Only 100

I have written many times about the fantastic work Microsoft did when they developed Photo DNA – the tool that allows law enforcement and other agencies to create a “digital fingerprint” of a child abuse image. This “fingerprint” can then be deployed on a network to detect any re-occurrences of the same image thus either preventing it from being uploaded again or expediting its removal and investigation if it is already being stored there. It’s a great service to the victims depicted in the images and can save a huge amount of police time in several different ways.

Microsoft did not have to create  PhotoDNA. There was no law or regulation obliging them to do so, much less was there a law or regulation saying they then had to give it away for nothing, which is what happens. Microsoft did it because they could and because they knew it would do good in the world. Three cheers, again, for  Redmond.

Now switch to Mexico. The Internet Governance Forum is in session. I am in the audience. A senior Microsoft Executive discloses that 100 organizations are using PhotoDNA.

We know that Twitter, Facebook and Google are three of the 100 because they speak about it in public frequently. When I asked Microsoft for information about the other 97 – who are they, what types of businesses or organizations are in there? – the shutters came down. Confidentiality agreements prevented Microsoft from going into  detail. All I learned was that within the 97 are law enforcement agencies and NGOs. In other words the 97 are not all internet businesses.

Marshalling those super sleuthing skills and powers of deduction for which I am justly famous,  I decided to check out if Microsoft itself might be using PhotoDNA and, sure enough it is. PhotoDNA appears to be  integrated into its Cloud Service so, presumably, that means the Microsoft business is on board, as are the unknown or undisclosed number of Cloud Service customers.

But leaving aside Microsoft’s Cloud Service customers who are covered I am still deeply shocked at the seemingly very low rate of take up of PhotoDNA.

Any and every business that provides members of the public with any kind of online storage facility or transmission mechanism must know that sooner rather than later their services will be used by those who are engaged in child abuse.

That being so, why would they NOT deploy a tool like PhotoDNA?

Every online business should be obliged to take all reasonable and proportionate steps to mitigate all forms of unlawful behaviour that might otherwise take place on their networks even  though, without actual knowledge,  they can never attract substantive liability for  the unlawful conduct or content in question.

I am not suggesting we interfere with or change the rules concerning the liability of intermediaries but just as restaurants must always comply with food hygiene laws, online businesses should be required to do likewise in respect of cyber hygiene.

Posted in Child abuse images, Default settings, E-commerce, Facebook, Google, Internet governance, Microsoft, Regulation, Self-regulation

More progress

About 10.00.p.m. last night the Digital Economy Bill completed its passage through the House of Commons. The key clauses on age verification had initially been tabled by Claire Perry MP with signatures from Members of Parliament from seven different political parties. The great news, previously relayed through my blogs, was that the Government, in essence, adopted Claire Perry’s amendments and made them their own. They went through without demur.

It is clear there are legitimate concerns around the privacy dimensions of how the policy will work in practice but as to the main idea – of using age verification to restrict access to commercial  pornographic web sites – no one expressed any opposition at all.

The Bill now goes to our second Chamber, the House of Lords, where it is likely to occupy their Lordships until mid-February-ish. No doubt there will also be a “run-in” period, as there was when age verification for online gambling was introduced, so it could be yet a while before the new regime finally kicks in.

Almost certainly in the Lords there will be probing around some of the privacy angles but the chances 0f any of  the key parts of the Bill affecting children  being materially altered are extremely close to zero. This was a Manifesto pledge and the elected House has spoken.

Well done Claire Perry and well done the Government and all the political parties that helped get this measure through.

The internet is meant to be all about innovation. This is certainly a major innovative initiative and I am very pleased the UK is taking it. The eyes of the democratic world will be upon us and when we have demonstrated that the approach works, you can be sure many other countries will follow suit.

As I have said before – the internet is a family medium, a children’s medium, just as much as it is anything else, and its rules of the road will have to reflect that. Goodbye Wild West. Hello civilization.

Posted in Default settings, E-commerce, Internet governance, Pornography, Regulation, Self-regulation

Community values trump dead Utopian vision

The debate taking place in the UK about the introduction of age verification for pornography sites is, so to speak, exposing a number of very strange arguments. Some are advanced by people such as the Open Rights Group (ORG) who are flailing around looking for any and every reason to be against the government’s proposals.

