarter friends is convinced the arrival and pervasiveness of so many connected machines, performing perhaps intimate or highly personal tasks, maybe linked to our bodies, our homes or our kids, is going to give debates about the internet, indeed the whole technological universe or cocoon which we have constructed for ourselves, a physicality and an immediacy which hitherto has not been present. I think my clever friend is 100% correct in her assessment but is the internet of things truly an “internet issue” or is it, more prosaically, as some insist, “simply” about the design, propagation, and enforcement of adequate security standards? Actually it’s both.

But here we hit up against the first problem. One of the worst crimes anyone can commit in the eyes of tech companies is to “conflate”  what they see as being disparate issues. That’s the sort of thing only low life campaigners, know-nothing journalists and politicians do. Pitying our ignorance we are told the internet is now, in fact, a highly complex and diverse “value chain”  (horrible term) with many different types of businesses of varying sizes, functions and capacities.  We are reminded that no single company….. you know the litany. Yet in the public mind, and perhaps in the mind of a great many policy makers and headline writers, the whole thing is completely intertwined, the one inseparable from and dependent on the other. Why is that? Because that’s how they experience it. If you’re hit by a car, knowing it was because the brakes were faulty rather than it being the result of driver error may bring you some consolation, but not much.

Sitting down to tell someone their operation was cancelled and the hospital closed not because Microsoft or the “internet” did anything wrong but because that particular hospital’s network manager neglected to implement a patch is going to present a challenge.  As another terrorist or paedophile outrage appears to have a connection to cyberspace, as seemingly credible doubts are raised about the legitimacy of this or that election or referendum result “febrile” seems to be the word that best captures the mood.

I don’t think I know anybody who is seriously involved with any aspect of policy development in the technology space who truly believes the current arrangements are stable or sustainable in the longer run. There is a very strong undercurrent of opinion which privately acknowledges the next big cyber catastrophe, or maybe it will be the one after, could bring substantial parts of the internet as we know it crashing down around our heads because enough of the world’s major governments will finally agree to act in concert to insist on changes.  Some companies that are today dominant and seem solid as a rock, could disappear completely or be radically reconfigured pretty much overnight. Bits of the internet could go dark until there is a reboot.

In the face of such complexity the easy and understandable thing is to head for the bunker proclaiming  I am doing my bit, I can’t be responsible for everything. Alternatively, if you are a business, even though you know what may well be coming down the track,  you hunker down and hope it is a very long track. You go for the Travolta-Micawber-Midas strategy: staying alive, hoping that something will turn up while getting richer right up to the moment it all caves in. With a billion dollars in the bank you’ll probably be OK anyway.

This is precisely why someone somewhere should be thinking about how to construct a  pole of authority that is visibly detached from the vicissitudes of party politics, is not too enmeshed with the turbulence or short-termism of governments or money from the big companies that dominate the space today but can win the respect and attention of each of these elements. Oh, and it should be as international as possible but that should not be an obstacle to getting it up and running asap.

A tall order but those of us who value much, if not most of what the internet has brought to the modern world should really be worried that, right now, a convincing, authoritative alternative narrative which at least has a chance of carrying the day within the liberal democracies is simply not emerging or becoming grounded on a broad enough basis.

OK. So now I am going to go and put on my happy face.

Posted in Internet governance, Regulation, Self-regulation, Uncategorized

Ireland heading for 13

As expected it looks as if Ireland is going to end up with 13 as the age of consent for data purposes under the GDPR. This was the recommendation of Dr. Geoffrey Shannon, the Irish special rapporteur on child protection. It was made to a committee of the Irish Parliament. Apparently, all or most of the Irish children’s organizations supported Dr. Shannon although, according to the Irish Times, he suggested there had not, as yet, been any consultation with children themselves.  Dr. Shannon wants that put right. We can only guess what might happen if children take a view which differs from his.

Will the country of origin rule apply?

