Article 29, WHOIS and ICANN contd.

Join ICANN and see the world. Last Thursday in Vancouver the ICANN Board gave its response to Article 29’s and the Government Advisory Committee’s  representations about the GDPR, which comes into effect in less than one week. In essence ICANN stuck two fingers up at both of them:  Governments and privacy regulators.

In a world in which the internet plays such a central, even all-pervasive role, and driven as it is by the financial self-interest of Registries, Registrars and the co-dependent ICANN bureaucacy, ICANN has no authority or legitimacy to tell Governments and lawfully appointed regulators to get lost. But they just did.

So mark 17th  May 2018 in your diary.  It could turn out to be the day ICANN finally pressed the self-destruct button. Don’t ask me what the outcome will be as the whole edifice starts slowly to unfurl. “Messy” is the only word that springs to mind.  But unfurl it will. In the end democratic Governments will have their way, and undemocratic ones will fly in on their coat tails, grateful they didn’t have to do any of the heavy lifting.

So what was decided?

A “Temporary Specification” (TS) was approved by the ICANN Board and it will now be incorporated into all Registry Agreements.

It does not require the email of the Registrant to be visible to the public. That removes an important tool used hitherto on a large scale  by law enforcement and the wider internet security industry.

The TS does not require a distinction to be made between legal or natural persons i.e. between private individuals and companies or other organizations.

Here are  the main provisions

What will disappear from public view?

  • Registrant and technical/admin contact name
  • Registrant address
  • Registrant and technical/admin contact email address
  • Registrant and technical/admin fax and/or phone numbers

How do you get access to what will become non-public data?

To enable WHOIS users to contact Registrants:

  • Registries must direct users to the registrar for a method to contact the registrant.
  • Registrars must create an anonymised email or a web form to enable users to contact the registrant, and the technical and admin contacts. There is no requirement that a unique email address be attributed to each registrant, which would have enabled users to identify other domains registered by the same registrant.
  • Registrars must offer registrants an opt-in to have their data included in a public WHOIS, and they may (note “may) offer an opt-in for admin and technical contacts.

Registrars and registries are required to provide reasonable access to non-public data to third parties with legitimate interests, “except where overridden by interests or fundamental rights and freedoms of data subjects”.  Quite how “legitimate interests” will be defined and how they will be acknowledged as having one is yet to be defined.

Registrars are also required to provide access where “the Article 29 Working Party/European Data Protection Board (comprising the EU Member States’ data protection authorities), a relevant court, applicable legislation or regulation provides guidance that the provision of data to specified classes of users is lawful”.

There is no uniform or centralized mechanism at this time to get access to such data, though the ICANN Board is urging the  “ICANN community” to come up with a model expeditiously.  No deadline has been set. No one knows when this will happen.

Please can we have more time?

The US Government  has called for a ” short- term suspension” of  GDPR enforcement  and the Registrars  have made a similar request.

Although Article 29 has no authority to suspend anything, individual DPAs could, in practice, decide not to take out enforcement  proceedings.

I guess  deferment  or  suspension has a great deal of practical appeal although there is bound to be a degree of hesitation and scepticism because of ICANN’s behaviour so far. Everybody knows ICANN has a unique talent for making sure nothing happens quickly. The world must run at their pace and everybody else can whistle.  Yet hubris is charging at speed over the virtual hill.

Posted in Default settings, Internet governance, Regulation, Self-regulation, Uncategorized

Article 29, WHOIS and ICANN

In less than ten days time, on 25th May, the GDPR becomes law in every EU jurisdiction.  Officially, the GDPR began its journey towards this state of grace in 2012,  when the European Commission published its draft proposal, although to my certain knowledge informally the discussions about what it should say began in 2010. Probably they got going even earlier than that.  The GDPR completed the legislative processes in early 2016 although the final shape was clear before the end of 2015.

