More problems with ICANN and WHOIS

Almost from the very beginning of the internet, or at any rate from the beginning of the worldwide web, there has been an explicit rule which says that the name, address and contact details of whoever owns or manages a domain must be accurately recorded and published in a way which is accessible to anyone who wants to know. It was repeated in the so-called “Affirmation of Commitments” (para 9.3.1) which for practical purposes is the modern foundational charter of ICANN.

It is a rule honoured more in the breach than in the observance. In a review published a few years ago it was found that of the then 220 million domain names in existence only 23% fully met the accuracy requirement. In other words to find accurate details of who owned a domain was very much the exception rather than the rule.

Why is this so? Because verifying the information given by people buying domain names takes time, costs money and potentially deters people from buying in the first place. Those things can impact adversely on the revenues and profits of Registries and Registrars, and therefore also, ultimately, ICANN itself.

Because of this ICANN has failed to take any meaningful enforcement action to secure compliance with its own rules and, instead, has set in train what feels like an endless cycle of reviews and re-examinations. The longer they can drag it out the longer the money keeps rolling in. If, eventually, they have to move then, c’est la vie, they milked it for all it was worth.  But the rest of the world has paid a terrible price.

Why? Because the volume of fraudulent and criminal misuse of the domain name system has overwhelmed the capacity of law enforcement agencies and other regulators. The amount of time it takes, the cost and complexity of determining who precisely did something which appears to be unlawful, is now so onerous unless it is an egregious instance most cases simply end up in an ever-growing inbox. The bad guys know this and play the odds. Yet it is hard to imagine that if all internet users knew they could be rapidly, reliably and inexpensively identified that there would be quite so much bad or criminal behaviour taking place.

This has nothing to do with being anonymous in the sense that, broadly-speaking, I could hardly care less what names people use when they log on to or use a service. What is important is that people know, rather like the position with car number plates,  if  it is necessary for the purposes of carrying out an investigation,  law enforcement or regulators in their country could quickly get a fix on them if a legitimate request came in which complied with the current rules of their own national law and international law.

However, now it seems a couple of Registries in Holland are saying the GDPR forces them not to publish details of who owns a domain. Their argument is partly technical i.e. if a Registry makes it a condition that a would-be purchaser of a domain name must agree to their personal information being published, as a condition of being able to buy it, that to some degree is coercive or it is called “bundling” and both are forbidden.

For now, ICANN appears to be objecting to this interpretation of the GDPR but I can imagine a great many interests in and around ICANN would be delighted if this Dutch view prevails. It musn’t.

PS: For the avoidance of doubt, in the end, I  guess I am less concerned about the names and addresses of domain name owners being published than I am about the data being accurate and easily and inexpensively accessible to law enforcement and regulators. Of course, it should be possible for consumers, should they be so minded, to check out who owns a site before they engage with it.

Posted in Default settings, ICANN, Internet governance, Privacy, Regulation, Self-regulation

Transparency and evidence

I recently heard  Professor David Finklehor most forcefully make the point about how little independent evaluation is done in the online child protection space. This restricted the opportunities for people to learn from each other, allowing poor or ineffective programmes to continue or even grow while better initiatives might be overlooked.

Then last week at Parentzone’s excellent conference Professor Andy Przybylski made the remarkable claim that only around 30% of the programmes he had looked at or was aware of could be replicated and achieve results similar to those claimed by the authors. The implication of this was clear. There could be a lot of dodgy science going on.

Now we all know that some things are difficult to measure and, applying the precautionary principle,  you don’t need to have absolute certainty about everything before common sense points you towards doing something.  Also evaluation costs money and not everybody wants their work to be looked at too closely by outsiders but without it there is always a risk that the activities in question are little more than a PR gimmick truly designed to serve a different and undeclared purpose or are a money grab with no higher objective than meeting the wages bill. That wasn’t meant to sound as pious as it came out. As a freelance for many years I think I am more aware than most about the precarious nature of this business.

More importantly, though,  the absence of sound evaluations suggests a lack of seriousness.  It is inconceivable that in the field of medical research, for example, or in other areas where public safety or welfare arises, that there would not be repeated testing and assessment before something was given any kind of official blessing or imprimatur, much less recommended to third parties.

Posted in Regulation, Self-regulation

The Green Paper and other things

I have now read all of the Green Paper more thoroughly and there is no doubt in my mind, in terms of its scope and much of its language, it is extremely good.  Of course, at its heart, is the fundamental problem of laws/no laws, to which I referred in my last blog and we’ll see where things end up on that score.

