1
Communications Committee
Corrected oral evidence:
The internet: to regulate or not to regulate?
Tuesday 19 June 2018
4.35 pm
Members present: Lord Gilbert of Panteg (Chairman); Lord Allen of Kensington; Baroness Bertin; Baroness Bonham-Carter of Yarnbury; The Lord Bishop of Chelmsford; Viscount Colville of Culross; Lord Goodlad; Lord Gordon of Strathblane; Baroness Kidron; Baroness McIntosh of Hudnall; Baroness Quin.
Evidence Session No. 9 Heard in Public Questions 71 - 82
Witnesses
I: Professor Sonia Livingstone OBE, Professor of Social Psychology, London School of Economics; Tony Stower, Head of Child Safety Online, NSPCC.
This is a corrected transcript of evidence taken in public and webcast on www.parliamentlive.tv.
Professor Sonia Livingstone and Tony Stower.
Q71 The Chairman: Can I welcome the second set of witnesses giving evidence to us today in our inquiry into regulation of the internet? Our witnesses are Professor Sonia Livingstone and Tony Stower, and I will ask them to briefly introduce themselves in a moment. Just so that our witnesses are aware, the session today is being transmitted and broadcast online, and a transcript will be taken for the record and for use by the Committee in the future. Sonia Livingstone is well known to the Committee and is very welcome and, Tony Stower, you are very welcome indeed. Thank you for coming and giving us evidence today.
Maybe you would both start by briefly introducing yourselves and telling us a little of your background. Then, just broadly, so we know where you are coming from, tell us whether it is your view that internet regulation needs to move forward, whether there needs to be some bringing together of internet regulation, whether there needs to be a new regulatory framework for the internet in its broadest sense and what form that kind of regulation best takes. Is it directed regulation, co-regulation or self-regulation? If you could address that in your opening remarks, I will then open the meeting to other members of the Committee.
Professor Sonia Livingstone: Thank you very much for inviting me to speak to you today. I am a professor of social psychology at the London School of Economics. I am a researcher of children, families, schools and the ways in which, essentially, families and the general public access the internet, and the risks and opportunities that result. I am a member of the executive board of the UK Council for Child Internet Safety and founded its evidence group. I have variously advised on children’s risks and rights to the European Parliament, the Council of Europe, the European Commission, UNICEF, this Committee and various others.
I would say, yes, something needs to be done. Everyone in all quarters is calling out for some kind of action, broadly called regulation. We must be talking about some kind of mix of types of regulation. Of course, a lot of law already applies online and has been specifically developed for the internet. There is a lot that is called self‑regulation, of which I and others have become increasingly sceptical as to its efficacy, and there could be potential for a lot more co-regulation than has yet been tried and evaluated. What I see, as I hope we can talk about, is that it is a little like trying to get hold of jelly: there are a lot of different regulations, practices, norms and claims to regulation across the board, and of course the internet covers every sector of society. In addition to thinking about the right mix of regulation, we also need to think about co-ordination, so that something is cross-government and cross-sector.
Tony Stower: My name is Tony Stower and I am the head of child safety online at the NSPCC. I hope you already know that the NSPCC is one of the main children’s charities in this country, fighting to end child abuse across the UK and the Channel Islands. The NSPCC’s position is that there is a clear and compelling need to introduce statutory regulation of social networking sites, and app sites and games that have a social element. I am going to restrict most of my answers this afternoon specifically to social networking sites, rather than the internet as a whole. Previous witnesses have said that that is a bit too difficult to get your head around, sometimes.
In our view, we have already tried self-regulation. For the last 10 to 15 years, we have seen a number of codes of practice, self-regulatory approaches and co-regulatory approaches in some instances, which have totally failed to have any lasting impact on the protection of children online. I would make an exception to this, which is the production of child sexual abuse imagery. I know you have had witnesses from IWF here, who have talked quite persuasively about the model that works in that narrow band. I am happy to talk about why social networking sites, more broadly, need to take action on grooming in particular, but also other behaviours and offensive content.
Q72 Lord Gordon of Strathblane: On precisely the point you opened with there, the Internet Watch Foundation witnesses claimed when they came to us that their self-regulatory approach has worked. It is not broken; do not fix it. What is your answer?
Tony Stower: I was reading Susie’s testimony this morning and it is very interesting, because that is a specific area where not only are other laws across the world broadly similar, but there is a very clear ethical and moral agreement that production of child sexual abuse imagery and material is unacceptable. Our focus at the NSPCC is on issues such as grooming, where it is clear that children are still being put at risk, but the wide acceptance of that is not quite as clear, especially in other countries.
Lord Gordon of Strathblane: Surely the answer is to make sure that there is a widespread acceptance of it, and then it would be dealt with as the other problems have been dealt with.
Tony Stower: In the meantime, children will continue to be put at risk in the absence of any firm regulation for children in this country.