As I have remarked in a previous blog, there is a view abroad that the country of origin principle should be applied to the GDPR. If that opinion prevails and Ireland does indeed go for 13 it could render Article 8 a dead letter, or at least reduce its importance considerably. Facebook, Google and many other tech companies are incorporated in Ireland and since their current minimum age is 13 they will be able to insist that nothing changes – not just in Ireland but anywhere in the EU. Even Spain’s existing law (which stipulates 14) and Holland’s (which is 16) in effect would have to be repealed or amended.

Other countries still agonising over where to draw the line can stop bothering. The views of children in those jurisdictions similarly are rendered irrelevant. Businesses that at the moment specify 13 will instantly have a major incentive to relocate to Ireland if their home jurisdiction opts for a higher one.

Businesses based outside the EU

What will happen to online services domiciled outside the EU? Will they be the only ones that have to have variable ages depending on the local decision in a given EU Member State? There would be a certain irony there as they are likely to be smaller concerns who may struggle to find the resources to implement the more complex systems implied by such a position.  Maybe they too will have to relocate to the Emerald Isle.

It’s a funny old world

Back in 2012 when the Commission first published its draft of the GDPR they said there should be a single age for the whole of the EU and that age should be 13. Politicians in the European Parliament and national governments took a different view – that’s how we ended up with what is now Article 8 – but it could be that the Commission’s original position is going to win out in the end anyway, even if by a rather circuitous, unanticipated or unplanned route. This is bound to raise potentially uncomfortable questions about an issue of great sensitivity – a nation’s right to say how its children should be protected.

The arguments in favour of 13

The two strongest arguments in favour of 13 are, firstly, it avoids any possible erosion or compromise of the grooming laws because in no country in Europe is the age of consent to sex as low as 13 and, secondly, it represents the least restrictive of the available options in terms of potentially limiting a child’s  rights to access information or their rights to express themselves. By the way, it does not do away with that latter risk altogether because who is to say that even 13 is lawful under the UNCRC and other binding legal instruments? The actual capacities of the individual child are meant to be the guiding principle and that cannot be determined solely by reference to a fixed age.

However, the latter is a counsel of perfection which is utterly unworkable in the internet age, or rather to make it work would require companies to collect so much extra information about children as to be unacceptable for other reasons.

Thus we are driven back to having to accept fixed ages. They are a practical necessity for the foreseeable future.

The beef

The way this whole thing has been handled has been profoundly unsatisfactory. I have never said I am against 13 being the age, but neither have I said I am favour of it. There should have been large scale, independent research looking at the way in which the modern internet works in the context  of how children and young people relate to it and understand the core, commercial driving principles on which it is based and, above all how they understand  and relate to the privacy dimensions of the new realities of cyberspace.

The idea that 13 was the right age for everything emerged in prehistoric times when, for practical purposes, social media did not exist. Major commercial interests have now coalesced around 13 so they, at least, will be pleased. The rest of us are left wondering what if?


Posted in Age verification, Facebook, Google, Internet governance, Microsoft, Regulation, Self-regulation

When the law fails

Is it possible to discuss the internet as if it was an experiment? Can we look at some or all of it or are we to believe that, for example, when the Communications Decency Act 1996 (CDA) was passed by Congress and signed into law by President Clinton that everyone involved had a perfect, or even a very good, understanding of what was likely to happen?

I ask because I have just watched the movie “I am Jane Doe” on Netflix. This is about Backpage, an advertising web site that had been instrumental in facilitating the pimping and sex trafficking of an unknown number of children within the USA. Yet even though there was clear evidence of the site helping disguise the true nature of the ads they were very profitably publishing s.230 of the CDA provided an impregnable legal shield.

Backpage appears finally to have ended that aspect of their operations but it looks as if this was largely because of political pressure with no thanks at all being due to the law. The law stepped in to find a way to protect the wealthy owners of Backpage. It couldn’t find a way to bring relief to children. Shame on the law.