Last week’s  edition of The Spectator (a publication of the Thinking Right)  came out on Friday. It could hardly have been clearer in terms of calling for legal restraints or obligations to control the internet giants. The previous day in the Guardian the same businesses were likened to cars without brakes, saying they must be reined in. Let’s overlook the mixed metaphor and just accept the spirit of it.

Beyond that Jenkins produced this memorable paragraph

The internet is passing through the robber baron phase of capitalism, as manufacturers did in the 19th century. Then, as now, governments were too scared to regulate companies, which grew big and arrogant, and collapsed. I bet this happens to the internet.

It is becoming increasingly difficult to find anyone to speak in favour of the status quo unless, of course, they are in one way or another a client of it or hope to be.

Returning to the Green Paper, there are a couple of surprising omissions and a few issues that will probably generate more heat than light but, as usual with something like this, I am going to be consulting with all the children’s groups in the UK’s Children’s Charities’ Coalition on Internet Safety before responding in detail. So watch out for a blog nearer 7th December – which is the closing date for comments.

Posted in E-commerce, Facebook, Google, Internet governance, Regulation, Self-regulation, Uncategorized

One more visit to the Last Chance Saloon

Today saw the launch of the long-awaited Green Paper (consultative document)  setting out the UK Government’s thinking on what a new internet safety strategy might look like. Containing almost 60 pages of densely written text, it pretty much covers the entire online child safety and child welfare horizon plus a couple of extra bits e.g. fraud and older people. In addition, while online dating sites and hate speech have not, historically, been part of the children’s internet agenda, the fact is they definitely are now so well done to all for including them.

I am not going to try to sum up everything in the Green Paper today but here are three  of what I think are key headlines:

  • The Digital Economy Act, 2017, requires a Code of Practice to be developed to guide or at any rate describe how social media platforms are expected to behave across a broad spectrum of issues. This we already knew. What the Green Paper makes clear is that this could become linked to sanctions regime to ensure compliance. Gulp!  I must have missed that but the key word there is “could”.   We shall see.  Sanctions, or the threat of them, certainly seem to be doing the trick in Germany.
  • A levy is to be established to fund awareness raising and preventative activity although here it is clear they would really like it to be voluntary. What is unclear is if the expectation is that, if such a levy were to be established, would it simply siphon off funds companies are already spending e.g. on initiatives such as  Internet Matters or would it go into a kitty that the Government would control\/
  • Without wishing to diminish the importance of either of the above, for me the truly encouraging bit of the Green Paper concerned what the Government are asking for in terms of transparency.

We simply do not know the truth about the real scale and nature of what is happening to children and young people on the different platforms and how well, or otherwise, the companies responsible are addressing them, within what timescales and so on. And just to make it clear, the we here is not just policy wonks, it is parents, teachers and children and young people themselves.

Given the absolutely central role the internet plays in all our lives it is no longer acceptable for companies to ask everybody to take everything on trust. With great power comes great responsibility and with great responsibility also comes a need for accountability.

There can be no real accountability without transparency.  The transparency dimension is also to be voluntary but on the  Today programme on Radio 4 this morning Karen Bradley MP, Secretary of State  with responsibility in this area, was quite clear (paraphrasing)

If this voluntary approach does not work we will legislate.

I guess I have a rather world-weary sense that that’s where we are going to end up so I am disappointed we didn’t take that final and inevitable step now. Instead, we are making one more visit to the Last Chance Saloon. Apologies for mixing metaphors but I am reminded of the boy who cried “wolf!”.

And was it a coincidence that just as the Green Paper emerges today we learn that Ofcom, or at any rate its CEO finally seems to accept both that the internet can be regulated and that the big internet platforms are in fact publishers?

The wind has been blowing in this direction for quite a while but when even conservative-old Ofcom starts tacking you sense that it looks like turning into a gale.

Closing date for comments on the Green Paper is 7th December.

Posted in Default settings, E-commerce, Facebook, Google, Internet governance, Microsoft, Regulation, Self-regulation

The Holy Father takes a stand

I have had several comments, ranging from the wry,  sarcastic, through astonished, to utterly disbelieving or critical about my having attended a conference organized by the Catholic Church to discuss child abuse. In Rome of all places! At a time when two senior officials of the Catholic Church are awaiting trial or investigation in relation to child abuse.

As someone who was brought up a Catholic, attended a Jesuit school and has two cousins who are Catholic priests, I think I can claim some sort of, at least minimal, insight and I know with absolute certainty that the massively overwhelming majority of Catholics, and above all the clergy and the leadership, are righteously angry with the individuals within the Church who betrayed the trust placed in them by children. More than once reference was made to child abuse being a “sacrilege” and in Catholic-speak it doesn’t get much stronger than that.