Entering into the spirit of the “post-truth age” which we all now seem to be living in, neither is the ORG averse to rearranging or distorting the facts. For example, in their opening salvos they spoke about the government planning to ban “erotica”. Untrue.  That word does not  appear anywhere in the Digital Economy Bill.  Moreover the BBFC is the body that will have the responsibility for implementing the legislation, and they know where to draw the line between erotica and pornography even if the ORG doesn’t.

We were told every type of pornography site is being hit. Incorrect. Only commercial sites operating on a significant scale will be subject to the legislation. Anyone who read the draft legislation would have seen that. The words are clear. So either ORG didn’t read the Bill or they did and chose to misrepresent the position.

Then in an interview in The Guardian we were informed that if Parliament passes the Bill with the age verification clauses in it we will be putting ourselves alongside Turkey and Saudi Arabia. Excuse me? In Saudi Arabia the intention is to deny access to pornography to everyone. That is not the case here. All the UK is trying to do is restrict access by children, in accordance with our existing laws.  Trying to establish guilt by  the smear of association is a desperate tactic at the best of times but when it is also based on a fiction it just seems, well, pathetic.

However, if only by accident the ORG has hit on a couple of points where I think they are on to something. One I agree with, the other I most decidedly do not. Let’s go with the latter first.

There are four types of pornographic material circulating on the internet. One is straightforwardly and indisputably illegal: child abuse images, and we already have a good way of dealing with them.   They are not at issue here.The second  is material which can be viewed in public cinemas or bought over the internet. It has been classified as 18 by the BBFC. Sites displaying this type of material will be caught by the new law. That’s logical.

Next is material which has been rated R18. Under our current law this should only be sold on the premises of licenced sex shops to persons over the age of 18. Yet it is always available online on commercial pornography sites. It shouldn’t be but given the practical difficulties – the very reasons why the Bill has been brought forward  – there have never been any prosecutions. It is a law honoured in the breach more than in the observance.

In the case of R 18 the UK government, in effect, is proposing to liberalise the law because in future such material will be lawfully available online on sites which have age verification. I’m ok with that.

Finally we have material which is so extreme or disgusting that the BBFC refuses it any kind of classification or it is illegal anyway under some other heading. I am not going to go into detail on a family show but if you want to know more you could do worse than look here.  Henceforth this will be known as “prohibited material” and it looks like it too will have to go before a porn site can be given the age verification seal of approval although I can see there is a legitimate case to be argued about what should and should not be included in the “prohibited” category.

I know the internet utopians hate to hear this but the internet today is a family medium or a family service as much as it is anything else and the rules of the road are going to have to reflect that.  John Perry Barlow’s vision hasn’t worked. That shimmering image has evaporated. Get over it and don’t blame child protection advocates.

The argument is about the supremacy of community values  over techno-determinism. The UK should be able to have the internet it wants for its children. I believe that up to now the UK has been failing in its legal  obligations to protect children by not having an age verification law of the kind being proposed. But, hey….that will soon be behind us so let’s not dwell on it.

Where do I align with ORG and its friends?

The core of my argument is around protecting children from age inappropriate material. On questions of privacy I think any and all solutions which are to be deployed to carry out age verification should be privacy friendly, privacy compliant and scam-proof. Although I am a member of the BBFC’s children’s viewing advisory panel  I am not privvy to their plans or thinking on this aspect but I would very much like to see some sort of arrangement  emerge which involves the Office of the Information Commissioner being given a role in deciding which age verification solutions are acceptable and which are not. I have grave reservations about simply using credit cards.

Posted in Age verification, Child abuse images, Default settings, E-commerce, Internet governance, Pornography, Privacy, Regulation, Self-regulation, Uncategorized

The finishing line is in sight!

The Digital Economy Bill is nearing the end of its passage through the House of Commons. When the Bill becomes law the UK will have an Age Verification Regulator (AVR). It will be the British Board of Film Classification , a trusted, respected, independent organization, over 100 years old, and well versed in making decisions about how to describe or classify different types of content in the interests of protecting children.

The AVR will be able to require commercial pornography publishers to introduce age verification so as to ensure persons under the age of 18 will not normally be able to view their wares. Among other things this will catch the so-called “free” sites which, in reality, are highly commercial. Failure to comply  with the age verification rules could attract a fine of £250,000 or 5% of the business’s turnover, whichever is the greater. Suppliers of ancillary services e.g. payments providers and advertisers are expected to cut off persistently non-compliant sites.

However, since all of the main sites are based overseas what if they just ignored the fine and found other ways of collecting revenues?

