Written evidence submitted by John Carr OBE Secretary Children’s Charities Coalition for Internet Safety (OSB0215)

 

 

Age verification

 

The UK was the first country in the world to introduce mandatory age verification in respect of any service provided on the internet. 

 

Since the relevant provisions of the Gambling Act 2005 came into force to limit access to gambling web sites by under 18s, age verification technologies have been proven to work extremely well. Previously the great majority of gambling web sites operating in the UK had the ability to limit access by minors, but they chose not to until everyone was compelled to do it at the same time.  They were worried if they went first, or early, they would lose business to less fastidious competitors. They saw no significant advantage in standing alone wearing a halo.

 

The age verification technologies which exist today are superior to those which existed in those early days. They can operate at scale and in an entirely privacy respecting way. The ICO’s Age-Appropriate Design Code, the UK’s versions of the GDPR and the AVMSD, indeed the draft Online Safety Bill, all point towards and encourage greater use of age verification or age assurance.

 

There is a strong case for saying that wherever there is a law which imposes an age limit in respect of a particular product or service, it is an offence for any online site or service to seek to supply that product or service without having in place robust and effective tools which seek to ensure compliance with that law. Sites or services operating in the UK cannot be wilfully indifferent towards or careless about UK law.

 

Mindful of the rule of proportionality, and having regard to available technical solutions, in their Terms and Conditions of service no company should require users to be above a particular age without having the means to ensure they intend to, can and do enforce it. Otherwise, such age- related statements may be no more than deceptive marketing puffs.

 

The nature of the content or service provided to users should be age appropriate. The granularity of the steps taken to verify or assure a given age should be linked to a risk assessment.

 

Under any new legal regime, no online service or business should be allowed to run its own age verification system i.e. one which seeks to confirm the age of users of its own site or service. This will help avoid an obvious conflict of interest and avoid the appearance of a conflict of interest.

 

Businesses or organizations which use age verification services should be prohibited from having any kind of economic stake or other interest in any age verification provider. They may secure services from age verification providers but that has to be the limit of their engagement with them.

 

All age verification providers services and systems must be subject to independent external scrutiny and audit and conform to recognised, publicly stated standards.

 

 

 

 

Anonymity

 

Nobody should oversell the idea that anonymity currently exists on the internet, or ever has. Moreover, the claims now being made for end-to-end encryption (E2EE) are overblown and promote or perpetuate an idea which could put people in peril. This is discussed further below.

 

Snail mail preferred

 

At least one well known web site hosted by tech-savvy investigative journalists informs would-be whistleblowers how to send them information in a privacy compliant/anonymous way. It then gives a very strong steer towards using the traditional postal service. This is because they believe a powerful adversary likely already has the technical capabilities required to detect and identify the activity of any internet user whom it considers to be an actual or potential threat.

 

Where the law appears to have been broken or there is a threat to national security, most of the larger national security and law enforcement agencies around the world will have the capability to determine who is responsible. In any individual case the only question which typically arises is whether or not the agencies concerned think it is worth the effort in terms of time spent and cost. Everything is a matter of triage. That in itself is nothing new for law enforcement and the security services, but the internet has taken matters to a whole new and completely unacceptable level.

 

Two-tier system

 

Thus, what we have right now is a two-tier system in which a relatively small number of individuals with considerable technical knowledge can make it harder for their actions to be traced (but not impossible) or they can delay discovery, perhaps to a considerable degree. They will also be much better equipped to spot and deal with potential online threats to their personal safety, privacy or finances. They can live with things just as they are.

 

Meanwhile the rest of us suffer a constant, day to day background buzz of unlawful or anti-social behaviour when we go online. We always have to be on our guard for scams, malware, abuse, misinformation and what have you. We are then asked by people in that first group, in effect, to put up with all this as the unavoidable price we need to pay in perpetuity in order to continue to benefit from the good things the internet has brought us all. I very strongly reject that proposition.

 

The current situation has arisen in no small part because of the unintended and unforeseen consequences of the chaotic way in which the internet evolved and, perhaps above all, by the scale and speed with which it now operates. The latter factors are further complicated by the transnational nature of the medium itself and a related absence of clear rules which would oblige a platform to hand over data about an alleged miscreant to the authorities, to a plaintiff or other properly authorised entity with just cause.

 

What has been lacking hitherto are sufficient incentives to put things right. The Online Safety Bill offers the opportunity to address that.