All of the Catholics I know have also been hugely disappointed by the dreadful mistakes the Church as an institution sometimes made in relation to their handling of a number of cases of child abuse when they came to light.  I don’t want to put words in anyone’s mouth but I have an inkling the energetic way in which the Catholic Church’s senior leadership is attacking the problem of child abuse today, particularly within the Church, is at least in part motivated by a desire to expiate and atone for the sins of their collective past.

And if we won’t sit down with the Catholic Church, who will we sit down with? I cannot think of a single institution that has brought adults and children into close proximity that has not experienced exactly the same problems and challenges as those which have beset Catholic bodies. Secular and religious organizations alike have let down kids. Secular and religious alike now know that unless you actively intervene to safeguard children abuse will almost certainly happen and you will not be able to escape the moral and possibly also the legal responsibility for it.

Of course the fall from grace, so to speak, is all the more spectacular, wounding and depressing in an institution such as the Catholic Church which unambiguously founds itself on deeply held ethical principles but the hard-headed fact is the Catholic Church is populated by humans, with all their attendant frailties, failings and weaknesses. If we had forgotten that once, we will never do so again.

Yet it remains the case that the Catholic Church in general, and Pope Francis in particular, exert a unique authority in the world so the fact that they are taking up spiritual arms in the fight for a better internet for children is an event of enormous importance. I was both honoured and delighted to be part of it.

The conference

I have never been to anything like it before. There were several notable absences,  and I have no way of knowing how they came about – could have been simply diary clashes – but otherwise there was an astonishing spread of leading researchers and child protection advocates from across the world. It would be invidious to single out anyone in particular but I was particularly pleased to be able, for the first time, to listen to Michael Seto. I was even more delighted when, by chance, we ended up in the same workshop and could carry on a more direct conversation.

Many of the other speakers I had both met and heard before and it was great to see them again but one complete newbie for me was Professor Elizabeth Letourneau from John Hopkins University. She confidently asserted that child sex abuse is preventable. In Letourneau’s view the problem is too few policymakers believe that and, as a result, do not invest sufficiently in preventative strategies. Individual children and society as a whole consequently pay a much bigger and more terrible price further downstream.

The Declaration of Rome

The major outcome of the conference was the Declaration of Rome which Pope Francis put his name to yesterday morning. Because this was, as it were, both a statement by a religious leader and also a Head of State the wording had been chewed over and worked- on days, possibly weeks, before. Would I have written it differently if it was entirely down to me? Almost certainly, but even so I could not have improved on statements like these, addressed as they were

To the parliaments of the world to improve their laws to better protect children and hold those accountable who abuse and exploit children.

To leaders of technology companies to commit to the development and implementation of new tools and technologies to attack the proliferation of sex abuse images on the Internet, and to interdict the redistribution of the images of identified child victims.

To government agencies, civil society and law enforcement to work to improve the recognition and identification of child victims, and ensure help for the massive numbers of hidden victims of child abuse and sexual exploitation.

To governments, private industry and religious institutions to undertake a global awareness initiative to make citizens in every country more alert and aware regarding the abuse and sexual exploitation of children, and to encourage them to report such abuse or exploitation to appropriate authorities if they see it, know about it or suspect it.

The Declaration of Rome – Part 2

Everybody who attended the conference was assigned to a workshop. Within them there was a rich and varied set of debates and discussions where several quite detailed and specific points were sharply expressed.

These will be reflected in a further statement or supplement to the Declaration of Rome and this will also carry the full weight of Papal authority.

My search engine tells me that crossing fingers probably had pagan origins so it might be inappropriate to invoke it here. But if it wasn’t, that’s what I’d be doing. Watch this space.

Posted in Child abuse images, Default settings, E-commerce, Regulation, Self-regulation

We needed a shout. We got a whimper

Last week the Commission of the European Union issued a press release with a headline which is a little at odds with the contents. Here it is

Commission steps up efforts to tackle illegal content online.

In fact the press release only speaks specifically about terrorism-related items and hate speech. The associated Communication picks up on and refers to a wider range of issues, including child abuse material, but even here there is an acknowledgment that this latest initiative was motivated by the terrorist acts that took place in different EU Member States earlier this year and last.

What are we to conclude from this? The politicians are focused on terrorism, the Commission staff have a broader vision? Hmmm.

Obviously I am pleased more seems to be getting done about terrorism and hate speech but maybe I am also feeling a bit concerned that children are slipping down the ladder. We shall see.

The Communication is (obviously) the more substantial of the two documents.  It is an excellent summary of a range of  EU initiatives and measures which impact on the area of illegal and highly undesirable content but its language is resolutely stuck in the frame of self-regulatory co-operation i.e. the very system that brought us to the present state of affairs.  For companies famed for “getting ahead of the curve” when it comes to technology that will make a buck, with one or two honourable exceptions they always seem not only to be behind the curve but only to start moving forward towards par when pushed by screaming headlines and the politicians’ inevitable follow through. This does not inspire confidence or trust.