Professor Sonia Livingstone: I am not a lawyer so I hesitate to contest a legal point, but I cannot see that the Internet Watch Foundation is a self-regulatory body. I was on the board of the IWF in its early years, when it was incredibly contested, unstable and being challenged on all sides. It was not until the passing of the Sexual Offences Act in 2003, which designated the IWF as a legitimate authority—I might have the words slightly wrong there—and a host of other things throughout its remit that it became an effective regulator. It takes a law that designates the authority.
Lord Gordon of Strathblane: I am simply quoting their evidence to us. They described it as self-regulatory. Other witnesses this afternoon have agreed with you that it is hardly self-regulation; it is more like co‑regulation. Is a principles-based approach the way to protect children?
Professor Sonia Livingstone: I just heard your previous witnesses arguing that there were already plenty of laws that stated what children’s rights to protection should be. Perhaps we could separate principles of protection from principles of regulation. I would probably refer to human rights legislation, including the Convention on the Rights of the Child, to specify what we want to protect, how we want to protect children and how we want to balance their rights to protection with their rights to privacy and to participation. The principles for the regulation that we want are principles of transparency, accountability, regulation in the public interest, evidence-based regulation and independent assessment of that regulation. In terms of how the regulation should be done, I would want to see a body that operates according to the principles of good regulation.
Lord Gordon of Strathblane: What sort of body would it be? Would it be a government body or appointed by government, or would it be an industry body with external representation? What would it be?
Tony Stower: I have views, if you would like me to jump in. The first point is that principles-based regulation is all well and good, but it depends what those principles are, what resources the regulator has and how muscular it feels in enforcing those principles. From our perspective, the regulator should be an independent body that operates on the principles of better regulation, only regulating as far as is necessary and appropriate. Of course, it needs the support and co-operation of industry, so it will need to work closely with industry, charities and academics to make sure that the principles under which it operates are appropriate, and keep up with modern technology and the threat.
It needs to be independent because there is a tendency—and I can say this as a former civil servant—for civil servants to get bogged down in the weeds when we get into regulation. It is much easier for an independent body to consult, to set its own regulatory approach and to take into account the balance that it needs to strike. It is much more difficult for civil servants, who are under the direct control of Ministers, to do that.
Lord Gordon of Strathblane: My final point to either or both of you is whether we are talking of one body here or a lot of ad hoc bodies to deal with separate and sometimes different problems that require different solutions.
Professor Sonia Livingstone: We already have quite a number of regulators in this space. That is the challenge. The Information Commissioner’s Office is already becoming much more significant and powerful in this regard. Ofcom has various responsibilities, as does the BBFC, and there are others. There will have to be some way of—“carving up” sounds too negative—demarcating where responsibilities lie, even if we as a country create a whole new regulator. In that sense, if there were a new regulator, and it could be strong, fair and operate those principles, it would be fantastic. If the same responsibilities were instead given to Ofcom, I can imagine that many would think that was also a satisfactory outcome. It is largely paid for by industry. It is trusted in the space. It does a lot of things that look very similar, in enforcing codes and so forth.
Tony Stower: You need to have a clear demarcation. If you think about it, in the financial services sector there are several regulators, at least three that I can think of off the top of my head. It is clear that the PRA, the FCA and the Financial Reporting Council have separate responsibilities. That does not mean it always works well, but I would echo Sonia’s perspective that Ofcom or a similar regulator that already has the respect and the muscle would be the right place for this to sit.
The Chairman: Before we move on to the next question, Mr Stower, you referred to the role of civil servants and an independent body. We were thinking of the context of regulation based on a set of principles. What is the role for politicians? Surely it is the role of politicians to build those principles, get the broadest possible support for them, and reflect the views of society and, in the case of elected politicians, their electors.
Tony Stower: I have to say that we have not done all our work on quite what the ideal form of regulation would be, but we would expect the broad scope of the regulator to be laid down in statute and then for the regulator to determine its exact regulatory approach within that. I hesitate to bring up the regulator that I used to work for, which is IPSA, where I was head of policy and strategy for some years, but the environment there was very clear. Parliament set down the rules for the regulator and the regulator itself decided the detailed rules and the approach that it would take to enforcement. That would be the right model here.
Q73 Baroness Bonham-Carter of Yarnbury: I do not think we will discuss IPSA. One of our previous witnesses referred to concerns about overbroad blocking. I wanted to ask both of you what steps should be taken to ensure that there are positive advantages and things that children and young people can get off the internet, and what steps should be taken to ensure that excessive regulation does not prevent children taking advantage of what is on offer.
Professor Sonia Livingstone: This is a hard one, because on the internet we do not know how old somebody is. We can have all kinds of ideas, and we do, about what is appropriate for five year-olds, 15 year-olds or 25 year-olds but, without adequate age verification, which is how I understand the present situation, it is difficult to make age-graded offers. I imagine we are going to get into that further.
