August 28, 2015

Running with the devil

The Conservatives' election manifesto included a pledge to require websites displaying adult content to implement age verification. This week, I attended a meeting organised by the Digital Policy Alliance (whose own website unfortunately appears blank to me) convened to study the details in which the devil always lurks: how it might be done. The somewhat government-approved DPA's plan is to generate a document to be handed over to the BSI to use as the basis for a standard websites can implement (which means raising the funds to pay the BSI for drafting). erroll-lords.jpgIn charge of proceedings was the cross-bench peer, the Earl of Erroll, who has a long record of sanity on IT-related issues.

The background: multiple parties are pushing for age verification besides Prime Minister David Cameron. In November, Parliament quietly passed the Audiovisual Media Services Regulations 2014 (PDF), which came into force on December 1, 2014. These rules require anyone providing on-demand video that would be refused an over-18 classification to ensure that it cannot be viewed by those under 18. Sex and Censorship has a critical analysis. This week, the Authority for Television on Demand (ATVOD) charged 21 adult websites with violations of sections 11 and 14 of these rules. ATVOD is also the source of the 2014 For Adults Only? (PDF)">study of young people's access to pornography (though its methodology has been criticised.

Also a precipitating factor is the Online Safety Bill, sponsored by Baroness Howe of Idlicote, her fourth attempt in four sessions. Howe believes identifying adult content and providing a mechanism for dealing with overblocking claims should be jobs for Ofcom. The growing pressure is reminiscent of 1996, when the Internet Watch Foundation was created: "regulate or be regulated".

As noted at this week's meeting, age checks happen in retail all the time: in movie theaters, in shops selling cigarettes and alcohol (and, in Colorado, marijuana), at car rental offices, and in libraries. In many of these cases, online age verification is beside the point because the buyer has to acquire the good or service in person, but in many others it's not: gambling, gaming, some games, and so on. At this week's meeting, the representatives of the adult content industry indicated they'd actually be glad to have a way to filter out underage visitors, who produce no revenue and cost bandwidth. Age classification already applies to music videos.

The first thought in such cases always seems to be to confuse verifying an attribute - in this case, age, which the group resisted expanding upon - with verifying identity. This was the most positive part of this week's meeting: there was general agreement that what's needed is a lightweight system that avoids the privacy and security issues surrounding collecting personal data. If I can prove I'm over 18 you don't need to know my identity and you don't need to store anything more than "18=yes". Creating such a system involves solving two technical problems. First: devising a way of implementing the check in a form that websites can automate. Second: tying that verification to a single specific person so only they can use it. The second problem is far harder than the first. Big brothers buy little brothers beers in the offline world; parents, a 2011 survey found, have helped millions of under-13s to lie about their age so they can use Facebook. No amount of technology or government fiat can force parents to implement what others have decided are "responsible" rules.

LSE researcher Sonia Livingstone, who often tries to calm down moral panics Sonia Livingstone (and for whose Parenting for a Digital Future blog I write) has found generally that what both children and parents want is tools and skills to manage their own online environment, recommending a "complex solution for a complex problem". She advocates using multiple approaches: legislation, self-regulation, community norms, education (adding attention to pornography, coercion, and consent issues to the sex education curriculum), empowerment, and welfare intervention where needed.

Within those bounds, can age checks work? It depends on what you think "work" means. Very few pornographic websites are based in the UK. The only obvious way to force a non-UK website to comply is to block it - or, as someone facetiously (I hope) suggested, throw the owners in jail if they step onto UK soil. In pushing for age checks, proponents may not care how they are implemented, making it hard to ensure that they don't turn into excuses for the usual data-driven suspects to corner the market as intermediaries, scooping up even more data about everyone and holding smaller UK businesses to ransom. The makeup of the meeting's membership was not promising in this regard: there is not enough representation from consumer protection, small business, academic research, or civil liberties groups. For them, it's a conundrum: if they oppose it as censorship, do they refuse to participate on principle and hope it fails, or do they join to ensure the result is as least-worst as possible?

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.