It is very hard for me to believe the 1996 legislators (or the First Amendment legislators for that matter) could have foreseen and intended to make it easier for children to be raped 20 times a day, as was the case with one of the victims who appeared in the film. On the contrary. If the 1996 legislators had had even the faintest inkling that their good intentions could be twisted or perverted in this way they would almost certainly have gone to considerable lengths to expand the number of exceptions or qualifications.

We have to be able to do better than this. Yet bodies like the Electronic Frontier Foundation argue

Any changes to Section 230 itself, to make it easier to impose liability on companies for user-generated content, would be devastating to the web as we know it—as a thriving online metropolis of free speech and innovation.

And there we have it. If we try to make it easier to protect children jackboots will soon be marching down Main Street.

I think I can say without reservation or hesitation that the courts can be trusted to distinguish between free speech and innovation and child sex trafficking but s.230 puts up a roadblock.

The Foundation goes on to say

Section 230 “is not some clever loophole” but rather “a conscious policy decision by Congress to protect individuals and companies who would otherwise be vulnerable targets to litigants who want to silence speech to which they object.”

There is a one-word answer to that: baloney. There is no right of any kind to promote or use loopholes of whatever sort to sell children into sex slavery. Wringing your hands, shrugging your shoulders and saying how much you regret that this happens as a result of s.230  or the First Amendment is pitifully inhuman. It must be within the bounds of possibility to devise a form of words that protects free speech, innovation, and children.

Posted in Child abuse images, E-commerce, Internet governance, Pornography, Privacy, Regulation, Self-regulation

More warnings about the Internet of Toys

On Monday the Financial Times carried a report of a new warning from the FBI about the dangers to children and young people arising from

Smart toys made by a slew of companies …increasingly incorporating technologies that learn and tailor their behaviours based on user interactions…

These features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.

Information such as the child’s name, school, likes and dislikes, and activities may be disclosed through normal conversation with the toy or in the surrounding environment.

The collection of a child’s personal information combined with a toy’s ability to connect to the Internet or other devices raises concerns for privacy and physical safety. Perhaps even more worrisome to parents, the potential misuse of sensitive data such as GPS location information, visual identifiers from pictures or videos, and known interests to garner trust from a child could present exploitation risks.

The answer to this and our call has to be Safety by Design, Security by Default. (SDSD). A neat strapline but how do we transform it into a concrete reality?

The FBI say

Parents should examine toy company user agreement disclosures and privacy practices, and should know where their family’s personal data is sent and stored, including if it’s sent to third-party services.

That sounds remarkably like the advice we get on everything. It is good advice but not good enough. Consumers, parents, and children need an interlocutor to act on their behalf to ensure that appropriate standards are in fact being met without requiring anyone to get out a magnifying glass to read the small print.

I am sure the big toy brands will be thinking about this very deeply. The risk, as ever, is that a small fly-by-night outfit  – invoking the name of the god of innovation – will rush to bring something to market, make a ton of money in a very short space of time thanks to clever marketing, then something dreadful happens because they haven’t paid enough attention to the security features. A child or children are seriously hurt and the whole market in connected toys takes a major hit. Maybe the well is poisoned for a very long time. We’ve already been perilously close to such a scenario.

There is an EU Directive on Toys from 2009 and it does include references to computers, games consoles and the like but as far as I could see it does not mention the internet or privacy. Maybe this needs updating, or perhaps the GDPR provides a sufficient legal basis. Either way there also needs to be a link to something like the CE marking regime so that parents and children have a ready way of knowing that what they may be about to buy or use meets certain basic standards.

Posted in Default settings, E-commerce, Privacy, Regulation, Self-regulation, Uncategorized | 1 Comment

As I would have said….

Yesterday I appeared on BBC Radio 4’s “World at One”, the current affairs lunchtime slot. If you download the podcast you’ll find the interview starts at 36 minutes and 55 seconds.

Why was there a story in the first place? That was because yesterday the Government, in the form of Matt Hancock, announced the formal commencement of the Digital Economy Act, 2017.  Bravo! Hancock suggested the age verification elements will be up and running by April next year. That sounds a tad ambitious but let’s hope it’s right.