In her quote in the press release Commisioner Jourova hints at the prospect of a more muscular, legislative approach if this latest push does not deliver so one is left with a sense that such a scenario may only be one bad set of headlines away. Everything feels flimsy, provisional and contingent. We needed  a shout. We got a whimper.


Transparency is mentioned quite a lot. Here is the key excerpt

Online platforms should publish transparency reports with sufficiently detailed information on the number and type of notices received and actions taken, as well as the time taken for processing, and the source of the notification. These reports should also include information on counter notices, if any, and the response given to these. The Commission encourages the publication of this information on a regular basis and at least once per year.

Good luck with that. When we last discussed something like this with Facebook in the UK they told the Government unequivocally they would not release any information they were not legally obliged to publish.

Assuming that little problem can be solved the Communication still does not make clear how the Commission will satisfy itself everything that can reasonably be done is being done, not just in relation to items reported.

For example will companies include in their transparency reports details of content they found as a result of their own proactive searching?

I applaud the Commission’s obvious enthusiasm for companies becoming more proactive in finding bad stuff on their platform and in making a greater effort to enforce their own terms and conditions of service. I can only express the hope that the Commission has correctly interpreted the law. They say there are no issues with the immunity guaranteed by the eCommerce Directive but, er, they would wouldn’t they? Yet they are not a court.

Finally, it is made clear throughout that the main focus of the Communication is and has been the larger platforms. The smaller guys were in their minds, we are told, but they will be looking at that dimension separately. Good. And remember this: Europe in general and one country in it in particular, Holland, are now the largest sources of online child abuse images in the world How did that happen? You cannot lay it at the door of Facebook, Google,  Microsoft or Twitter. On the contrary, two of those companies, Microsoft and Google, have developed tools which, if more widely deployed or used, could have helped us all avoid that badge of shame.


Posted in Default settings, E-commerce, Facebook, Google, Internet governance, Microsoft, Regulation

Watch out Canada and Mexico! Watch out world!!

Regular readers will be aware of what has been going on with the Backpage saga in the USA. It’s all about the way s.230 of the ironically-named Communications Decency Act, 1996, appeared to be providing a shield for companies like Backpage to facilitate child sex trafficking and other forms of child sexual exploitation.

A Bill proposed by Senators Portman, a Republican,  and Blumenthal, a Democrat, is trying to amend the law, inter alia, to resolve uncertainties which seem to have arisen about the proper construction of s.230. The Portman-Blumenthal Bill would make it crystal clear there is no immunity of any kind for anyone knowingly aiding and abetting companies like Backpage.

The Bill is doing well but there is a long way to go before we can say for sure that the forces of sweetness and light are going to win.

Now park that. We’ll come back to it.

A rumour reaches my ears

Earlier this week I heard an astonishing rumour. Yesterday it was confirmed to be a fact.

So now we know that, even as reform is being debated on the hill, tech firms are lobbying the Trump White House to have a s.230 lookalike incorporated into the NAFTA trade discussions that are going on in a separate part of the forest.

That is chutzpah on stilts.

Watch out Canada and Mexico. Watch out world.

The effect of what the tech firms are doing would be to export a s.230 regime, as is, to poor old Canada and Mexico. And, of course, if this idea makes any headway, it raises the prospect that the same businesses will try to get it included in yet more trade deals with other countries or trading blocs.

Knowing how keen British Prime Minister May is to conclude a post-Brexit trade agreement with the USA that makes me worry. Parochialism aside it should make everyone worry, whatever country they live in, if they have an existing trade agreement with the USA or might be trying to secure one.

At a stretch, could it also mean that whatever befalls the Portman-Blumenthal Bill if a clause makes it into the NAFTA Treaty that will ,er, “trump” the then status quo? No. Surely it couldn’t. Could it?

And global standards? Only when it suits us 

Here’s my other take on this: I have lost count of the number of times, in venues such as the IGF and ICANN, representatives of tech companies and their numerous allies and surrogates have genuflected at the altar of global standards which are the product of a careful, deliberative, evidence-based, multi-stakeholder, bottom-up dialogue and process.

Yet here we see an obvious willingness to ditch that idea altogether in favour of exporting  a hard and very US-centric position.

Words (almost) fail me.

Meanwhile, the Attorney General of the State of California is talking a lot of sense. He is asking the tech industry to sit down with him and others to chart an agreed way forward.

Here’s hoping.

Posted in Default settings, E-commerce, Internet governance, Regulation, Self-regulation