Canada’s proposed age verification law is indefensible violation of privacy and expression, but that’s not stopping some reporters from trying.
Last year, we offered an analysis on Bill S-210, Canada’s age verification law. The bill is the Conservative party’s ambitious plan to introduce mass internet censorship and crack down on privacy within the country. The bill envisions non-existent technology capable of verifying everyone’s age before accessing the internet and requires every website to adopt this mythical technology. Failure to do so would allow the Canadian government to order all ISPs to block those websites – erecting a sort of Great Firewall of Canada.
The legislation is extremely poorly written. Problems include the fact that it doesn’t establish any thresholds for websites that supposedly carry such content. It’s just that if it exists at all, then that website must implement age verification. What’s more, there’s no metric for the websites size, either. So, it applies to every website in existence (which could effectively kill a number of small businesses along the way).
Further, there’s no enforceable privacy standards in the bill. All it says to companies carrying these enormous amounts of personal information to pretty please destroy that information afterwards with absolutely no repercussions for companies that fail to comply with such meek requests. It’s a problem compounded by the fact that Canada’s current privacy laws are an outdated joke where the only threat to come from violating people’s personal privacy is a strongly worded letter from either one or multiple privacy commissioners. That’s it. Any further action has to come from the individuals affected to sue the company in question, meaning they have to take matters into their own hands.
Probably the only silver lining in all of this is the fact that this bill is blatantly unconstitutional. This is a bill that literally has the government removing access to speech online which is a Canadian Charter violation with regards to freedom of expression. This isn’t the first time an unconstitutional bill was passed as the Online Streaming Act envisions ghettoizing speech as opposed to outright removal. Some people wrongly believe that this makes that bill good enough, but that’s another debate entirely. In this case, there is no real attempt to weasel around this. It’s just straight up removal of speech by the Canadian government. As such, it just begs to be challenged in court should MPs go full crazy and pass this bill. It’ll end up being a colossal waste of taxpayers money, but Conservatives are experts in wasting taxpayers money in the first place, so no real surprise there.
So, naturally, lawmakers were pressed by critics on how they envision this bill even working. MP’s responded by giving a collective shrug and saying that they’ll just pass this bill on to committee so they can sort out the details. The response boils down to MPs giving committee a fools errand in trying to get them to figure out a plan that tackles the impossible. Sure, experts have collectively pointed out this is asking for the impossible, but hey, what do experts know? MP’s will no doubt cobble together something that makes no technological sense and all will be well as the problems will just magically sort themselves out.
People defending the legislation have already started coming out to defend the bill. Those efforts, so far, have fallen flat on their face. Some defenders of the bill argue that the bill only applies to a handful of websites. In reading the bill ourselves, the legislation places no such limits on which site is scoped into the bill and which site isn’t. There’s no threshold for how big the site is, what portion of the content has to be adult content, or, really, any kind of metric at all. It simply applies to every website out there.
Recently, we came across another persona attempting to defend the legislation. Let’s just say the attempt was hilariously bad. The “article” was published on The Conversation and it was clearly written by someone who has almost no working knowledge about how the internet works. The self-described expert says that there are plenty of tools out there to protect privacy with such systems. This includes this charming nugget:
While different mechanisms exist for online age verification, the more popular methods are ID document matching, facial recognition and third-party verification.
ID document matching is a common method for age verification during in person transactions. For instance, individuals are required to present government-issued ID documents, such as a driver’s licence or health card, when purchasing alcohol from a physical store. Similarly, in online transactions, users can upload an image of their ID.
Then optical character recognition technology is used to extract data from the document, particularly the date of birth. Additionally, a liveness check may be conducted by comparing the photo on the document with an instant photo of the user to ensure authenticity.
Users may also verify their age through authorized third parties, such as their credit cards or bank accounts. This method leverages existing relationships and information held by these trusted entities to confirm the user’s age.
Biometric-based age verification has been an emerging field during the last decade, thanks to artificial intelligence. Researchers are exploring different biometrics for estimating age, including facial images and videos, speech, fingerprints, heart signals and irises.
During facial analysis, users are requested to provide a live selfie in the form of an image or video, which is then analyzed by AI-based tools to estimate their ages. This method has been extensively tested and is now deployed by various entities in different countries, including Google and Meta.
Don’t you feel like your privacy is protected already? Papers, please!
Hilariously, the reporter goes on to tout the incredibly weak privacy safeguard:
Bill S-210 proposes to implement reliable age verification methods that will collect users’ personal information solely for verification purposes, and the data will be destroyed immediately after verification.