No surprises

It would therefore be hard for anyone to argue they were surprised to discover that a new set of rules was about to come into force. Yet only  hours away from the commencement huge arguments are going on about the proper meaning of the GDPR in relation to the WHOIS database. In fact only two days ago ICANN issued yet another note on the subject but it is a note with no conclusion as it insists various (vital) matters  have still to be discussed within “the community”.  By that they mean among themselves. This opens up the possibility that large parts of the database will “go dark” on or shortly after 25th May.

WHOIS should be up to date, accurate and accessible

From the very beginning  of the modern internet WHOIS was meant to be an up to date, accurate and publicly accessible database of who owns and operates web sites.

It long ago ceased to be that. Last time I checked only about a  quarter (23%) of WHOIS entries were fully accurate in the way they were meant to be. In other words accuracy was the exception rather than the rule.

I can see a case where, in exceptional circumstances, certain data for certain sites might be withheld from routine public scrutiny e.g. by allowing the use of privacy or proxy services, but the key word there is “exceptional” and even if withheld from public view the information that is stored should be accurate.

ICANN has shown zero interest in or sense of urgency about putting things right i.e. in improving the level of accuracy within WHOIS. On the contrary they have come up with a litany of excuses, essentially for delaying doing anything meaningful. For example, they go on about the “changing  nature of the internet” and how this requires them to “look again at the role and purpose of WHOIS.” OK. But accuracy is accuracy whichever way you cut it. One senses the major constituent parts of ICANN would be entirely content if the only information anyone needed to collect and keep was that which allowed them to receive payments and that should be privy only to them.

As long as the money keeps rolling in

If the Registries, Registrars, and ultimately ICANN, keep getting the money from the sale of domains why should they care? If bad guys do bad things with the sites they provide that’s a problem for the cops or someone else, not them. I exaggerate for effect, but not by very much.

The upshot? WHOIS has been getting ever more inaccurate.

Yet it remains an important source of information for law enforcement and the wider online security industry. Crooks and fraudsters of all kinds still have to register some details and these can often provide vital clues for investigators to follow.

Will WHOIS “go dark”?

As already mentioned, right now there is a severe risk that WHOIS will “go dark” on or about 25th May, certainly to the wider internet security industry but possibly also even to cops. Probably not all top level domains will be equally affected but a great many could be.

Just so we are clear what that means: a source of data previously available to law enforcement for the purposes of investigating crime will no longer be there. Why? Because ICANN did not think this was important enough to get everything sorted out in time.

ICANN has  come up with a proposed scheme which would provide what they call “layered” access  to various interests but this requires an accreditation scheme to be established and no one knows how long that would take. Even  a short hiatus could be a huge boon to wrongdoers.

Hello multistakeholderism 

Thus does ICANN’s arrogance stand out. Governments and legislatures can change whatever laws they like. Multistakeholderism means ICANN will consider how to respond as and when it suits them. And if it doesn’t suit them then that’s just tough. ICANN floats above us all.

Article 29 have not being playing it too cleverly either. For more on that please read the letter the UK’s children’s charities have sent to the Chair of Article 29. It will also be going to the UK’s Information Commissioner’s Office and I hope sympathisers in other EU Member States will consider writing to their DPA in a similar vein.

I will leave you with this thought.

WHOIS and ICANN were never discussed at political level

In the  original proposal for the GDPR ICANN and WHOIS were not mentioned.  Neither are they mentioned in the final text or in any of the Recitals. In fact I can find no record of ICANN or WHOIS being discussed or referred to at any point as the measure progressed through the legislative process.

I find it hard to believe any set of politicians in a democracy would deliberately vote to create or allow a system to continue that undermines people’s confidence in the internet and does so much harm to individuals and legitimate businesses.

Article 29 and the DPAs should be interpreting the GDPR in that light. Their failure so to do may well invite further, possibly urgent, corrective legislative action and undermine people’s confidence in DPAs for taking such a narrow and blinkered view.

