Things are growing nasty in the UK’s Online Safety Bill debate. Lord Lipsey accused Online Rights Group of being “extreme Libertarians”.
Last month, we wrote about the UK’s Online Safety Bill. In our report, we covered the concerns being raised about freedom of expression. Specifically, the bill would create a bureaucratic super-structure to determine what speech should be allowed, monitored, and/or blocked altogether. About two weeks ago, we started getting a sense that the next iteration of this legislation would be worse thanks to comments made by the Culture Secretary.
Of course, the Online Safety Bill encompasses a number of different debates. One such debate is provisions for so-called “age verification”. Age verification has been a subject of debate in the UK for years now. The general idea is that there are growing fears – often moral panic spread by some media outlets – that young people are viewing pornography online. Aspects of the debate are all too familiar with many North Americans. Simply put, the fears is that online pornography will damage people’s minds – especially young children. The theory (of questionable credibility) is that people viewing online pornography will lead to people committing sexual offences in the real world on a massive scale.
Why Education and Awareness Trumps Policies of Prohibition
We obviously know that young people have long had access to adult material before they are legally able to have access to it. The dirty magazines of the 80’s and 90’s would be an example of this. A similar reference was briefly made in The Simpsons through the famously funny Moe lie detector scene. Obviously, this problem has existed for quite some time even before the Internet became such a modern day fixture. Today, we don’t exactly have a society filled with sex maniacs. Instead, society is arguably improved not thanks to or in spite of dirty magazines, but thanks to an increase in awareness of what are various moral boundaries (the #MeToo movement being an example). It is becoming increasingly clear that if you commit sexual based offences, there is no such thing as being too powerful to avoid consequences.
One lesson that we can take from all of this is that education and awareness can go a heck of a lot further than prohibition laws or policies. Is the concern that people will develop unhealthy views of sexuality? Then maybe campaigning for better education and awareness programs would give you a much bigger impact on your efforts.
It’s not as though we are in uncharted territory. Take the failed war on drugs, for instance. When things like crystal meth or cocaine began hitting the streets to a particularly high degree, the first response from lawmakers was to declare a “war on drugs”. Prohibitions were put in place and criminal convictions were put on people for things like simply possessing small amounts. What this ended up doing was simply increase the incarceration rates for people.
In more modern times, societies began to realize that the issue of addictive drugs was actually more of a public health problem and less of a criminal problem. Programs (such as those found in Canada), put in place safe needle exchanges to prevent the use of dirty needles. This arguably made a difference in preventing STDs from being spread through the re-use of needles. Education campaigns were rolled out to raise awareness about the issues and implications. Arguably, that helped people be better informed and got younger people to be more likely to simply “say no” to such drugs in the first place.
All this was a partial indictment on outright prohibition in the first place. Some of these drug problems are easily much newer than the issue of sexual health and awareness. So, that should make it even more questionable as to whether instituting policies of prohibition would even work in the first place.
The UK Push for Prohibition
Unfortunately, it seems that some are more focused on policies of prohibition like it is going to be the be-all end-all solution to the problem of underage users viewing adult material. The Guardian is highlighting where the debate is now and what is being called for:
Why are children’s safety groups calling for age verification on porn sites?
They fear it is too easy for children to access publicly available pornography online. Experts who work with children say pornography gives children unhealthy views of sex and consent, putting them at risk from predators and possibly stopping them reporting abuse.It can also lead to children behaving in risky or age-inappropriate ways, harming themselves and others. Charities say children tell them that pornography is difficult to avoid and can leave them feeling ashamed and distressed. One concern is the extreme nature of porn on mainstream sites, with one study showing that one in eight videos seen by first-time visitors showed violent or coercive content.
How do ‘age assurance’ and ‘age verification’ differ?
Age assurance describes methods companies use to determine a user’s age online, such as self-declaration (ie a pop-up form); profiling (determining a user’s age by scrutinising content they consume or how they interact with a computer), and biometric details such as facial analysis.Age verification uses ID known as “hard identifiers”, such as passports or credit cards. The NSPCC, the child protection charity, wants this to be required for access to high-risk sites, such as commercial pornography or dating sites.
Privacy Implications of Such a Push
It’s almost difficult to figure out where to even begin with this. Arguably, the biggest problem with all of this is what is being defined as “age verification”. Demanding the use of credit cards or passports as ways of identifying people for age verification is easily overkill for such a problem. Most immediately (and frequently pointed out by digital rights organizations) is the fact that if your credit card is being used to verify your age, then that information is being stored somewhere. Whether it is a centralized database or being held by private third parties presents an equal problem – it is a tantalizing target for identity thieves looking to score some huge cash through fraud.
A second knock-on problem is the fact that such information could very easily be used by people with ill-intent for ransom purposes. For instance, a database could get hacked. The hacker would then start hitting up people whose compromised information was found in the database and say that if they don’t want this information made public, they need to pay the hackers money.
The scary thing in all of this is a hack doesn’t need to even take place for such a fraud campaign to be viable. The simple fact is that there is a push for a very broad system to be put in place. All the people with ill-intent needs is a method of contacting people in the UK. Whether it’s through Facebook messaging, phone numbers, or even old-school e-mail, a point of contact is all that is necessary. If we’ve learned anything from illegal call centres and spam campaigns is that such information can easily be obtained.