At this point, one partly has to come back to the principles of good regulation. Whoever is doing blocking or operating filters, there has to be a process of independent oversight. For a number of years, the European Commission commissioned an independent company, which was Deloitte for a while, which would do independent testing of the filters and report the percentage of under and overblocking. That set up the means by which you could have a mechanism of redress. The Internet Watch Foundation did that assessment of overblocking and underblocking in house, with legal advice, but a similar sense of independent oversight. We do not have that at the moment. We have a lot of companies making claims and no ability to discover how good any of them are, unless we do a mystery shopper exercise, which could be done. It is very hard when we are talking about trying to avoid harmful content reaching vulnerable children, but it is none the less always vital that we also think about what might be being overly blocked. I am sure Tony will talk about it in terms of children getting access to help and counselling services.
Tony Stower: You are absolutely right that it is a concern, particularly where we have been engaging in debates about age verification for pornography. This has been a big element. The NSPCC’s approach is less about content and more about behaviour, so overblocking is not a concern per se. We are clear that we will only support regulation that is appropriate and, as Sonia says, follows the model of best regulation. That means that we are not trying to stop children enjoying all the benefits of the internet, app sites and games, being able to do their homework or interact with their friends. Children tell us that their use of the internet and what we would call offline are totally interwoven, and children do not really see the distinction.
We are not about intervening to prevent or change that; we are trying to make sure that children can do all that safely, without having unwanted sexual approaches from adults or being sent inappropriate material. We would expect any regulator to bear in mind the needs of users, including children, industry and the views of academics and charities, and have a continuing obligation to consult with them over the course of the regulatory cycle. It might be instructive to think a little about the other public spaces that children go in; so think about youth groups or swimming pools. Of course, there are rules of the road that we expect of children. In my day, it was dive-bombing that children were told not to do in swimming pools, but we also have lifeguards who monitor, who make sure that children are safe and intervene to make sure that one user’s behaviour does not adversely affect others. That is the kind of approach we are talking about here.
Baroness Bonham-Carter of Yarnbury: I know that if my colleague Floella Benjamin was here she would want me to ask about the problem of encrypted message services. Which companies would fall within the scope of your proposed social media regulation? How do you deal with that, interactive video and so on?
Tony Stower: If we are talking about principles-based regulation, the first principle would be that services that are open to children should be safe for children to use in the first place. You could set the threshold of “open to children” wherever you like. It might be that, say, 30% of their users are under the age of 18—50% or wherever. If you are providing content and expecting behaviour that is likely to be extremely sexual, it should be behind an 18 age barrier, in our view. Encryption poses a big problem. There is no doubt that many of the internet companies are doing good things to, for instance, detect nudity on live streaming sites or detect other forms of grooming but, when they implement end-to-end encryption, it is essentially impossible to intervene, so that remains a concern. I do not think anybody has the right solution or any solution, I should say, to that at the moment, but we continue to be concerned.
You mentioned live streaming, which is an issue that we have seen with adults grooming children and expecting or asking children to, for instance, remove clothing in real time, but it is not just adults and children. We also know that lots of video chatting goes on between children. Some of that activity we should not worry about too much,[1] but children are often being exploited at these ages and they do not know it. When encryption is in the way, there is no way for algorithms to get in.
Q74 Baroness Kidron: I wanted to ask a very small question. Sonia expressed the problem of how we know how old the child is and you have just used the phrase “open to children”. I am interested in this idea of what we know, and I am mainly asking you as a researcher, Sonia. There seems to be considerable evidence of how many children are actually using particular places. Do you both think that, if there was a regulatory framework that said, “If there are more than X children on your site, it has to be regulated or it has to be suitable for the youngest user”, that would be a way forward? Would we then get smart age verification terribly quickly?
Professor Sonia Livingstone: We might. The risk is that that might get services like WhatsApp saying, “I am sorry; we are not going to have any children at all”. WhatsApp has just raised its age to 16, and it is an interesting question as to whether it is the responsibility of researchers or children’s organisations to show that this has now caused a problem and that they are missing out on some of the opportunities that we would want them to have. My sense is that some companies—and we have already seen plenty of companies that want the family-friendly market—would begin to make that kind of offer. At that point, it becomes really important not to say what proportion of children are among the users, because there might be so many adult users that children always remain a tiny minority, but rather to say what proportion of children are using the services.
We know from Ofcom that 24% of 12 to 15 year-olds are using WhatsApp, as from last month, so they are either lying about their age—and it is shocking that a policy framework should put children in that position—or they have now been denied something that we know they were using to chat with their friends, grandparents and so forth. What exactly lies behind that decision? In other circumstances, would other companies say that this is a market that is worth something to them? I think they would.
Q75 Baroness McIntosh of Hudnall: Can I follow up that last point about age-appropriate stuff and particularly WhatsApp? I can see that there is a potential danger in its having raised its age to 16. That said, it is perfectly clear to me—and I know almost nothing about any of this—that children much younger than that are using WhatsApp. Children in primary school are using it and they are creating groups among themselves. They can only do that if they are enabled in some way: first, by being provided with the technology to do it, and secondly, presumably, by being able to lie about their age. We know they are being supported by adults in that. There is an education issue there, not just for the children but for the adults, and how we teach adults what it is appropriate for children to be doing. That is the first thing.