Article 29 and the DPAs should have no hesitation in insisting that the identity and contact details of every web site are fully transparent and accessible, particularly to the police and the cyber security industry but the case for maintaining public access is also very strong. Children, parents and  indeed every internet user ought to have the option to check the credentials of a web site before they engage with it.

Finally, and I apologise for coming back to the point about accuracy,  it is imperative that all data within any and every  possible future version of WHOIS are accurate. Anything less will  only help criminals. Who voted for that? Nobody.

Posted in Internet governance, Location, Privacy, Regulation | 1 Comment

Cherie Blair speaks out

In the pantheon of bad actors in the internet space there are two distinct classes. There are the criminals and fraudsters themselves.  Clearly they bear the greatest part of the burden of guilt for the harm their actions cause. However, there are also those with the power to  stop or at any rate reduce the scope of the malevolence but instead choose to look the other way. In this second category two stand head and shoulders above the rest.  One is ICANN, based in California, the other is Verisign based in Virginia. The relationship between ICANN and Verisign is symbiotic.

Child sex abuse materials

By common consent there are now billions of images of children being sexually abused circulating in cyberspace. The vast majority of these began their virtual life by being posted on the open internet.

If ICANN had done their  job properly this would never have happened or the size of the problem would have been much, much smaller. The volumes now defeat the best efforts of any and every law enforcement agency. It needn’t have been that way.

What is ICANN’s job? Simple.  To make sure everyone who buys and operates a web site provides truthful, accurate and up to date details of who they are and how they might be contacted. Last time I checked less than a quarter (23%)  of domains were accurately registered in the way ICANN’s rules say they are supposed to be. In other words accuracy is the exception rather than the rule. In this environment criminals thrive. Children suffer.

And it is not just children’s interests that are harmed by ICANN’s indifference and inaction. The  same pathway is exploited by every kind of scammer.

Verisign Inc

According to figures published by the Internet Watch Foundation around 70% of all child sex abuse materials  found on the internet in the UK are located in two domains: .com and .net. They are the market leaders by a country mile and have held that inglorious title for many years.  Who owns and operates them? Verisign.

Verisign is the biggest single contributor to ICANN’s finances. Does this explain why ICANN does not bear down on Verisign? Whatever the contractual details of the relationship might be between ICANN and Verisign, Verisign’s moral responsibility could not be clearer. Yet they ignore it. Seemingly with impunity.

To put things right would cost money. If there were more checks on a would-be purchaser’s real identity and contact details it would likely hit sales and therefore, ultimately, both Verisign’s and ICANN’s revenues could be threatened. Not good enough reasons for doing nothing.

Cherie Blair speaks out

Cherie Blair QC is a distinguished lawyer, a judge and someone who cares deeply about children. Following a request made by the  Children’s Charities’ Coalition on Internet Safety Ms Blair wrote to Mr Xavier Becerra, the Attorney General of California in the following terms:

Dear Mr Becerra,

You will, of course, be familiar with the powers and functions of the Internet Corporation for Assigned Names and Numbers (ICANN) which is domiciled and incorporated in California as a  501(c)(3) non-profit organization.

A coalition of British children’s organizations have drawn my attention to what they say are significant failings on the part of ICANN in relation to key issues which impact on children as internet users.

In the first instance they refer to the fact that for many years two domains  – .com and . net – both owned by Verisign Inc.,  have been the largest source of child pornography on the open internet. While one might have hoped  Verisign would themselves have chosen to introduce measures to reduce or eliminate the traffic in these appalling materials, they only act as Registry for the domains in question in the first place by virtue of a contract which they have with ICANN.

The suggestion I am hearing, therefore, is that ICANN is equally at fault, or perhaps is even more at fault, because it has consistently failed or refused to bear down on Verisign to improve the situation. In the last year for which figures are available (2016), .com and .net accounted for 70% of all child pornography reported to the UK’s Internet Watch Foundation, yet .com and .net between them represent only 44% of all domains.