Notice how the author never mentions any repercussions on what happens when any organization violates this. What’s the government going to do? Get angry and shout, “But we asked nicely! How could they???” Simply put, this is not an enforceable provision in the law. It’s there to look pretty and nothing more. If the author, thorugh some form of a miracle, happens to read this response, no PIPEDA will do jack here. You tell me in PIPEDA where the provisions are for the government to fine companies for privacy violations. Until then, sit down.
So, one of the points I (and many others) have raised is the fact that VPNs can easily circumvent such restrictions in the first place. The author in this piece tried to address it by… taking an even bigger faceplant:
Virtual Private Networks (VPNs) are often used to evade age verification. Users route internet traffic through servers in different locations, making it appear as if they are accessing content from a region without age restrictions.
This challenge can be tackled by IP geolocation services, which compare a user’s claimed location with their actual IP address, helping to identify any discrepancies.
Yeah, that’s this authors entire response to this. It’s, uh, getting worked on. Don’t worry, this magical solution will come around, you know, some day. Then you get sources like this that talks about IP geolocation technology:
Despite its impressive accuracy rates, IP Geolocation is not perfect, and mistakes can happen. Several factors contribute to these occasional inaccuracies.
One significant factor affecting accuracy is the use of virtual private networks (VPNs) and proxy servers, which hide the true location of an IP address. When you use a VPN or a proxy, your incoming and outgoing traffic is routed through the proxy/VPN. Because of this, your IP is the VPN/proxy IP — which means geolocation will be able to pinpoint the VPN address but not your real (hidden) one.
Another factor is the allocation of dynamic IP addresses by some ISPs. These addresses can change periodically, which can result in inaccuracies if the geolocation database is not regularly updated.
While Wi-Fi and mobile data can offer precise location data, they can also introduce errors when users connect to networks outside their usual locations. For example, a user traveling to a different city may momentarily appear to be in two locations at the same time.
Geolocation databases may not always reflect real-time changes either. For example, if an ISP reallocates IP addresses, it may take some time for the database to update, leading to temporary inaccuracies.
I’m pretty sure “significant factor” is pretty far removed from the excessively optimistic take from this author. I mean, the whole point of a VPN service is to mask your identity and secure your connection online. Any VPN service that introduces obvious vulnerabilities in their protective services is grounds for privacy conscious people to distrust such a service and take their business elsewhere. Any VPN worth their salt is not going to be freely handing their customers personal information to non-law enforcement third party services. VPN services that hand their customers personal information over through a court order is already controversial enough as it is.
From there, the author suddenly pivots hard and talks about child luring for… some reason:
Along with technological readiness, social awareness is also crucial to ensure proper adoption of age-verification measures, which takes us back to the legislative aspects.
The number of online sexual luring cases involving children has increased 10-fold in the last five years in Canada. We have experienced tragic incidents of kids dying by suicide after being victimized online. Last October, a 12-year-old B.C. boy died by suicide after falling victim to online sextortion.
So, the question is: how long do we need to wait before measures are in place to protect children? Canada cannot afford to trail behind any longer. It is now time to move forward and make online space safe.
Tragic cases? Sure. What does this have to do with age verification in the first place? Usually, in cases of child luring, there’s actual contact between the victim and the criminal. Predators aren’t exactly setting up public facing websites with flashing text saying “kids contact me pls!!!!!” and taking out advertisements on multiple ad networks in the process. Yet, this is about the only form of such crimes that the legislation would guard against.
Simply put, there is literally nothing in the legislation that guards against this kind of criminal activity. With no real thought on how to tackle anonymous technological solutions like TOR and VPNs, there’s ultimately nothing here that makes children any safer.
If we are talking about criminals using private messaging services, then this boils down to moderation. This bill does nothing to change moderation. Usually, for large services, such criminal activity is reported to police so they can deal with it. Whether or not they deal with it is a different matter, but that’s generally how it is handled as far as I know. You tell me, in instances like this, what the bill changes with regard to moderation because, believe me, I’ve read the bill and I never once saw anything related to these matters at all.
Up to now, I’ve never seen a single viable defence for this legislation. This “article” on The Conversation doesn’t change that. All it does is reinforce my perspective that people who defend the legislation don’t have any real grasp of how the internet works in general. They just have this warped sense of how technology works that is probably inspired by bad television.
There’s simply no defending Canada’s Age Verification law. With more and more people coming out of the woodwork spouting such garbage as the author at The Conversation, they inadvertently continue to prove my point beautifully. By all means, though, bring me more morons like this. Maybe two of you could share a keyboard next time.
Drew Wilson on Twitter: @icecube85 and Facebook.