The second thing is the point I really wanted to raise. It is not just about content, but the actual design of the services themselves. Relatively anecdotally, it is possible to observe children who are using internet-based services that are not in themselves pornographic, inappropriate according to age or whatever, but are just addictive, and they spend an enormous amount of time on them and find it very hard not to. This question is about your view of the design quality of the services that are available now, and what more we can do to try to make children less vulnerable to those things. Are there ways in which children themselves are or can be involved in thinking this stuff through, so that the services are not only designed better for them, but they are able to understand what risks they run? An awful lot of this is quite top-down at the moment.
Professor Sonia Livingstone: I will respond to your comment on WhatsApp. Yes, I hope that something in terms of regulation from Government is going to be said about education, but we should take seriously the fact that children have, from a young age, adopted and embraced the chance to communicate through digital technologies with alacrity and enthusiasm. It is not just a matter of saying that companies have set certain age thresholds and we should educate children so they do not lie to get on. In a way, we have to recognise that this is a very real desire to be in touch. If I can invite us to stand back for a minute, we have designed a world in which it is now very hard for children to knock on their neighbour’s door or go and play in the street. We have separated them from each other and from their extended families, and then here is a fabulous service that they have embraced to stay in touch.
I will come to the addiction point in a minute, but it is not purely and simply about keeping them off. The challenge is to regulate in such a way that you stimulate rather than kill a potential market that can provide those kinds of services, such as Facebook Messenger. I do not think they should just be for children. I think of a broadly family-friendly, public‑friendly service that many other people would like to use, with some clear protections around it.
Baroness McIntosh of Hudnall: Before you go on, can I ask you to talk about how encryption works within that? The fact that you cannot see what is going on when services are encrypted means there are inherent risks, does it not?
Professor Sonia Livingstone: It is a coincidence that WhatsApp encrypts. It is the only service in popular use that does. I do not think any of the people we are talking about using it care that it encrypts. It does not encrypt for them and I do not think children are calling out for an encrypted service, so maybe there could be another service. I gather that WhatsApp encrypts for the same reason that it raised the age of use to 16, which is that it has a privacy ethos that means it does not want to have to collect data or be responsible for people’s personal data at all. Maybe WhatsApp has just argued itself out of the market.
I would prefer to call it a kind of compulsion and fascination, rather than addiction. You have heard me on this subject before. The clinicians are arguing about whether it is an addiction and doubting that it is. Could we think about better design and involving children in design? Absolutely, yes. You have the expert on this subject in the room. It is all about the defaults and finding ways not to maximise eyeballs, as they charmingly say, so it is not all about attention. Again, it is going to be either regulation or more differentiated business models. Part of me wants to think that this is just a very early stage in a whole new field and there will be more differentiation coming up. If there needs to be regulation, yes, let us regulate with notifications, endless reminders and pop-up reminders to say, occasionally, “Have you have been on too long?” There are ways in which you can set for yourself how long you want to be on before you go and get your homework done. Lots of better ways of managing attention could be designed in, which would be in the interests of the child, rather than in the interests of profit.
Tony Stower: It is an interesting point. You were talking there about what information children should be given and how they should be educated about this. That is absolutely part of the answer here. We at the NSPCC provide help and support both to children and to parents about how to set the controls appropriately and how to agree, as a family, what amount of screen time is responsible and useful, for instance, but that is only part of the problem. If we rely on children to make the right choice for themselves all the time, we can expect that some children will not make the right choice. They are children: they are pushing boundaries; they are testing and all of that.
As a society, we should expect that these services are safe and appropriate for children: every site, app and service. We should not expect children to have to remember what the settings are from what site and that they do not apply here, because there are different rules on the next site—that there is an app that is different here that resets itself every time you log in. We should expect that children, especially younger children, have the highest level of default privacy settings and parental controls. Then, when children and parents understand the impact of those settings, there should be an opportunity to loosen those controls, as children and their needs develop. It is clear that the level of co-ordination and compliance across the industry is very shallow at the moment. While there are pockets of good practice, some sites and apps are better than others, and some services in those sites are better than others. There is no consistency whatsoever, and we would be arguing for the regulator to take a strong approach on that.
Q76 Lord Gordon of Strathblane: On the point you were making, it seems to me that having 13 as some sort of minimum age is frankly daft. What we are really looking for is a platform that is suitable for seven year-olds and can be used by them. Would you agree?
Professor Sonia Livingstone: Yes, I would want age-appropriate design and different services for children of different ages.
Tony Stower: The whole concept of age verification at separate ages is unhelpful. We know that parents often defer to these settings. They may well think that, if the site that says it is okay for children at 13, that site is obviously safe. We know that, although the minimum age might be 13 for many sites, there are no special controls for children between the ages of 13 and 18. They may well be exposed to content and behaviours by adults that are totally inappropriate for them. We expect safety for all users; then you may have the capacity to turn off some of the controls.