The second matter concerns the creation of a .kids domain. Approximately six years after ICANN began the process of creating the domain in the English language the matter remains unresolved. Yet in Cyrillic script the domain was delegated to a Russian organization which, when asked, said ICANN had made no stipulations in the contract about, for example,  the importance of ensuring that any potential Registrants  did not employ or use persons with convictions for child sex offences.

The way .kids was handled contrasted sharply with the way .bank, .pharmaceuticals and .insurance ended up at the conclusion of the same process of establishing  new Generic Top Level Domains. The difference between banking, insurance and pharmaceuticals interests and children’s interests is fairly obvious. The former can afford to employ lawyers and lobbyists, the latter cannot. Yet precisely because that is the case one might have hoped that ICANN itself would have stepped in to ensure that children’s interest were properly safeguarded. They didn’t.

I have not yet had the opportunity to look further into these matters, but I am aware you have taken a great personal interest in child welfare as well as the wider issue of  online safety as it impacts children. For that reason it occurred to me that you may already be actively engaging with ICANN with regard to the points I have raised. Either way I would be very grateful to hear how you see ICANN’s responsibilities  vis-à-vis children and I would also like to ask if you are satisfied with the way they are discharging them?

Mr Becerra replied on 13th April. He assured Ms Blair he appreciated her concerns about

“how actions or non-actions taken by ICANN may affect the security of children. Keeping kids safe online is a multi-front battle, which comprises combatting exploitation, including child pornography, as well as creating protected spaces for children such as .kids domain. ICANN’s responsibility for managing the internet’s domain names places it squarely in the thick of this fight.

For these reasons, my office and I, including the Bureau of Children’s Justice, will continue to give scrutiny to the issues you raise. Protecting children remains central to what we do at the California  Department of Justice.”

A call to action

I trust colleagues in California and elsewhere will be encouraged by Mr Becerra’s response and will be keen to follow up with the Bureau of Children’s Justice to see how the project is moving along.

I wrote an extremely long (10 pages) background briefing on all this. You can find it here if you want to delve deeper.

Posted in Child abuse images, Default settings, ICANN, Internet governance, Regulation, Self-regulation

ECPAT USA steps up

I have written before about the negotiations currently taking place around the North American Free Trade Agreement (NAFTA). One of the clauses being proposed for inclusion by the US Administration would require Canada and Mexico to adopt a law which the US Congress and President Trump ditched last month. Go figure.

The law in question is (the now amended) s.230 of the Communications Decency Act, 1996 – one of the most inappropriately named pieces of legislation ever.

The old s.230 is the law that allowed Backpage and similar to make millions of dollars from the distribution of child sex abuse materials and from facilitating a wide range of sexual offences. This was possible because the old s.230 created such a strong level of immunity for internet intermediaries that law enforcement agencies and the courts were defeated in their efforts to bring the offending parties to book.

The fear is that if the clause makes it into the final version of NAFTA, not only would that be very bad news for Canada and Mexico, it would also set a terrible precedent. It could reappear in trade negotiations that will be held with other countries. Speaking as a Brit contemplating Britain after Brexit that scares me.

All over the world it is common for one bit of Government not to know about or agree with something another bit of the same Government is doing. Very often it is the lot of outsiders to point this out and, generally, not always, it leads to the matter being resolved.

So assuming the decision to follow this course of action is not being directed by the White House or some other powerful element in the core leadership of the Trump  Administration, civil society organizations are starting to speak out.

ECPAT USA is one of the first.  Yesterday they released  a copy of their letter to The Honorable Robert Lighthizer, the US Trade Representative.

NGOs in Canada and Mexico are also stirring. We are all stakeholders.

Posted in Child abuse images, E-commerce, Internet governance, Regulation, Self-regulation

The internet: to regulate or not?

The UK’s House of Lords is holding  an inquiry into whether or not the internet should be regulated.  The Children’s Charities’ Coalition on Internet Safety submitted evidence. Here is a link to the House of Lords web site where the text of the evidence is reproduced.