 

More than one way of thinking about the internet

 

Much of the debate about anonymity seems to rest on the assumption that the internet is pre-eminently concerned with advancing or promoting, repelling or constricting, different political projects or social agendas, or it is about providing whistleblowers with cover, or to the contrary, depriving them of cover. Any and every action which anyone might take or propose in respect of how the internet is managed is judged against this yardstick or seen through this prism

 

This is bizarre. It completely overlooks the fact that for the vast majority of people for the vast majority of the time the internet is in no way connected with matters of that nature.  If the internet is pre-eminently anything it is a medium for children, families, education, research, commerce, and communications between friends who already know and trust each other. Yet in the longer term all of these are at risk of being compromised or devalued because of the aforementioned hazards.

 

Most assuredly the internet has become an important element in the political, social and cultural life of modern democracies and in facilitating new connections between people who will get to know and trust each other but it is an odd idea that everything to do with the internet must be subordinated to such considerations and no others.

 

There has to be some kind of balancing in which we can imagine a world where, within countries with democratically elected Governments that honour the Rule of Law, irrespective of the available technology, there will not be routine or regular unlawful abuse of an individual’s rights to privacy or free expression and where, in order to ensure things stay that way, it is known there are trusted systems in place which can prevent, or detect and correct, any transgressions.

 

The alternative view is that tech is simply a weapon to protect everyone in a never-ending fight against all Governments. North Korea is indistinguishable from Sweden or the UK.  Ultimately our only protection therefore comes from the cleverness and nimble feet of a self-appointed techno priesthood. No, no, no to coin a phrase.

 

Neither can we say to people living in Britain that we refuse to do the maximum possible to protect our children, to protect women in public life, to protect a range of different minorities or marginalised communities, to protect ourselves, because, if we do, we are worried bad Governments elsewhere will copy our tactics, put them to bad ends, using our example to justify their actions.

 

Kim-jong un does not habitually wait for a memo from Westminster before doing terrible things to the people of North Korea. That line of argument hands over control of reform of the internet or the pace of change to the most reactionary regimes on the planet. It is a self-serving absurdity.

 

Traceability” not anonymity is what matters

 

If I want to log on as “Zapata” and discuss some of my (sadly non-existent) unusual hobbies or preoccupations, but without all my neighbours, employers or anyone else knowing, I should be able to do that.

 

But I should also know that if I cross a line, certainly in relation to the criminal law, I can be rapidly, inexpensively and accurately identified. Car number plates are the best analogy. The fact of their existence without doubt modifies the behaviour of a great many, not all, drivers, therefore unquestionably it helps create a better and safer driving experience for every road user. Note, the car registration system is a global one.

 

In the UK there should be a legal obligation for a trusted DVLA-type agency to acquire, keep and hand over identification data upon receipt of a lawfully executed request. Perhaps, as with driving offences, certain classes of offences could be dealt with administratively but with additional penalties attaching if a certain number are recorded. As with motor vehicles the entire system would be governed by law and the courts, only progressing to the higher courts where there is a dispute, or the allegations are of a more serious nature.

 

Establishing a system such as this would, very obviously, be a mammoth undertaking particularly as we sought to get other countries to join in, but we have to start somewhere. There may be intermediate steps which could be adopted sooner which would help smooth the way. I am afraid any alternative protective system, one which relies solely on AI or human moderators or some combination of these will, in the end, fail because of the problems of scale and speed.   Miscreants will know the chances of law enforcement or the platforms themselves acting effectively against them are small to non-existent because the systems are or could easily be swamped.

 

The E2EE misrepresentation

 

As hinted at earlier, there is a school of thought which says there is no such thing as anonymity online, or at any rate that a powerful adversary already has the means to identify users whom it considers to be an actual or potential threat.

 

For example, the metadata surrounding an E2EE envelope already can be and is being captured and analysed by many of the platforms themselves. They are also obtained by law enforcement upon production of a warrant, and they are open to capture by unauthorised third parties. Meta data yield valuable intelligence about users. But with the advent of quantum computers not only will the meta data continue to be readable, the actual content of an E2EE message will be exposed.  

 

9 November 2021

Quantum computers would find it trivially easy to crack any and all of the forms of encryption currently in use. A recent article in “New Scientist” suggested certain bodies were already siphoning off and storing encrypted data in anticipation of doing just that. They might be able to do it very soon. It is possible whoever does so will uncover a treasure trove of sensitive, valuable or highly embarrassing information which can be used to great effect.

 

There is talk of developing “quantum-proof” forms of encryption but, as far as anyone knows, this is not yet a reality and even if it becomes one that will be of little or no help in relation to the encrypted messages that have already been sent or will continue to be sent until quantum-proof forms of encryption arrive.

 

Moreover, if these already sent or soon to be sent encrypted messages are being diverted and kept on a hard drive with an air gap in Pyongyang how will anyone be able to reach them to protect the authors retrospectively? They won’t.

 

Makes the services of the Royal Mail seem all the more appealing.

---ooo---

 

 

5