Professor Sonia Livingstone: It comes back to the point about what the regulator does. If a company claims that its service is appropriate for a certain age group, there has to be some kind of independent verification of that.
Q77 Baroness Bertin: Could we bring it back to the education point, digital literacy in particular, and whether you think the Department for Education is as engaged as it should be in the curriculum? This Committee previously recommended that digital literacy should be part of the PSE curriculum. Whether it is going to be remains to be seen. What are your views on that?
Tony Stower: We are awaiting a decision from the DfE on the future of RSE and PSHE in schools in England. We have heard good messages from it, but it is not yet clear quite what the extent of the online safety messages is going to be in those lessons. At the moment, it is very much left to charities, such as the PSHE Association and us, to work together to come up with some of these lesson plans. There is not very much coming out of DfE that is appropriate. We would not want to see simply a lesson here and a lesson there about online safety. We would want to see this as part of schools preparing children for adult society.
Baroness Bertin: From a young age, children learn not to get into a car with a stranger. It is a rather clunky analogy, but we have to try to apply that to the rules of the road of the internet as well.
Professor Sonia Livingstone: I would suggest that it is a bigger challenge than that. I remember the policeman coming to my school when I was little, and we had the afternoon to learn how to cross the road, which parents reinforced. Now, we are trying to understand and help children grasp a very complex system that is changing all the time. With respect, it would be problematic if it were left to charities, which can disseminate and do occasional forms of awareness raising, but education is a process that involves a pedagogy that requires trained teachers.
Baroness Bertin: It has to be placed in the system.
Professor Sonia Livingstone: Yes, absolutely. I am told that, at the moment, digital literacy is approximately one hour in the citizenship curriculum in our secondary schools. The subject association is incredibly under-resourced and pressured. It is not just a matter of saying we want schools to take it on; it should be absolutely clear what is done in PSHE, what is done in citizenship and what is done in the computing classes, which are also required to teach children how the internet works, which is part of what they need to understand.
Baroness Bertin: There needs to be training of the teachers, presumably.
Professor Sonia Livingstone: There needs to be continual training of the teachers because, if a teacher teaches for 40 or 50 years—although people do not usually last that long—it is not going to be what they learned in their initial teacher training. It is a very serious task. The Department for Education should clearly be involved.
Baroness Bertin: Am I hearing from you, then, that the Department for Education needs to double-down on this issue a bit more?
Professor Sonia Livingstone: I do not know what the thinking at the Department for Education is, but I have been at hundreds of meetings about children’s internet safety, rights and literacy, and I very rarely see anyone from that department.
Tony Stower: This can only be part of the comprehensive solution. Digital literacy, the new Green Cross Code or whatever can only be a very small part of this. We cannot expect that children, even if they have all the lessons and this is baked into the system, will always make the safest choices for themselves. We need a wider system that respects their needs and their developmental position.
Professor Sonia Livingstone: It must provide a safety net because, however good education is, we know it reaches 20% really well, 70% fairly well and there is 10% it does not really reach. Those are probably the ones who come to the attention of NSPCC.
Tony Stower: That is absolutely right. With any solution, whether parent-based or education-based, there will be children who simply cannot take advantage of it, perhaps because they are being looked after or have chaotic home lives, which we deal with quite regularly. That is why the systems themselves need to be safe from the first moment that a child goes online.
Q78 Viscount Colville of Culross: I would like to ask you about data protection and privacy. Do you think the platform should do more to tell children and young people about how their data is being collected, or do GDPR and the Data Protection Act have that covered? Is there enough transparency and privacy built into those two pieces of legislation?
Professor Sonia Livingstone: We are waiting to see; that is the honest answer, because the GDPR and the Data Protection Act are only just coming into force. We have not yet seen what all these child-friendly and child-interpretable terms and conditions will be like. We have all seen, from the endless requests to update our privacy permissions on any service we have used, that we are still in the land of tick-box exercises and user-unfriendly or privacy-unfriendly defaults. You can scroll down and read the terms and conditions, but I know I have been staring puzzled, asking, “Does that mean you are going to collect or not going to collect?” Children will be in a much worse position. It might be that this is what the ICO has in its sights, action will be taken and everyone will start learning much better what good practice looks like, because the companies just do not know what good practice looks like, but it might be that a lot of great hopes are about to be disappointed, in the form of the GDPR.
Tony Stower: There is nothing to disagree with there, Sonia. We simply do not know. It is worth saying that the advent of GDPR brings certain benefits to children, including the right of erasure, which could be a very powerful tool. Children who have uploaded their personal information to social networking sites have the absolute right to have it removed, in almost all circumstances. This is all well and good. If you ask Facebook or Twitter, they will say that you can delete your account and that is that, but it is not going to be that simple for children in reality. If you delete your account, it may delete the data, but it also cuts you off from your friends. Children are not going to make those kinds of choices in that way. There needs to be more granularity.