I was on the BBC to discuss the age verification part of the Act, debating with a representative of the Open Rights Group (ORG).

I am glad the ORG exists. There is no doubt they do valuable and important work, campaigning to safeguard our civil liberties and freedoms across a broad front. I was delighted to hear them say they have no objection in principle to the idea of age verification being used for the purposes of protecting children. This would have been a little more convincing if, from the moment the Bill was published, the ORG had not opposed anything and everything to do with the idea.

I have no complaints whatsoever about the interview on the BBC. It was absolutely fine. It was, however, quite short and a few people who listened in have asked me if I could respond to some of the points that could not be covered fully in the time available. I will do this in form of bullet points rather than a discursive essay.

  • “Educating children about pornography and putting it in context as part of a wider discussion of relationships is better than throwing technology at the problem”.
  • It is ironic that in relation to the internet – this supremely technical environment which has facilitated if not created the difficulty to begin with – the idea of using technology to solve it is a no-no.
  • However, it is not a binary choice. Educating children and young people about sex, sexuality and relationships has always been important and, if anything, the arrival of the internet has made it even more so. For this reason, I very much welcomed the announcement earlier this year that sex education is to be made a compulsory part of the national curriculum. But you cannot “educate” a 9-year-old girl out of the horror of witnessing or being exposed to some of the stuff that is readily available on many of the sites that will be caught by the Digital Economy Act.
  • Thus, here we will be seeing and testing the extent to which technology can contribute to dealing with the problem. If innovation is the life force of the internet why can’t we innovate here?
  • Very similar arguments were made against the introduction of online age verification to deal with gambling web sites. Guess what? The legislation has worked extremely well and the gulag remains on the far horizon. Kids can no longer just tick a box to say they are 18 then go on a web site and blow their pocket money on the horses.
  • And to say that the porn sites are “free” and therefore the analogy with gambling doesn’t work is nonsense. The so-called “free” porn sites – which are the biggest problem – are highly commercial operations. People just pay in a different way.
  • I cannot think of a single large publisher of porn who has ever said they want children to be able to see their stuff, or even that they don’t care one way or another. It’s just that, as with online gambling, until the law required them to do something concrete to keep kids out few of them did.
  • It was said that “Mindgeek” – the biggest porn business on the planet –  will be collecting personal data on millions of people and it could be hacked, thus revealing information about an individual’s sexual preferences, exposing them to blackmail and so on. In addition, this data can be sold to third parties and exploited in any number of other unsavoury ways – presumably without the informed consent of the data subject.
  • First of all, any business of any kind operating within the UK will have to comply with our privacy laws. This means everything stated as a threat or a worry in the previous paragraph would be illegal and our data protection authority could go after them. I am therefore disinclined to believe that MindGeek would behave in that way and this was just empty scaremongering.
  • However, my guess is individual porn companies will find it hard to persuade would-be customers that handing over personal data of any kind to them is a good idea and what will emerge are trustworthy third parties, backed by or involving highly reputable companies,  who will undertake the age verification task. And remember, unlike with gambling, where anti money laundering rules also apply, here the only thing a porn site needs to know before it admits you is “have you been reliably verified as being over 18”?  The site doesn’t need to know your name, your actual age, address or indeed anything else. So the truth is this measure could be privacy enhancing for a great many people who want to view porn. I am sure the government did not intend to help the porn industry in this way but hey.
  • If someone chooses to buy something from a porn site and they have to hand over their credit card details then that is a matter for them and it is outside the scope of the Digital Economy Act (although not the privacy laws).
  • Technical measures could be used to circumvent the Act e.g. VPNs, proxies and TOR.
  • Similar arguments are used against any kind of filtering. You hear people say “kids are smart they can get around anything”. The implication being there is no point trying so let’s just leave things the way they are.  Cui bono?
  • It is true – kids are smart –   but the overwhelming majority of children and young people do not seek to evade filters and other protective measures. Certainly, as they get older, more may give it a go but even here most young people recognise and respect boundaries of this kind. Moreover if someone was to use a VPN, a proxy or TOR they would hardly be able to claim subsequently that they had got into the porn sites by accident or casually.  This alone will act as a restraint. These alternative routes typically require more than a little technical knowledge, application, and patience.
  • My three final points: our law has established a new normative standard.  We are saying to pornography publishers that, actually, it is not OK for you to just put stuff out there, profit from it and take no responsibility for keeping it away from audiences who you say you don’t want and who do not have the maturity to process or deal with it with, potentially, very harmful, lasting effects. Even though filters are or may be in widespread use you, as a porn publisher, have to do your bit to help. It’s now part of the cost of doing business in the UK.
  • The adult world (that’s us) has for a long time said to children and young people stay away from porn – it is unrealistic –  disrespectful of women, it is  violent and damaging, and so on, but actually we made no real attempt to put up any kinds of barriers to show we were serious about it. Policies such as those embodied in the Digital Economy Act, 2017 show we mean it and we are going to try to make it stick, just like we have done or are doing in other areas e.g.  in relation to copyright theft, terrorism and child abuse images.
  • The internet can claim no special privileges. If something is wrong or prohibited in the physical world then as near as we can it should also apply online otherwise the one undermines the other and in the end renders it meaningless.
Posted in Age verification, E-commerce, Pornography, Privacy, Regulation, Self-regulation, Uncategorized

