
Child Safety Online: Age Verification for Pornography - GOV.UK

The government’s consultation process on blocking children from accessing porn has completed and they have published the results and the way forward.


From Child Safety Online: Age Verification for Pornography - GOV.UK

I was listening to reports of this on the BBC and I heard at least two mad schemes being suggested. One was to use credit card details as a mechanism for proving that someone is over 18 and the other was to have people send their passport details to porn sites. What I didn’t hear being suggested was the development of a sane digital identity infrastructure capable of actually solving the problem. Since I’ve written about this topic several times in recent years, I thought I’d bring together a couple of old posts and update them with some new thinking to try to explain why the ideas I heard on the radio are not only wrong but dangerous and to make a sensible suggestion as to how the problem should be fixed.

So let’s start by going back a few years. For me, my serious interest in this topic began a few years ago when I was finishing up my book “Identity in the New Money”. I went along to the seminar on “Childhood and the Internet – Safety, Education and Regulation” in London in January 2014. I was there for three main reasons:

  1. I am interested in the evolution of identification and authentication in an online environment, and protecting children is one of the cases that brings the mass market practicalities into sharp relief.
  2. Consult Hyperion had clients who are developing recognition services, and it seems to me that if these services can contribute to a safer environment for children then we may have something of a win-win for encouraging adoption. Note that “recognition” is the term I use here for the combination of identification and authentication that is appropriate for the authorisation of the transaction at hand.
  3. Protecting children is an emotional topic, and as a responsible member of society it concerns me that emotional responses may not be society’s best responses. This is a difficult subject. If, as technologists, we make any comment about initiatives to protect children being pointless or even counterproductive, we may be accused of being sympathetic to criminals and perverts, hence we need to learn to engage effectively. I’m not interested in childhood e-safety theatre, but childhood e-safety.

That seminar was kicked off by Simon Milner, the Policy Director (UK and Ireland) for Facebook. He started off by noting that Facebook has a “real” names policy. Given my fascination with the topic, I found his comments quite interesting as they were made on the same day that the head of Facebook, Mark Zuckerberg, was interviewed in Business Week saying that the “real” names policy was being amended.

One thing about some of the new apps that will come as a shock to anyone familiar with Facebook: Users will be able to log in anonymously.

[From Facebook Turns 10: The Mark Zuckerberg Interview – Businessweek]

Simon went on to say that the “real” names policy, setting to one side whether it means anything or not, is a good thing (he didn’t really explain why and I didn’t get a chance to ask) and then talked about how children who are being bullied on Facebook can report the problem and so on. I know nothing about this topic, other than as a parent, so I can’t comment on how effective or otherwise these measures might be, although I have heard anecdotally from many sources that they are of limited impact. I found some of the talks by the subject matter experts extremely thought-provoking and I’m glad I heard them.

The main discussion that I was interested in was led by Helen Goodman MP (the Shadow Minister for Culture, Media and Sport) and Claire Perry MP, who is the Prime Minister’s special advisor on preventing the sexualisation and commercialisation of childhood. The ex-McKinsey Ms. Perry attracted a certain amount of fame in web circles last year (just search on “#PornoPerry”) when she made some public statements that seemed to indicate that she didn’t completely understand how the internet worked, despite being behind the government’s “porn filter”. (I am not picking on her. I should explain for foreign readers that most MPs are lawyers, management consultants, property developers, PR flacks and such like and they don’t really understand how anything actually works, least of all the interweb tubes. Only one out of the 635 MPs in the British Parliament is a scientist.)

Now, let me be completely honest and point out that I have previously criticised not only the “real” names movement in general but Ms. Goodman’s views on anonymity in particular. I think she is wrong to demand “real” names. However, as I said a couple of years ago,

I’m not for one moment suggesting that Ms. Goodman’s concerns are not wholly real and heart felt. I’m sure they are.

[From The battle of the internet security experts – Tomorrow’s Transactions]

This does not make her right about what to do though. Forcing people to interact online using their mundane identity is a bad idea on so many levels.

But that was the same month that the Communist party struck its first major blow against Weibo, requiring users to register their real names with the service. From that point, those wishing to criticise the Party had to do so without the comforting blanket of anonymity and users started to rein themselves in.

[From China kills off discussion on Weibo after internet crackdown – Telegraph]

I’m not suggesting that Ms. Perry represents a government intent on creating a totalitarian corporatist state that reduces us wage-slaves to the level of serfs to be monitored at all times. I’m sure her good intentions are to block only those communications that challenge basic human decency and serve to undermine the foundations of our society, such as MTV, but the end of public online space seems a drastic step. What has been the result of the Chinese campaign to end anonymity? What is the practical impact of a real names policy?

Once an incalculably important public space for news and opinion – a fast-flowing river of information that censors struggled to contain – it has arguably now been reduced to a wasteland of celebrity endorsements, government propaganda and corporate jingles.

[From China kills off discussion on Weibo after internet crackdown – Telegraph]

None of us, I’m sure, would like to see pillars of our society such as the Daily Mail reduced to the level of “celebrity endorsements, government propaganda and corporate jingles”. Perhaps there is now less crime in China too, but I have yet to discover any statistics that would prove that. I don’t want this to happen to Twitter, Facebook and The Telegraph web site (where it is my right as an Englishman to post abuse about the Chancellor of the Exchequer should I so choose). So here is a practical and positive suggestion. At the seminar Helen said that “The gap between real-world identity and online identity is at the root of [the problem of cyberbullying]”. So let’s close that gap. Not by requiring (and policing) “real” names, but by implementing pseudonymity correctly. I wrote an extended piece on this for Total Payments magazine recently.

Now imagine that I get a death threat from an authenticated account. I report the abuse. Twitter can (automatically) tell the police who authenticated the transaction (i.e., Barclays). The police can then obtain a warrant and ask Barclays who I am. Barclays will tell them my name and address and where I last used my debit card. If it was, say, Vodafone who had authenticated me rather than Barclays, then Vodafone could even tell the police where I am (or at least, where my phone is).

[From Dave Birch’s Guest Post: Anonymity – privilege or right? – Total Payments : Total Payments]

As I said, I don’t just want to talk about doing something about cyberbullying and the like, I actually want to do something about it. “Real” names are a soundbite, not a solution. What we need is a working identity infrastructure that allows for strongly-authenticated pseudonyms so that bullies can be blocked and revealed but public space can remain open for discussion and debate. Then you can default Facebook and Twitter and whatever to block unauthenticated pseudonyms without insisting that the kid looking for help on coming out, the woman looking at double-glazing options or the dreary middle-aged businessman railing against suicidal economic policies reveal their identities unless they want to.

We’d all, I’m sure, prefer a world in which children did not have access to corrosive and nauseating material that undermines our civilised society. But how can we stop children from seeing MTV and the Daily Mail? The government has given up on this, I’m afraid, and has instead decided to try to stop them from seeing porn.

Porn is a problem. Let’s not beat about the bush. None of us want kids watching inappropriate sexual content on the web, not even the stuff they’ve created themselves. And I would like to find practical ways to achieve this goal, which is why I’ve been along to a couple of events about safety on the internet and such like, looking for a win-win whereby our clients can use their technology to help.

The main discussion that I was interested in was led by Helen Goodman MP (the Shadow Minister for Culture, Media and Sport) and Claire Perry MP, who is the Prime Minister’s special advisor on preventing the sexualisation and commercialisation of childhood.

[From Identity and authentication technologies can make the Internet safer]

Ms. Perry, a former McKinsey consultant, attracted a certain amount of notoriety in web circles last year when she made some public statements that seemed to indicate that she didn’t completely understand how the internet worked, despite being the Prime Minister’s advisor on such things. As I said at the time, I don’t understand why government doesn’t ask people who understand how things work (e.g., me) for advice and instead seems to evolve policy by listening to PR flacks, mates in the City, management experts and political lifers who have never had a real job of any kind. But let’s put that to one side.

The British Government’s Department of Culture, Media and Sport (DCMS) is reportedly drawing up plans to force porn sites to verify the age of visitors. Since the UK has no identity infrastructure (the government scrapped the controversial identity card scheme years ago and has yet to commission a study from Consult Hyperion on the viable alternative, the National Entitlement Scheme, NES) there is no way of doing this properly, so they are casting around for proxies.

As reported by the Sunday Times, this includes bank-approved software and credit cards, which can only be issued to those 18-years-old or above.

[From Porn and weapons websites may need to verify age of those using services – Gadgets and Tech – Life and Style – The Independent]

I liked this credit card example, because it shows how little the politicians understand about identity. Forcing people to give their credit card details out willy-nilly will inevitably lead to an explosion in card fraud, since there is no way that the punter can tell whether they are looking at the real “Honourable Members” or an Eastern European rip-off created solely for the purpose of harvesting valuable personal information. The example also feeds one of my pet bugbears, which is trying to use the payment system as a policeman instead of using real policemen.

The payments systems, which will be overseen by Economic Secretary to the Treasury and MP for South Northamptonshire Andrea Leadsom, will utilise UK-approved companies such as PayPal and Visa.

[From Porn and weapons websites may need to verify age of those using services – Gadgets and Tech – Life and Style – The Independent]

Andrea Leadsom read Political Science and comes from the investment banking and hedge fund world so I imagine she is very familiar with know-your-customer legislation, multi-factor authentication and such like. However, I would like to point out that there is a crucial difference between logging in to a hedge fund account and logging in to a porn account. I want the hedge fund to know who I am, but I don’t want the porn account to know who I am. Which is not to say I want to be (or should be allowed to be) anonymous, just that there is no reason for the operators of the web site “Ministers without Portfolios” to know who I really am.

What we need is a working identity infrastructure that allows for strongly-authenticated pseudonyms

[From Identity and authentication technologies can make the Internet safer]

We have to come up with something that will work for the porn sites so that they want to implement it because it makes their lives easier. But it has to be something that will protect the privacy of individuals who are doing nothing illegal by checking out the Black Rod’s Garden Gate. Oh wait, that’s real…

Better choose another example. It has to be something that will protect the privacy of individuals who are doing nothing illegal by snapchatting their junk to attractive opposite persons of the contradictory gender (who may or may not be real).

Brooks Newmark quit as the minister for civil society after he apparently sent a picture of his genitals, taken while he was wearing paisley pyjamas, to an undercover reporter who was posing as a “Tory PR girl”.

[From Brooks Newmark Quits As MP: ‘Sexting’ Scandal Places ‘Intolerable Burden’ On Family]

Actually, my idea wouldn’t have helped the Minister in this instance, because it’s not about identifying people, it’s about protecting their identities. (That’s enough examples, Ed.)

The protection of privacy must be by a trusted intermediary. A bank, for example. Here’s a free idea for the DCMS to consider. I go to log in to “Home Secretaries in Heels” or whatever my favourite fetish site of the day is. It asks me to create an account. As part of the account creation process it asks for my bank. I tell it Barclays. At that point, I am bounced to the Barclays web site and asked to log in. I do this using my dongle (**). Once I am authenticated, Barclays generates a one-off service provider ID (maybe by hashing my account number and the DNS name of the requesting site). I am then bounced back to the porn site to continue browsing, logged in using the bank-provided pseudonym. The porn site gets a digitally-signed message from Barclays that says “this person is over 18 and known to us” together with the service provider ID. Now they have a unique identifier for me that cannot be traced back to me because it is the output of a cryptographic one-way function. What’s more, the service provider ID will be different for each site where I create an account: “Bigger Ben” cannot collude with “Dispatch Fox” to determine that I am the same person.
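
The flow described above, sketched as an added example (it is not code from the original post or from any bank). Assumptions: a keyed HMAC with a bank-held key replaces the bare hash of account number and DNS name; a second HMAC stands in for the bank's digital signature, which in a real deployment would be a public-key signature so that the site holds no secret; the keys, field names, account number and `.example` site names are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo keys; in this sketch only the bank holds the pseudonym key.
PSEUDONYM_KEY = b"constructed-demo-pseudonym-key"
SIGNING_KEY = b"constructed-demo-signing-key"  # HMAC stand-in for a signature key

def normalise_site(dns_name):
    """Canonical DNS form so 'Site-A.Example.' and 'site-a.example' match."""
    return dns_name.strip().rstrip(".").lower()

def service_provider_id(account_number, dns_name):
    """Pairwise pseudonym: stable per (customer, site), unlinkable across sites.
    Keyed HMAC rather than a bare hash: account numbers are short, so an
    unkeyed digest could be matched by enumerating them."""
    msg = f"{account_number}|{normalise_site(dns_name)}".encode()
    return hmac.new(PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()

def _tag(claim):
    """Integrity tag over the canonical JSON form of the claim."""
    body = json.dumps(claim, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()

def issue_assertion(account_number, over_18, dns_name, now):
    """Bank side: the claim carries no name, address or account number."""
    claim = {"aud": normalise_site(dns_name), "iat": int(now),
             "over_18": bool(over_18),
             "sub": service_provider_id(account_number, dns_name)}
    return {"claim": claim, "tag": _tag(claim)}

def accept_assertion(assertion, my_dns_name, now, max_age=300):
    """Site side: return the pseudonym to log in as, or None to refuse."""
    claim = assertion["claim"]
    if not hmac.compare_digest(_tag(claim), assertion["tag"]):
        return None  # altered, or not issued by the bank
    if claim["aud"] != normalise_site(my_dns_name):
        return None  # issued for another site and replayed here
    if not 0 <= now - claim["iat"] <= max_age:
        return None  # stale assertion
    return claim["sub"] if claim["over_18"] is True else None
```

Binding the assertion to the requesting site (`aud`) and to an issue time is what stops one site from replaying it at another; the per-site `sub` is what stops two sites from comparing notes.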

Now, you may think that I am being slightly flippant about this serious topic, but I am not. Taking active steps to create digital identity services that have privacy as an integral element of the customer proposition means that banks can establish a clear, responsible, customer-centric position in the emerging value network. The payment system isn’t a policeman, but banks might be privacy providers.

(*) Sincere apologies for appalling but irresistible puns throughout.

(**) The two-factor authentication device that I use to access my Barclays bank account.

 