However, we also think there needs to be a much more expansive approach taken to the right of erasure. If you think about photographs that children might upload, particularly what are called self-generated indecent imagery, so nude selfies, the ICO is very clear that personal data, under the GDPR, is data that is about you. If you take Facebook’s approach that you can simply delete that data from your own account, that is all well and good, but that photo may well have been shared elsewhere. It may well have been screenshotted, so the metadata has been lost. It may well be going all round your school, or in even less savoury hands. We are clear that a really expansive approach needs to be taken, and Facebook and the other sites need to work closely with ICO and children’s groups such as ours to make sure that children can genuinely delete their data and make this a reality.
Professor Sonia Livingstone: That is the safety side, but the privacy side is also that the data has gone to all kinds of third parties that nobody has any idea about. What is the process of getting back all of that data and all the metadata? I do not know. The experts here will know exactly who owns that and the limits of the definition of personal data. Who owns the profile that has been created about you? Who owns the way in which discriminatory decisions might be made about you in the future, because of the collation of data from multiple sources? How we and our children are going to get that back, I cannot imagine.
Q79 Baroness Kidron: This is a slightly leading question, because I introduced the age-appropriate design code into the Bill, so I need to put that on the record. Do you think what you have expressed about the design of services goes to the design of data? To your point, we have to do it upstream. Before all that dissemination, we have to consider what is appropriate to take from children.
Professor Sonia Livingstone: Your remit is whether the internet should be regulated generally, not just for children. Some things might be better done for everybody, like control over third-party data and regulation of profiling. Some things are better done particularly for children. I do not know that the GDPR has got the balance right in that regard. It is unclear about profiling children. We might want to say that children particularly should not be profiled. Adults might understand that they should be profiled.
To your point, yes, I absolutely favour particular protections for 13 to 17 year-olds, different from but no less real by comparison with those for zero to 12 year-olds. One of the interesting questions for this Committee is how far control over data should be better guaranteed for everybody. That might be the best way of protecting children in the long run.
Baroness Quin: My question was widening it out from children to the protections for all of us, basically, but you have just alluded to that.
Q80 Lord Allen of Kensington: Tony, in your written evidence, you said that 50% of 12 year-olds have a social media account and the minimum age is 13. I would like to explore further what practical policies online platforms should follow on things like age verification, privacy and anonymity. Do you have specific things you would like them to do?
Tony Stower: Absolutely we do. I alluded to the issue about age verification before. I am never quite sure what problem it is trying to solve. Yes, if the technology was there to allow robust age verification at 13, we would know that only 13 year-olds could be on a site. Absent any other protections, it would not be of great benefit to 13 year-olds and, inevitably, there will be children on either side of the boundary who may benefit from being on the other side of it.
There are things that we think the internet companies should do and simply are not doing at the moment. That is why they require regulation, in our view. The first is that they need to be much better at dealing with grooming. We know that sexual grooming happens and is incredibly widespread in the UK. In fact, in the first year of the new offence of sending a sexual message to a child, the police recorded over 3,000 offences in England and Wales. We released that figure this week. These are messages that have been sent across social networks—text messages and things like that. We cannot quite be sure how many children those offences relate to, because some offenders will send messages to many children at a time, but there is simply not enough action by the networks themselves to pick up those kinds of issues before they arise.
We want them to put in place effective algorithms to detect the kinds of behaviours that we know groomers use. They may be sending “friend” requests to children they have no familial connection with or are geographically distant from, or receiving a large number of rejected requests. We know that many groomers use that approach. There is a developing science of techniques around the linguistics that groomers use. Cardiff University in particular is focusing on some of this stuff. The internet companies are great at using linguistics to target advertising; we know that this is something they could do more of to prevent grooming. We want them to be better at liaising with the police service, so that the police can understand more about the techniques they say they are already using.
We think that children should be told and directed to support when they are at risk of grooming. One of the features of grooming is that, too often, children do not realise they are being groomed until it is too late. It is more often discovered than disclosed. We want to make sure that children are directed to services such as Childline, which can offer help and support.
I should say one other thing before we move on: we also think that all under-18s should have safe accounts from the first moment that they go online. Unless an account can be proved to relate to an over-18, the geolocation setting should be at the highest privacy protection. Live streaming should be protected, so that only verified friends can view it. There are various controls that we would like to see for friend requests as well. All these should be set at the highest as a default, with strong educational measures so that children know what they are doing if they are loosening those controls.
Lord Allen of Kensington: It is something we covered in our last report, but are you still getting resistance from the companies and platforms?
Tony Stower: We have been banging on about this for quite some time and some sites are doing very well at this, actually. Some companies engage with us and have made quite a few improvements, but even those sites are coming to it late, after we have had a go at them, and there is no consistency across platforms. We would like to see safety baked in by design, from the first moment that a service is thought of. There is a tendency in the internet world for designers to think that the end users are like them: they are largely adults, who are intelligent and have the capacity to make a careful discrimination between people’s bona fides. We are clear that children do not have those skills in all cases, and they need an extra bit of help to protect them.