From there, the scammers can simply hit as many people in the UK as possible and demand, say, £1,000. You send that ransom demand out for 100,000 British residents. Let’s say 10,000 residents have given such information, but only 1% respond and pay up. From there, simply math takes over. That’s £100,000 worth of ill-gotten gains. There is your scam business model, no hacking of a database required. All it takes is a convincing message and a link to a Bitcoin wallet.
Cue the Name-Calling
Over the course of our coverage, we’ve highlighted a number of concerns about the Online Safety Bill. Whether it’s speech, privacy, security, or viability problems, it’s very obvious that such legislation is filled with problems. In a normal and healthy debate, proposals come forward to address these problems.
That doesn’t appear to be happening.
In a sign that supporters of this legislation is losing the debate, some have resorted to abandon attacking the ideas and, instead, focused on attacking the people instead. That came to fruition through Lord Lipsey who apparently stood up in the House of Lords and proclaimed that digital rights organizations like Open Rights Group are “extreme libertarians“:
The Bill which the noble Baroness, Lady Kidron, has worked so hard to lay before us, addresses a real and present harm, not to adults, who, arguably, can look after themselves, but to our children and grandchildren. As I stand here, I think of my beloved grandchild, Marli Rose, who is five-years old. When she is twice the age that she is now, she could be exposed to this kind of stuff, and my blood boils. It has not happened: there is still no single regulatory or statutory code that sets out rules or standards for age assurance in the UK. All we have is a bit of guidance from DCMS and the design code. Previous legislation on age verification is effectively defunct.
If we wanted proof of the Government’s sheer lack of umph on this subject, we got it this week. To a blast of trumpets, Priti Patel, the Home Secretary, announced new money to help tech companies combat child exploitation and abuse online. Great, but how much was it? It was £500,000, which does not even buy you the services of Sir Geoffrey Cox for six months. Of course, the noble Baroness’s Bill and the age verification that it seeks has some enemies. There are extreme libertarians such as the Open Rights Group, for whom American-style free speech trumps all other values. More insidiously, there are companies that benefit from the freedom to distribute their material to kids, in particular pornographers.
Unsurprisingly, the comments went viral:
Are you a member of @OpenRightsGroup?
Lord Lipsey thinks you’re a porn-mongering libertarian.
Gosh. And I’m on the @OpenRightsGroup Board of Directors, so I guess that makes me EVEN WORSE? Do join us to protect online privacy, challenge mass surveillance, and fight for free expression online: https://openrightsgroup.org/join/
There is the possibility that Lipsey is conflating the free speech concerns about the bill and the age verification concerns about the bill. Still, such a detail is relatively minor to the fact that lawmakers are now resorting to schoolyard style bullying such as name-calling in an effort to pass such legislation in the first place. After all, it’s difficult to even figure out what Lipsey even means when he calls these concerns “American-style free speech trumps all other values.” in the context of the Online Safety Bill. After all, how does one dismiss concerns highlighted above as something to ignore because it’s just “American-style free speech”? It makes no sense given that the concerns are specific to UK legislation in the first place.
None of this changes the fact that there are very real concerns about this legislation. If there are no ways to address these concerns, then that really is a sign that the legislation, at the very least, needs to be sent back to the drawing board.
Drew Wilson on Twitter: @icecube85 and Facebook.
(1) It is not necessary to retain any personal data once an age check has been completed. All a platform or an independent AV provider (I prefer the latter as they can be regulated and audited more directly) needs to retain is an identifying code (which could be hashed) and a date of birth, or estimated age.
(2) Equally, if it is an independent provider, there is no need to track which websites the user is visiting. The sites need not know the identity of the user and the independent provider need not record which sites enquired in any way connected to the user. So it can be double blind.
There is a legitimate debate to be had about how such regulations are enforced (standards, certification, regulation etc.) and the risk of fake sites harvesting data also needs to be managed but suggesting this cannot be achieved technically is not a sustainable argument against age verification.
During the “porn pass” debate, the idea was actively floated that different sites retain such information. If this is no longer being actively required, it adds a layer of security risk to such a system.
This ultimately harkens back to the early days of reg-walled news websites. Sites like BugMeNot cropped up where usernames and passwords were actively shared to rout around reg-walled content. Similarly, identifying codes could theoretically be shared in a similar manner. Whether it is fraudulently obtained via a stolen credit card or extracted from a hack via a stolen database. Regardless, the only necessity is a regular stream of identifiers that work at one point or another.
What’s more is that all of this assumes that all adult material is obtained through streamed content on large sites. There is also those that obtain such content through file-sharing networks, cyberlockers, etc. If such a website is located outside of Britain, the whole system falls apart because it falls into the same problem as copyright enforcement of file-sharing websites located outside of North America. What’s more, this doesn’t even take into account removable storage or hidden FTP sites.
If you’ve been around various technology debates as long as I have, then you should know that trying to prevent a certain demographic from obtaining a certain kind of material online is a fools errand. The Internet was originally built on being resistant to damage and censorship. With the prominence of TOR and VPN services, your best hope is a system that is far more sophisticated than relying on simple identifiers. Even then, even if you come up with something that is even remotely successful, you run into problems of excessive censorship, overblocking, over-surveillance, and a whole lot of other problems. This is akin to the American argument of “nerd harder” and hoping that knowledgeable people will be able to do the work for you to overcome something so technically impossible. Right now, the knowledgeable people are saying that this Online Harms Bill is a terrible idea all around for very good reason – and it’s not because they are some porn mongering “information wants to be free” ideology believers.