No need to feel powerless

When people ask me what I do I often say I see my role as convincing others there are things that can be done to make the internet a safer and better place. We need to learn from each other, pay attention to the research, refuse to be dazzled by the headlights and speak truth to power. You don’t have to know what a TCP/IP stack is to know something is good or bad, right or wrong. Whatever humans have made can be unmade or altered. Our job, as advocates, is to find ways to mobilise the necessary forces to bring about progressive change.

However, if I did have a little, perplexed wobble of late it concerned the emergence of cryptocurrencies and the blockchain. I can see their potential to do many good things but how on Earth would we address them when deployed on the dark side? Thankfully the International Center for Missing and Exploited Children has rescued me and brought me towards the light.

In Cryptocurrency and the block chain: Technical Overview and Potential Impact on Commercial Child Sexual Exploitation the following  appears

…..this report is meant to provide….. a primer on cryptocurrencies such as Bitcoin, Ethereum and Monero, as well as their underlying technologies, and the implications of these technologies for commercial child sexual exploitation. It is intentionally written in informal and non-technical terms in order to provide a basic background in this rapidly-advancing and technical field, and assumes that most readers have limited or no familiarity with the inner workings, risks, benefits and implications of cryptocurrency.

For which we are all truly grateful.

And here is the good news

.…. the utility of Bitcoin and its even-less-widely-used cousins is still quite limited outside the borders of the Bitcoin universe. This means that, sooner or later, many users will attempt to spend their bitcoins with a mainstream online or brick-and-mortar merchant that accepts them, or convert them into more easily-spent (currencies) such as dollars or euros. At these connection points between the Bitcoin universe and the “real world,” there is an informational and investigative choke point that can reveal or point the way toward the one key datum not available from the blockchain: the user’s identity. These chokepoints should be seen as a key opportunity for the investigation and prosecution of child exploitation that involves the use of Bitcoin and the blockchain.

With this reassuring ending

Cryptocurrencies do make the job of battling commercial child sexual exploitation a bit different and a bit more challenging than in the past, but the same was true of e-Gold, PayPal and a dozen other payment systems when they first emerged. Some, like e-Gold, fought the law, and the law won. Some, like PayPal, aggressively took the fight to offenders and are now recognized as world leaders in this effort. If leading organisations continue to engage with the industry…. there is absolutely a body of data, tools, expertise, goodwill and willing volunteers that can continue to bring the fight to abusers.


Posted in Child abuse images, E-commerce, Internet governance, Privacy, Regulation, Self-regulation, Uncategorized