Last night the UK Government announced it will table an amendment to the Digital Economy Bill giving the AVR the power to mandate ISPs and other access providers to block persistently non-compliant commercial pornography sites. This mirrors what we do already with copyright infringing sites as well as sites containing child abuse images and terrorist materials.

In making this announcement the Government can be heartily congratulated on fulfilling its 2015 Manifesto pledge.

The misinformation and hysteria of the measure’s opponents has plumbed new depths of irresponsibility.  For example, anyone who bothered to read the Bill will see no sex education web site will be closed down or blocked as a result of this measure. Neither will small or amateur, non-commercial sites be affected. When everything has calmed down and we have had a chance to see that nobody’s free speech rights have been curtailed maybe we can revisit the issue.

In reality all the Government is doing is legislating to make it possible to enforce what is already the law of England. Here is an extract from the Crown Prosection Service web site. It contains advice issued following the decision in the Court of Criminal Appeals in R v Perrin.

where children are likely to access material of a degree of sexual explicitness equivalent to what is available to those aged 18 and above in a licensed sex shop, that material may be considered to be obscene and subject to prosecution. This applies to material which is not behind a suitable payment barrier or other accepted means of age verification, for example, material on the front page of pornography websites….. EWCA Crim 747 [2002].

The problem has been because the overwhelming majority of pornography sites are based overseas there was no practical way in which our law could be made to stick. Since Perrin there have been zero prosecutions of overseas pornography web sites for failure to comply with age related rules. The Digital Economy Bill simply introduces a regime which can work in a very straightforward and practical way that is well understood by everyone in the internet industry and is easy to explain to others.

The ironic or paradoxical outcome of the new age verification regime is that porn users’ privacy will in future be even better protected than it is now.

Posted in Age verification, Default settings, E-commerce, Internet governance, Pornography, Privacy, Regulation, Self-regulation

Careless meets sneaky

A while ago there was an uproar when it emerged that online businesses were, in effect, paying children to exploit their friendship networks to promote certain products, without disclosing they had a commercial relationship with the company that owned the thing they were speaking about so warmly.  Cases  were identified where children were getting paid according to the number of contacts they made thus encouraging them to engage with as many people as possible. This might have led some to connect with strangers.

The Bailey Review commented on it and the UK advertising regulator eventually stepped in to ban the practice but you have to wonder why anybody thought this would ever be an acceptable way to treat kids in the first place.

More recently, in the USA the New York State Attorney engaged with Viacom  (Nickleodeon), Mattel, Hasbro and Jumpstart. Attorney Schneiderman announced that these businesses did not comply with the Children’s Online Privacy Protection Act. That’s the one that limits marketing to under 13s unless a parent has given their consent.

It wasn’t the substantive businesses themselves that were directly in breach but they had allowed third-parties to operate on their sites and these were not  complying. Anyway the outcome was Viacom, Mattel, Hasbro and Jumpstart had to pay a total of $835,000 in fines and agree to a set of reforms. They are now mandated to vet the practices of all third-party services before letting them on their virtual properties.

Should these businesses have thought of this before? Probably, but aside from that two things spring to mind

  1. It took the Attorney General of New York two years to satisfy himself that a breach had occurred then bring his investigation to a conclusion. I do not know a single children’s organization anywhere in the world that has the resources or the alliances which would allow them to get anywhere near acting as a consumer watchdog in matters of this kind. It is not right that we should be so dependent on government agencies.
  2. Do we think the principle illustrated by this case could be extended to the platform providers that allow third-party apps to be sold on or through their services?
Posted in Advertising, Age verification, Consent, Default settings, E-commerce, Privacy, Regulation, Self-regulation

One last heave?

Life was simpler once. Governments in the liberal democracies were content to rely heavily on industry self-regulation as the principal means of addressing some of the problems that began to emerge with the arrival of the internet. Industry by and large loved such an approach. The fewer actual rules or restrictions, the larger the scope they had to innovate and experiment with new business models.

Right out of the traps  many free speech and civil rights groups objected to this approach. They argued if Governments are putting direct or indirect pressure on industry to behave in a certain way in order to deliver on  particular public policy objectives, they should do so openly, making their wishes or intentions known through established public policy mechanisms e.g. legislation and regulations. That way there would be transparency, there would be accountability and the playing field would be as level as it could be, at least in the sense that pretty much everyone would be bound. Compliance should not be à la carte.

My view always was, and remains, what matters is what works.  I don’t have a dog in the at times theological fight over processes.

