Digital rights organization, Open Rights Group, is offering a detailed analysis of why the UK Online Safety Bill’s age verification is a threat to privacy.
The UK Online Safety Bill represents a considerable risk to user privacy as well as security online. This is something we covered a couple of months ago. Three problems worth highlighting are the banning of effective encryption, the terrible age verification provisions, and the “online harms” provisions that could see jail sentences handed down to people who posted mean comments online. Simply put, the bill is a complete disaster that threatens people’s privacy, freedom of expression, and security.
Recently, digital rights organization, Open Rights Group, posted a deeper analysis of the age verification provisions and explained why such provisions are such a huge threat to people’s personal privacy. From Open Rights Group:
Compliance will be compulsory unless the terms of service of the platform explicitly prohibit the content that is being addressed.
Providers will have to choose systems that are “highly effective at correctly determining whether or not a particular user is a child” [S12 (6)]. Providers can even be required to distinguish between children of different ages, for the purpose of determining whether they can be permitted to access certain content.
There is no privacy-protective age estimation or verification process currently in existence that functions accurately for all users. France’s National Commission on Informatics and Liberty (CNIL) published a detailed analysis of current age verification and assurance methods. It found that no method has the following three important elements: “sufficiently reliable verification, complete coverage of the population, and respect for the protection of individuals’ data and privacy and their security.” In short, every age verification method has significant flaws.
These systems will collect data, particularly biometric data. This carries significant privacy risks, and there is little clarity in the Bill about how websites will be expected to mitigate these risks. It also carries risks of incorrect blocking where children or adults would be locked out of content by an erroneous estimate of their age. This risk is recognised by the inclusion of a requirement for providers to consider complaints by users whose age has been incorrectly estimated [S 32 (5)(D)].
Ofcom could minimise the damage of this Bill, as they are required to produce a code of practice on age assurance. The first principle that Ofcom should adopt is that the age assurance or age verification systems should be effective at correctly identifying the age or age-range of users, and that competition of provider should exist so users with a concern for privacy and security can opt for their chosen provider. The pressure will be on Ofcom to ensure that platforms implement age verification or age assurance, and this will have priority over any balancing of free expression rights. This poses a risk to the fundamental rights of huge numbers of users.
This is a big part of the problem with age verification laws. The technology the laws envision simply doesn’t exist. Having databases of people who have explicitly asked to see such content is an extremely juicy target for scammers. Once a database like that is exfiltrated by hackers, blackmail is going to ensue at a large scale. This is because real information is going to be part of that data set and social media is a prime candidate for assessing who is associated with a given victim. Once those connections are made, criminals have all the tools they need to exert maximum pressure to demand payments.
Of course, that isn’t the only way such information could be abused. Contact details can be used to, say, have a victim’s phone ring off the hook or hit them with scams afterwards.
Some of the more technically minded people out there will immediately jump up and say that all they have to do is use anonymity tools such as VPNs to circumvent such things. The hard truth is that not everyone is going to jump through those hoops. Yes, the person who builds computers for a living probably has something like that set up. The person who works in IT probably has a set of VPNs that they work with. There will always be a portion of the population that will use such services. The problem is that this is far from universal. A 60-year-old high school dropout who works as a dishwasher at a restaurant and is just starting to understand how the search bar on YouTube works might not even have the knowledge to use such services, for instance.
That is where the threat lies. These databases are going to fill up with the most sensitive information and all it takes is one successful hack (which you know is going to be not a matter of “if”, but “when”) for the entire house of cards to come crumbling down. Once that data is out there, there’s no going back. There’s no “undo” button for getting hacked. You can’t just make a court order demanding that all illegal copies of such a database be destroyed and expect 100% compliance. It isn’t happening. As a result, innocent people are going to get screwed.
Ultimately, you could devote a whole website just to talking about the problems with the UK Online Safety Bill. I know people want me to cover things like this more frequently and, truth be told, had Canada not gone completely insane and declared war on the internet, forcing me to fight for my website’s life for the last few years, I would have been more than happy to partially be such a site. Still, I hope this article offers some consolation on that front.
At any rate, there is a heck of a lot that is bad about this bill and I think I speak for a lot of UK residents when I say that we all hope this bill never becomes law. Unfortunately, it is reaching the final stages of passage, so there isn’t a lot of time left for UK residents to tell their MPs how they feel about this bill.
Doing so may feel hopeless, but I know such a situation all too well. In Canada, we had two nasty internet bills pass with the government ignoring the very public outcry over them. I can tell you that the hopelessness I felt seeing that unfold didn’t matter because I wrote my MP, knowing that I actually did something instead of chalking it all up to “the government is going to do what the government is going to do” and just sitting this one out. I take great comfort in knowing I did something about it and, honestly, it didn’t hurt me to shoot my MP a letter. I hardly think that is any different in the UK. All it would cost is a few moments of your time to do the same. As a result, I encourage writing your MP anyway even if you feel it won’t make a difference on the matter.
As for the broader implications, this can very easily spiral out of control. As we saw with the passage of the Australian Bargaining Code and subsequent countries that followed suit and tried pulling their own version of the link tax stunt, the UK passing such a law is only going to encourage other countries to pass similar laws. Whenever some idiot politician in another country is going to say that their country needs some of that age verification law stuff, they’re going to point to the UK and say that it passed there and it’s up to their own country to pass the same thing just to keep up with “international standards” (despite how awful such a “standard” is). So, if this bill passes, the damaging implications are only going to spread.
Hopefully, the UK can be pulled from the brink on this issue. Otherwise, things are only going to get uglier for the future of the open internet.
(Via EFF)
Drew Wilson on Twitter: @icecube85 and Facebook.