If you want the original pdf you can download it  from here.



Posted in Internet governance

Article 29 and children

In the UK our Data Protection Authority (DPA) – the Information Commissioner’s Office (ICO) – has shown a real and sustained interest in how the new data privacy regime – the GDPR -is likely to impact children.  ICO officials attended an all-day seminar organized by Professor Sonia Livingstone at the LSE. They shared their thoughts and interacted with a group of leading online child rights and child protection experts who came not just from the UK but also from other EU Member States. Several of the latter travelled to the LSE precisely because they knew the ICO would be represented.

The ICO subsequently issued a consultation paper  and draft guidance specifically addressing the position of children in respect of all relevant headings of the GDPR.

The Article 29 Working Party

Each DPA in every EU Member State remains a sovereign and independent body but they stay in touch and try to achieve a degree of consistency through something called the  Article 29 Working Party.  Article 29 has existed since the mid 1990s. It is being replaced by  the European Data Protection Supervisory Board.

Historically, Article 29 has not shown an excessive degree of interest in children as data subjects. One suspects they have a box marked “Very Difficult. Avoid If You Can. Only Open If You Absolutely Have To”. Children are in it.

In fact the only major Opinion Article 29 seems to have issued which concerns children dates from 2009 and it addresses children’s personal data held by schools. If you were to ask any randomly selected group of parents, children  or policy makers about their main worries in terms of what is happening to young people’s personal data in the internet age, I doubt  that how schools are handling it would be at the top of their list. It would be there, but not at the top. Silicon Valley meanwhile….


Once the GDPR became law Article 29  decided to organize a series of “FabLabs” to discuss what would happen next and get feedback from interested parties. I attended. There were three such meetings. One in July 2016,  one in April, 2017 and finally October, 2017.

In plenaries and working groups at the FabLabs a number of people suggested there should be a  specific session on  the position of children. On behalf of the European NGO Alliance for Child Safety Online and the UK’s Children’s Charities’ Coalition on Internet Safety I wrote to Article 29’s then Chairperson,  Isabelle Falque-Pierrotin of the French DPA, to support that suggestion.

Article 29 did not agree. Neither did they expressly disagree.  The request was just ignored. Thus, at an EU level there has been no open or extended engagement between the online child rights and child protection communities and the privacy community.

Since the GDPR was adopted Article 29 has published no letters about children. They have issued no press releases. No consultation documents or position papers on children  have been sent around. Article 29 have issued no guidelines on children although mentions of children are scattered among several of those that have appeared.

Save for the British texts nobody has tried to bring together or discuss all the parts of the GDPR which concern children. Such a publication would help a lot of people get a better take on or overview of the diverse ways the landscape is changing.

In the report of the first FabLab no mention of children or young people appears.

In the report of the second FabLab the following words appear

Minors  are  a  priority  but  resolution  lies  at  Member State  level  and  the  age verification  of  a  minor  is problematic. The verification of consent by the holder of parental responsibility is also problematic.

Interesting use of the word “priority”.

In the report of the final FabLab this appears

Practical challenges for (data) controllers are arising since, while the GDPR recognizes the need for extra protection for children, it was pointed out that there is no clear indication of how the different stages of the development of a child should be taken into account when providing information.

Amen to that.

What are EU-wide institutions for?

Isn’t one of the points of having EU-wide institutions that, for example as in this case, the larger DPAs and the Commission itself can help out the smaller ones and together they can help each other? Are we seriously expected to believe we are going to see 27 different attempts to sort this out?

Why this catalogue of moans?

Less than three weeks ago,  the pattern of neglect of children reasserted itself.  The new Chair of Article 29 published a letter that had been sent to Facebook on the question of facial recognition and how it might be deployed in the future.  No mention of children.

Facebook have said facial recognition will not be available to children, i.e. persons below the age of 18.  Good decision. That being so, why didn’t Article 29 ask about the steps the company is planning to take to ensure the policy works?