However,  for all sorts of reasons it is now clear the areas within which internet self-regulation can continue to operate inside the EU are becoming vanishing small. The net neutrality rules, the AVMSD and, grandmother and grandfather of them all, the GDPR, are closing down or narrowing the spaces (maybe not always entirely satisfactorily).  If the Unfair Commercial Practices Directive is ever to be materially enhanced and national data protection authorities  or some other body takes it upon themselves to ensure that big internet platforms are delivering on their implied or stated (but unverified) promises about how they treat children we will more or less have covered all the key bits of the turf.

And yet

Yet even where hard law exists everyone recognises there are issues of interpretation and about establishing best practice which can benefit from open dialogue between a range of interested parties. Then there is the problem of perpetual change.  Every regulatory environment – self or otherwise – is bound to lag  behind real world developments. If they do nothing else, intelligently thought-through voluntary measures can hold the fort until the longer term picture becomes clearer.

This was the backdrop to an important meeting last week in Brussels which is looking forward to the launch, on 7th February next year, of the  Alliance to better protect minors online.  The Alliance will build on the work of the previous  Administration’s CEO Coalition. It was accepted there needs to be mechanisms for monitoring what is achieved under its aegis.

One area where there was broad agreement was in respect of the need for continued self-regulatory activity is in the field of education and awareness. Combatting bullying receievd special mention as did promoting good netizenship. True enough even here we  already see the state or its proxies assuming more and more responsibility but there is little doubt that both Governments and public alike can reasonably expect the industry to pitch in, helping to ensure children and young people themselves, their parents and teachers as well as other members of the children’s workforce are up to speed. The good news is large parts of the industry fully accept their continuing role and responsibility in these areas. The challenge is to reach out to more industry players to get them to sign up.

Watch this space.




Posted in Default settings, E-commerce, Regulation, Self-regulation

ICANN refuses to explain

Regular readers will know about the application made by the .Kids Foundation to ICANN to be allowed to run the proposed new .kids gTLD.  ICANN gave a contract to the Economist Intelligence Unit  (EIU) to help them assess the bid.

I have been around the child protection, children’s rights  and child welfare space for several years. I had never heard the EIU’s name mentioned as an authority in connection with anything to do with children. Had I missed something? I contacted the EIU. They refused to discuss it. The EIU referred me to ICANN.

In their reply to my questions ICANN told me

….the EIU was chosen because it offers premier global business intelligence services.

Not a convincing opening line given the nature of my enquiry but ICANN went on to quote from something called the Panel Process document, in particular the following:

The EIU is the business information arm of The Economist Group, publisher of The Economist. Through a global network of more than 500 analysts and contributors, the EIU continuously assesses political, economic, and business conditions in more than 200 countries. As the world’s leading provider of country intelligence, the EIU helps executives, governments, and institutions by providing timely, reliable, and impartial analysis.

The word  child  or  children  have yet to make an appearance. In fact they never do.

Then comes this

The evaluation process respects the principles of fairness, transparency, avoidance of potential conflicts of interest, and non-discrimination. Consistency of approach in scoring applications is of particular importance. In this regard, the Economist Intelligence Unit has more than six decades of experience building evaluative frameworks and benchmarking models for its clients, including governments, corporations, academic institutions and NGOs. Applying scoring systems to complex questions is a core competence.

I added the bold to that word transparency since it is clear it is singularly lacking.

ICANN then gave me some more cut-and-pasted quotes

  • All EIU evaluators undergo regular training to ensure full understanding of all CPE requirements as listed in the Applicant Guidebook, as well as to ensure consistent judgment. This process included a pilot training process, which has been followed by regular training sessions to ensure that all evaluators have the same understanding of the evaluation process and procedures.
  • EIU evaluators are highly qualified, they speak several languages and have expertise in applying criteria and standardized methodologies across a broad variety of issues in a consistent and systematic manner.
  • Language skills and knowledge of specific regions are also considered in the selection of evaluators and the assignment of specific applications.

So I wrote back with only one further question

Did you satisfy yourself that the EIU had (the necessary expertise) or did you simply rely on the EIU’s general assurances (that they had)…..?

Answer came there none.

I doubt the EIU has much of a clue about children and the online space thus, to be clear, I think they were wrong to accept a contract to work in  an area that is outwith their competence but equally ICANN should not have offered them the work without satisfying themselves the EIU  could do it properly.

Children’s interests are marginalized or overlooked once again.

Posted in Default settings, E-commerce, ICANN, Internet governance, Regulation, Self-regulation