Professor Sonia Livingstone: I absolutely agree with everything Tony just said. About 10 years ago, the predecessor to the UK Council for Child Internet Safety, which was the Home Office Task Force on Child Protection on the Internet, made a code of conduct that pretty much contained many of the things that we and the child’s rights, welfare and wider stakeholder community wanted to see. It wrote that code, which was adopted by the UK Council for Child Internet Safety in 2010 and, as far as I can see, never implemented. It was not implemented for a number of reasons that are deeply regrettable.
One genuine problem is identifying to whom it applies in the first place. Who is this? We can see that we want Facebook and Instagram in there, but do we know about musical.ly and do we have Omegle on our radar? Have we thought about all the others? When the NSPCC, in its Net Aware project, began reviewing the 50 top social network sites that children use, you could not find a person who could name those 50. It is an extraordinarily long tail, with a number of platforms coming in all the time. They all have to be brought into it, because what we know about children is that, if we make some services safe, they will go to the others. That is why an inclusive approach is necessary.
One of the interesting points in the GDPR that we have yet to see working is that regulation, especially interventionist regulation, is meant to be risk-proportionate. That means that all these companies now have to do risk impact assessments, taking into account the likelihood of children, including vulnerable children, being on their services. We do not know how that is going to pan out, but I hope that the ICO makes sure that those assessments are adequate.
Q81 Baroness Quin: I will just raise the international dimension, both European and worldwide, to see what you feel or hope might happen in terms of international and European co-operation. Sonia, you have been working on some aspects of the UN Convention on the Rights of the Child, so it would be interesting to have your take on what could happen there. At the end of the last session, we were looking at the effect of the UK leaving the European Union, the possible loss of influence and whether it will make a difference in reality, because we will want to stay as close to its decisions as possible. Your thoughts on both the European and international dimensions would be helpful.
Professor Sonia Livingstone: If it is complex in Britain, it is even more complex when we look first to Europe and then internationally. Even in Europe, we can see regulation pulling in opposite directions. A lot of the difficulties we are having with the way in which companies act are because of the electronic commerce directive, which makes them platforms, not publishers and not responsible. I do not know whether it is feasible, or even desirable, for Britain to move away from the e‑commerce directive, but I hear a lot of discussion about how we might make platforms somehow more like publishers, if it can be done politically. If Britain can be part of that push on a larger canvas, it is much more likely to be impactful than if we become a weird space in a weird market, in which I cannot imagine how international companies are going to operate or respond.
On the UN Convention on the Rights of the Child, I and some others wrote a case for general comment for the Children’s Commissioner. It is about the Committee on the Rights of the Child’s mechanism for ensuring that a particular new issue on the horizon, such as the digital environment, is properly attended to by all the countries that ratified the convention, which was everyone apart from America, sadly and curiously. This matters, given the headquarters of most of the companies that we are talking about. The committee is certainly making very positive signs. If that were to go ahead, it would set out an ideal statement of what could happen.
In a parallel process, I have been advising the Council of Europe, which is about to pass a recommendation with guidelines for its member states on how to translate the UN Convention on the Rights of the Child in terms of the digital landscape. What does it mean for privacy protection, participation and parenting responsibility across the board? These statements are as good as the paper they are written on, in a sense, if they are implemented. They provide a gold standard, a sense of what the to-do list looks like and a statement of what “good” looks like. There is a lot of uncertainty in this space about what “good” could look like, so this is some thoughtful, rights-informed thinking.
As soon as you switch to a rights framework rather than a protection framework, you get the question of harms. That is not to make it less important, but to see how it is part of a bigger picture. This is also about children’s participation and positive provision for their benefits and opportunities online. We should be part of it, putting our enthusiasm into it and making it happen. We are not especially doing that at the moment. I do not know that this is a landscape for which we can make a Britain‑only set of provisions.
Tony Stower: I wonder if some of my comments might run slightly counter to Sonia’s. There is a great deal of international co-operation in this space already. The IWF, which you have heard from, works with many international partners. The WePROTECT Global Alliance is an international group that is attempting to bring together some players here to make the internet better. We at the NSPCC have some concerns about what happens to children after Brexit. I have no idea what is going to follow the e‑commerce directive in domestic law. It would be great to hear if you do. Certainly, we do not know what is going to happen after we leave Europol, the European arrest warrant and Eurojust, which helps to co-ordinate some of these investigations. We have expressed concern about that in the past.
We are dealing with global companies, but the UK is a very big market. For several of these companies, the UK is their second-largest market in the world. They have told us at times in the past that you simply cannot have a domestic one-country solution to this. I just do not believe them on that, to be honest.
Lord Gordon of Strathblane: What about China, for example?
Tony Stower: I am not sure that is the example I would choose but, while most of these companies are based in the US, they have subsidiaries within most countries and target advertising very closely, even at the subnational level. It is certainly possible to put in place restrictions there. In different countries that have different language requirements, they have moderation in local languages, usually based in that part of the world, if not in individual countries. We know that global companies have adapted to local regulations for many years. Think about simple things like product safety and electrical plugs. If you buy a toaster in this country, it has a three-pin plug; if you buy one in France, it has a two-pin plug. That is a very simplistic example, but it is quite possible to adapt your business models. It might not fit within current business models, but they are always adaptable.