Apps or services which broadcast location data also raise safety and security issues for children. This is not just about Facebook. It’s about the whole social media space.

Article 29’s ear-shattering silence does not inspire confidence

I appreciate there are lots of things that need sorting out in relation to the GDPR. I appreciate also that many DPAs are still angry about the way the GDPR turned out in respect of children. It is clear the privacy community wanted a single age for the whole of the EU and they wanted that age to be 13, the then de facto status quo. Echoes of resentment can still be heard about how, at the last minute, politicians stepped in and “messed things up” by allowing multiple ages.

Of the many lawsuits that lie ahead where the scope and meaning of the GDPR will be clarified, there is unquestionably going to be one on children and in that lawsuit Article 29’s lack of leadership is bound to be noted and criticised.


Posted in Age verification, Facebook, Google, Location, Regulation, Self-regulation

The case for age verification for pornography sites

Judging by the number of emails and phone calls I am getting, around the world there is growing interest in what the UK is doing  to reduce the possibility of children being exposed to pornographic web sites.

In particular people want to know what tactics and arguments were used to get the legislation on to the statute book here in Britain

What follows is therefore a briefing. Please feel free to add to, adapt, modify or abandon any or all of it to suit your local situation. There is no single or “correct” way. The local context will always be paramount. We all have to find our own path.

Children’s organizations and children’s interests led from the outset

In the UK we have a number of large and extremely well known children’s organizations. Some are substantial bodies employing thousands of people and can trace their roots back to the mid  19th Century. They have Royal patrons, are highly respected and respectable, often with internationally recognized expertise across a broad range of child welfare, child development, protection and educational issues.  Moreover – and this was hugely important – they are resolutely secular. On internet policy they co-operate through a specially constructed coalition which has existed since 1999. I am its Secretary.

We were 100% pragmatic and stayed completely focused on harm to children. Obviously we had support from feminist and religious groups and that was welcome but they were in no way involved in shaping our tactics, strategy or messaging.

At no point did we say that we thought all porn was bad in and of itself, although we did point out that a great many people probably had a somewhat dated idea of what today’s online porn is like i.e. predominantly it depicts anti-female violence and promotes a completely unreal set of ideas about sex and relationships.

The new law

The Digital Economy Act, 2017 established that commercial pornography sites that publish into the UK must introduce age verification measures to restrict access by children. The so-called “free” sites were a key target of the legislation. These are, in truth, highly successful businesses. They don’t charge at the door, so to speak, they collect their revenues in other ways.

The new  law will be operational towards the end of this year. There are two regulators.

What is porn?

The British Board of Film Classification (BBFC) has the primary regulatory role.Like the children’s organizations referred to earlier the BBFC is an extremely well known and trusted brand. An independent organization that has been in existence for over 100 years, the BBFC’s business is analyzing, classifying and describing every kind of content, including pornography. It has a child protection mission.

The BBFC’s principal regulatory task is to determine whether or not a qualifying site has put in place robust age verification measures that work. If they haven’t the BBFC has a range of tools at its disposal to encourage compliance. Ultimately the BBFC has a legal power to require ISPs and other access providers to block non-compliant sites. It is not thought this blocking power will be used very often because the sites are likely to comply. If they don’t their revenues will be hit. They care deeply about revenues.

As a matter of fact because the porn sites will be able to guarantee they have an adult audience in the UK, porn companies may even find they become more profitable. They will need less bandwidth to service their sites and since their visitors will have money and the means to spend it, advertisers may be prepared to pay more. This is an example of the doctrine of unintended consequences at work. Hey ho.

Privacy is vital

The other regulator with skin in the game is the Information Commissioner’s Office (ICO), the UK’s data protection authority. Its task is to ensure age verification solutions respect people’s privacy rights.

