Joseph Steinberg is a cyber security expert.
With the Labour Government committing in the Kings Speech to strengthen the Online Safety Act, new ministers will soon rule on Ofcom’s final guidance on age assurance for Internet access to adult content.
This creates an important opportunity to revisit OSA’s call for website-based age verification protocols which, history and experience suggest, not only do not work but may do more harm than good.
Instead, advances in the technology of device-based content filtering afford us the opportunity do a better job of protecting children whilst preserving privacy and not compromising our security.
The Conservative Government presented the Online Safety Act to the public as if the act were some form of panacea for addressing the challenges of protecting minors in digital spaces; even today, government spokespeople routinely insist that the act makes Britain the safest place in the world to be online.
Such claims, however, are simply false. Age verification is a case in point.
Regulators at Ofcom are in the process of producing draft guidance codes to assure compliance with the Act. But those guidelines effectively seek to make website owners do what liquor store owners do before selling liquor to youthful would-be purchasers – looking at the buyer’s ID before selling the bottle.
Cyberspace, however, bears no resemblance to the physical world in terms of verifying someone’s identity and age. While it is effective to require the presentation of an ID card to a cashier when purchasing alcohol while physically standing inside of a store, this approach does not deliver effective protection online.
IDs can easily be falsified. Age-estimation based on biometrics has a broad margin of error. The frequency of online impersonation attests to the challenge of recognizing humans online. Aggravating matters is the fact that children know how to access sites outside of the UK’s jurisdiction – whether directly on the public Internet, using a VPN, or via the Dark Web.
Website-based authentication may even be counter-productive, engendering in parents a false sense of security which may lead parents not to take advantage of the tools that are available to them to protect their children on the devices they buy for them.
The International Centre for Missing & Exploited Children recently called on governments and industry to enhance child protection through device-level age verification, rather than via website-based age-verification models, because the advocacy group found that the latter can push children to use VPNs and the dark web – terrible potential consequences of website-based models.
And these unintended consequences come with great risks to privacy. Identifying information of the sort included in Ofcom’s draft guidance, including bank information and credit card records, would provide a magnet for hackers.
Adults should have the right to browse adult content secure in their privacy both from the surveillance of their own government – much less should we facilitate criminals and foreign governments to access personal data to blackmail officials about their patterns of consumption of adult content.
Requiring everyone to establish their true identity before accessing adult content not only doesn’t protect children but may endanger them, and adults too.
If Labour truly wishes to protect Britain’s children, Ofcom and new ministers should recognize the significant problems that come with website-based age assurance. Britain attempted an age verification statute in 2017 whose enforcement was first delayed and eventually abandoned because of various associated problems.
Australia adopted a similar law, but ultimately decided not force websites to implement age verification as a result of concerns about privacy and the lack of maturity of the technology. We should learn from this experience does not repeat what has been proven a no go.
Today’s devices typically arrive with powerful parental oversight capabilities built in: features that are at once effective and easy to enable.
With proper oversight software in place, it doesn’t matter where a child who tries to access adult content is located. The chances that the content will be blocked are quite high, and, unlike the case with the current website-based age verification, children cannot easily use a VPN, ID falsification, or access to one or more of the numerous adult-oriented sites outside of the UK’s jurisdiction to circumvent the protections that the parent has enabled.
This puts control over a child’s access to the web in the hands of the parents, where it belongs. The Online Safety Act, as enforced by Ofcom, should do the same.
Joseph Steinberg is a cyber security expert.
With the Labour Government committing in the Kings Speech to strengthen the Online Safety Act, new ministers will soon rule on Ofcom’s final guidance on age assurance for Internet access to adult content.
This creates an important opportunity to revisit OSA’s call for website-based age verification protocols which, history and experience suggest, not only do not work but may do more harm than good.
Instead, advances in the technology of device-based content filtering afford us the opportunity do a better job of protecting children whilst preserving privacy and not compromising our security.
The Conservative Government presented the Online Safety Act to the public as if the act were some form of panacea for addressing the challenges of protecting minors in digital spaces; even today, government spokespeople routinely insist that the act makes Britain the safest place in the world to be online.
Such claims, however, are simply false. Age verification is a case in point.
Regulators at Ofcom are in the process of producing draft guidance codes to assure compliance with the Act. But those guidelines effectively seek to make website owners do what liquor store owners do before selling liquor to youthful would-be purchasers – looking at the buyer’s ID before selling the bottle.
Cyberspace, however, bears no resemblance to the physical world in terms of verifying someone’s identity and age. While it is effective to require the presentation of an ID card to a cashier when purchasing alcohol while physically standing inside of a store, this approach does not deliver effective protection online.
IDs can easily be falsified. Age-estimation based on biometrics has a broad margin of error. The frequency of online impersonation attests to the challenge of recognizing humans online. Aggravating matters is the fact that children know how to access sites outside of the UK’s jurisdiction – whether directly on the public Internet, using a VPN, or via the Dark Web.
Website-based authentication may even be counter-productive, engendering in parents a false sense of security which may lead parents not to take advantage of the tools that are available to them to protect their children on the devices they buy for them.
The International Centre for Missing & Exploited Children recently called on governments and industry to enhance child protection through device-level age verification, rather than via website-based age-verification models, because the advocacy group found that the latter can push children to use VPNs and the dark web – terrible potential consequences of website-based models.
And these unintended consequences come with great risks to privacy. Identifying information of the sort included in Ofcom’s draft guidance, including bank information and credit card records, would provide a magnet for hackers.
Adults should have the right to browse adult content secure in their privacy both from the surveillance of their own government – much less should we facilitate criminals and foreign governments to access personal data to blackmail officials about their patterns of consumption of adult content.
Requiring everyone to establish their true identity before accessing adult content not only doesn’t protect children but may endanger them, and adults too.
If Labour truly wishes to protect Britain’s children, Ofcom and new ministers should recognize the significant problems that come with website-based age assurance. Britain attempted an age verification statute in 2017 whose enforcement was first delayed and eventually abandoned because of various associated problems.
Australia adopted a similar law, but ultimately decided not force websites to implement age verification as a result of concerns about privacy and the lack of maturity of the technology. We should learn from this experience does not repeat what has been proven a no go.
Today’s devices typically arrive with powerful parental oversight capabilities built in: features that are at once effective and easy to enable.
With proper oversight software in place, it doesn’t matter where a child who tries to access adult content is located. The chances that the content will be blocked are quite high, and, unlike the case with the current website-based age verification, children cannot easily use a VPN, ID falsification, or access to one or more of the numerous adult-oriented sites outside of the UK’s jurisdiction to circumvent the protections that the parent has enabled.
This puts control over a child’s access to the web in the hands of the parents, where it belongs. The Online Safety Act, as enforced by Ofcom, should do the same.