Look at what has happened in Germany with the recent legislation on hate crime. The German Government have taken a very strong line, which is that companies that host hate content must remove it within 24 hours of being notified and within less time for the worst content. That has not been smooth sailing for them, but we have seen a ramping up of the number of moderators and approaches they have taken. It is eminently possible to do this, if only there is the will.
I should say that the UK is already regarded as an international leader in parts of this space. We talked earlier about age verification for pornography. We know that several jurisdictions around the world are looking to the UK. They want to see it being a success here, so that they can adapt it to their local situation. It is possible to regulate on a UK level. Of course, there will be norms that we need to think about applying internationally, but we should not let the absence of an international framework prevent us moving ahead.
Baroness Quin: Picking up the last point that was made in the previous session, there seemed to be one view that America was going to remain rather distinct from Europe in its way of doing things, its legislation and so on. Another view was that, because of the internationalisation of industry, they are coming closer towards the European model and an international consensus. Do either of you have a view on how America is moving?
Tony Stower: I am afraid I do not have anything to add on that.
Professor Sonia Livingstone: We can see some subtle differences in the ways in which America prioritises parental responsibility and rights, perhaps, over children’s rights. We sometimes see this playing out in the internet space. I hear informally from a number of companies that they would like everyone to agree on the one model. They fear that model of different provision in different markets. We can see that America is much tougher in some ways, but at the moment it is much looser in how it provides for and protects its children.
Q82 The Chairman: Maybe it was just on the basis of the questions we have asked, but neither of you has spoken much about the role of parents and parenting. We have used some analogies about the role of parents. My parents taught me how to cross the road and that was reinforced in lessons at school and in television campaigns. My parents primarily told me not to get into a stranger’s car and that was reinforced elsewhere. You have not spoken much about their role. Is that because these issues are too difficult for parents who were not born in the digital age, when their children were, or is it because the quality of parenting is not adequate? Were you in fact referring to parents when you were talking about the need for education and support?
Tony Stower: It is quite a big issue in the limited time that we have. The first point is that parents absolutely are part of the solution to this problem. The NSPCC works with parents to provide them with information. The Net Aware tool that Sonia talked about is primarily aimed at parents, to help them understand what parents and children think about the apps and sites that children use. We have workshops with parents to help them understand some of this stuff as well.
It can be very difficult for parents to keep up with the latest games and apps, because they change all the time. If you look at Omegle or musical.ly, they only arose in the last three or four years. Facebook is old hat to young people now. While parents may not understand the details of how to talk about individual games, apps and sites, they have many adult skills that they can pass on to their children about how to assess people’s approaches and how to keep yourself safe generally, which you and I would perhaps take for granted.
We also need to remember that not all parents have those skills and abilities to keep their children safe. It is a well-known trope now that parents face more pressure than they ever have, especially in families where two parents are working. People may just not have the time and not everyone has parents, so we cannot rely on parents to protect their children. These issues are discussed on internet forums and sometimes, late at night, if I want to get myself enraged, I go on and look at them. I take exception when the answer always comes that it is down to bad parenting. We see in our services up and down the country that it is not that. So many children simply do not have parents who are capable or who are even there, who can protect them in this way. That is why we have focused our lobbying and influencing work on the companies instead, to make sure that the services are safe from the first moment that children use them.
Professor Sonia Livingstone: I have spent a lot of the last couple of years interviewing parents. Most parents are absolutely willing and quite keen to engage with this issue. They do not know where to turn and they are getting a lot of advice, much of which is proprietary and competing. It says, “Come and use our service and our solution”, but they do not know how to weigh that. A lot of it is wrapped us as educational, but really it is not. A lot of it is wrapped up as protecting privacy, but it may not be. They need somebody to mediate and evaluate the claims that are coming at them.
What they are told is misguided, in a way. A lot of parents tell me about screen time. I do not say it is not an issue, but what the kids are doing on the screen is more important than how many minutes or hours they have been on it. There is a desire for a simple solution. Judging the kinds of interactions your child is having online or the kinds of services there to protect them is a fantastically hard task, and nobody is speaking to parents except those with a particular interest at stake—apart from the children’s charities, which cannot be expected to do everything; or maybe they can.
The Chairman: On behalf of the Committee, can I thank our witnesses? We are very dependent on evidence. We like to make serious evidence‑based conclusions, and you have given us ample evidence from a very expert perspective today. We would welcome any further evidence that you come across. It is a developing area, as we all know, and our inquiry will take some time, so we would welcome any material that crosses your desk that you think may be of value to the Committee, if you would forward it to the clerk. Similarly, if there is anything you thought we might have talked about today and did not, or anything that you might have said but did not have time to, please do not hesitate to write to us and give us the benefit of your wisdom. Thank you again for taking the time to be with us today.
[1] Mr Stower clarified that he meant that some of that activity is not of concern because it is not always exploitative.