A key legal principle is data minimization i.e. the  only thing a porn publisher needs to  know is whether or not an individual who wishes to access their site  has been reliably verified as being over 18. A number of companies are springing up to provide age verification services that can be used across a range of adult products, not just porn e.g. for gambling, buying alcohol, tobacco and knives. Thus, going through an age verification process does not mark you out as being into porn. It just shows that you may sometimes engage with a range of items which are associated with an age restriction.

Porn sites do not need to know or retain your name, your actual age, address or credit card number. All the porn site needs to know is that this particular log-in has been verified as belonging to someone who is 18 or above. The new system can therefore be seen as being privacy enhancing in a number of respects.

Getting agreement to act

First key political point: the measure went through the UK Parliament with all-Party support.  However, it has to be said that winning the personal support and engagement of the previous Prime Minister was crucial in getting the ball rolling. Neither he nor his successor tried to use attitudes to porn and protecting children as a means of scoring points and the opposition parties adopted a similar stance. This was important. If the draft measure had become heavily politicised in Party terms it would probably have failed.

Second key political point:  in lobbying for the measure  we got the backing of major, mainstream newspapers and within Parliament a group of talented women Parliamentarians devoted a lot of time and energy to the subject over several years.

Without in any way doubting the sincerity or commitment to the principle behind the measure on the part of the Prime Ministers and the other politicians,  it certainly did no harm to our cause to have the sustained support of major media outlets.

You have to listen to the other side

Free speech and civil rights groups were heavily involved in trying to get the measure defeated or neutered. That is their job. It is both wrong and counterproductive to portray them as heartless, nihilistic anarchists who do not care about children. The great majority of them do care but have genuinely held reservations about the methods being proposed. We have to address those reservations not just shout them down and refuse to  hear. Some of what a number of them said definitely influenced me even though I thought others were too quick and too ready to misrepresent what was going on and why.

While I completely reject the idea that protecting children from pornography is in any way about promoting censorship – no legal content that is on the internet today will not be there tomorrow –  it has to be acknowledged that whenever politicians get involved in subjects of this kind people are entitled to be nervous.

Some regimes and a number of groups do not want anyone in their country, or anywhere else for that matter, to be able to access  pornography, and they might have a very broad definition of what constitutes pornography. We never argued adults should not have a right to access pornographic content.

Our only point was that children should not be able to get at it so easily.

A tiny amount of hassle is unavoidable

Age verification  in the UK undeniably will create a minor inconvenience, i.e. adults will have to go through a process, but they already do this in many other areas, online and off. It is the inescapable but essentially  trivial price we pay to achieve a desirable social goal. The age verification solutions that are being developed for use in Britain can be completed easily and rapidly. In other countries with better developed online infrastructures it might  be even simpler to get confirmation that someone is over 18.

Technical measures are not a substitute for sex and relationships education

Age verification in respect of pornography sites is NOT an alternative to or a substitute for children and young people receiving age appropriate advice and guidance about sex and relationships, both at home and at school or indeed via thoughtfully prepared educational resources available online. This continues to be of vital importance

However, age verification is an important complementary component. Inter alia, it helps show children that, as with alcohol, gambling and similar, a serious effort is being made to ensure the laws and norms mean something. The advice given by parents, teachers and others in respect of porn is not merely “virtue signalling”. It is not something to which grown-ups  pay lip service without it truly being meant to be taken seriously.

Bringing the physical and virtual worlds into closer alignment

Age verification for porn sites helps bring about a closer alignment between the physical world and the virtual one. We don’t have one set of rules and expectations which apply in one place but not the other.

Campaigning points

  1. Various people have observed that the internet is the biggest social experiment in history. We owe it to our children not to insist that they are unwitting, involuntary guinea pigs.
  2. To put that slightly differently, we cannot say we will wait 20 years or so to see how things turned out for this generation before deciding what to do to ensure the next is not damaged in a similar way.
  3. In the EU Kids Online survey exposure to pornography came out as the No 1 issue kids found upsetting in terms of materials they were exposed to online.
  4. By any standards there is enough evidence to suggest porn may be causing significant harm to children, particularly younger and vulnerable children. It is therefore simply unacceptable to say, in effect, we must do nothing until the matter is conclusively and finally settled beyond all reasonable doubt. Only then will it be acceptable to seek to mitigate or reduce the likely consequences of children being exposed to porn.
  5. There are very few areas of scientific or academic enquiry where the evidence is not disputed. If we waited until there was 100% agreement about everything and never tried anything new until there was zero doubt about the probable outcomes we would probably all still be living in the Rift Valley herding cows.
  6. The precautionary principle therefore dictates we must have regard to the evidence of the possibility of harm and, unless and until there is a widely accepted body of evidence to the contrary, we are obliged to take proportionate steps to avoid the reasonable apprehension of predictable harm.
  7. Anyone who thinks online porn can be a useful or worthwhile source of advice, guidance or information about sex and relationships plainly hasn’t seen any of it.
  8. It is easier to make the argument for introducing age verification in respect of younger children and the risk of accidental exposure, but in fact all under 18s have a right to be protected and to understand where the boundaries are and why those boundaries exist.
  9. Older teens might be more likely to want to engage with porn but the very fact that difficult to circumvent boundaries and technical controls are in place will cause them to pause and reflect and that is likely to change the nature of their experience or engagement with any porn they do encounter.
  10. We agree that porn consumers have a right to have their privacy properly safeguarded.
  11. Age verification does not promise to deal with accidental or intentional exposure to all forms of porn everywhere e.g. porn that might be exchanged via Bluetooth, messaging Apps or on thumb drives or be created using cameras in phones. Rather age verification addresses the easy accessibility of  the gigantic quantities of pornography published by commercial concerns on the internet. This is the dominant form.
  12. Sadly there is no silver bullet that catches all porn everywhere, but that is no reason to refuse to act where you can have an impact.
  13. Age verification is about the responsibility of the publishers of pornography. They all say they don’t want children to access their wares but hitherto they have done little or nothing actually to prevent it.
  14. This was because they weren’t required to and even if an individual company might have been inclined to do something about it they were worried that unless everyone was under the same obligation to act at the same time they could lose business to less fastidious competitors. This is exactly how it worked with online gambling in the UK.
  15. Age verification should not be conflated or confused with the use of filters. Families might want to use filters to restrict access to all kinds of materials that conflict with their values or they might not want to use them at all. That still does not give porn publishers the right to expose under age youngsters to their products.
  16. Even if a family uses filters at home their children may end up in friends’ houses or other places where filters are not in use. Again that does not give  porn publishers the right to expose under age youngsters to their products.
  17. An age verification law is really about establishing a new normative value. It is saying it is not OK for porn publishers to make their products available without taking meaningful steps to ensure children cannot see them.
  18. It is also saying that the realities of our modern lives and the challenges of parenting in the digital age mean it is unfair and unreasonable to put the responsibility solely or even largely on parents to protect their kids from stuff that shouldn’t be there in the first place. The porn industry should not be creating extra burdens for parents.
  19. Least of all should porn companies feel unmoved or unconcerned about the idea of making money from showing porn to kids.
  20. People argue kids will get around whatever you try. That is an argument for doing nothing, for preserving the status quo.  Cui bono? Yet the evidence (see page 16) suggests most kids do not  know how to get around blocks and even  among those that do only a small proportion (6%) actually bother.
  21. It is a convenient myth that every child is a super-cool internet user who knows every  technical trick in the book and wants to break every rule or ignore every boundary.
  22. That said it will be important to keep track of technological developments and changes in the porn market to ensure the regulators stay up to date and relevant and are sufficiently nimble so they can swiftly address any circumvention strategies which might appear at scale.








Posted in Advertising, Age verification, E-commerce, Pornography, Privacy, Regulation, Self-regulation | 1 Comment