Friday, 11 May 2012

Online Safety Bill (1st draft) Review

There is a new bill out there, ready to be discussed and debated by Parliament, called the Online Safety Bill. This is the bill, that has received a lot of pre-release attention with news reports in the past few weeks, that Tory MP Clare Perry has been pushing for to change how ISPs operate...to "filter" out adult material as standard unless requested by the bill-payer.

There are a few things I want to make sure are absolutely clear before I go in to the detail of the Bill.

1) This bill is fundamentally flawed before it even begins as it presumes that by ISPs "filtering" out adult material, such as pornography, that it won't be able to be viewed by children. This is dangerously wrong, if it leads parents to believe that their kids are suddenly safe to roam the net without guidance then it is making the internet less, not more, safe. This is without even going in to the easy to find ways to circumnavigate ISP blocks on adult material.

2) This bill has not come about out of some altruistic and evidence based concern for the kids. It is a bill made by an MP who is presenting the findings of a report that is funded and pushed by Christian groups that aim to censor the web, not only from porn but from violence, bad language, and all the other nonsense that was present in the "video nasties" censorship culture of the 80s.

3) Absent from the debate so far, but hopefully will be interjected by those in the Lords and the Commons, is the issue of parental responsibility on this subject, with the assumption being that the state must intervene in order to "protect children". This is a terribly illiberal stance to take, and is the main reason I'm opposed to it.

So, on to the bill...

1 Duty to provide a service that excludes pornographic images

This section says that ISPs and Phone Networks will be legally mandated to ensure pornographic imagery is blocked, unless someone requests to be able to see pornographic images, and is verifiably aged 18+.

This is the meat of the bill. It doesn't tell ISPs how they should block content, only that they must legally provide a service that is 100% free of pornographic images outside of an age verified opt-in by the subscriber to the ISP.

From the get go this law is unworkable, as it is simply impossible for an ISP to be able to ensure that someone connected to the internet through their service won't be able to see porn without opting in. TOR networks, I2P...this is just scratching the surface on possible ways that people will be able to view porn through their ISP's connection without the ISP being able to do a thing about it.

As soon as the law comes in to effect, every ISP will be breaking the law simply by operating their service.

Taking the above issue aside, assuming that legislators will realise that it needs to create a caveat, what about the technical issues with such a law being adhered to in good faith by ISPs?

There is the issue of whether it is technologically possible to simply ban pornographic imagery. The bill only targets the images, yet images have no meta-data. Perhaps, if the ISP is lucky, the image may have content in it's name that is identifiable as pornographic in nature...but then this would block images that are not pornographic but have problem keywords in their name.

We have to, then, extrapolate this out. Since ISPs won't have the detail to be able to ban just the pronographic images, they'll be banning connections to domains that contain text and content that suggests imagery on the page is pornographic. It'll catch pornographic sites, sure, but it'll also catch Wikipedia, newspaper websites that report on pornography (such as this law), and other informational sites that don't actually contain pornographic imagery at all.

Sure, ISPs might in theory be able to be smarter with their filtering, excluding known sites like Wikipedia or the Daily Mail..however in practice they would not be able to, since to do so would open the possibility that a pornographic image is shown, even if it is for the purpose of commentary, debate or illustration.

The best ISPs will be able to hope for is page level detection of content on a case by case basis...as users browse sites the content of the page they visit will be intercepted, searched, and flagged as 'clean' or 'pornographic' on the basis of keywords in the page and the presence of images.

Yet even that last part, detecting presence of images within the code of the page, is unlikely to be a criteria since javascript insertion of images in to pages after their initial load would circumnavigate such checks.

Are we seriously going to ask ISPs to monitor our traffic usage in real time, to filter content (by blocking it's appearance) through this monitoring by running user-interaction scenarios to ensure that no content will be loaded in through secondary action? Does the government have any idea about how much this would cost to implement and run, and the effect it would have on the speed of our web browsing?

MPs and Lords may think that this is as simple as turning the Opt-Out system in to an Opt-In system, but they'd be wrong. My understanding is that right now an Opt-Out system is not required to filter all pornographic images, and is instead a filtering of known adult content on the web. Changing this to comply with a law that ensures web browsing "excludes pornographic images" is a whole different beast

2 Duty to provide a means of filtering online content

This section says that anything that can connect to the internet and receive data must have some kind of filtering element or software that can be used, at the point of purchase.

On we go to "ridiculous law" part 2, whereby MPs and Lords show how little they know about technology.

Thankfully not a law that also means the default for such filtering is "on", its still a ridiculous law. They talk about "electronic devices", defined by themselves as something that can connect to the internet and download something.

Modern TVs connects to the internet and downloads data...it will now need filtering software. Modern MP3 players, even without any graphical interface, can connect to the internet and download data...they will need "filtering software".

Right now you can buy internet connected coffee machines, fridges and garage doors. All of these "devices" would, by law, be required to have filtering technology built in to them.

Can you see how ridiculously vague this law is, and how many facets of modern manufacturing it will affect? The world is moving in to one where we have to increase the number of IP addresses (unique identifiers of a devices location on the internet) because of the sharp increase in internet connected devices that we will use in our homes, from TVs and Games Consoles, to lights and doors.

Once again there is little definition or structure here, while the implication is that the filtering would be for webpage traffic, the wording doesn't limit that. It would be easy to say that these devices would need filtering technology for any part that displays web-based content, sensible even since this part law isn't about stopping pornography from being able to be seen (section 1 does that), it's about limiting what individual devices can use that they download even if the ISP block is turned off (while on the move, for example, connecting to WiFi).

Yet this is why the section here shouldn't be here. If a parent is looking to view pornography, but set their kid's device to filter content, on a parental lock for example, then the reality is that the child will have every opportunity and ability to simply reset the phone to it's defaults and get around their parent's control.

But that's not all! The legislation talks about "point of purchase". This may well mean, for some, that manufacturers have to bundle in software to the box, if not in to the device, that allows for this filtering. But what of all the devices already out there? Does a firmware update that is up to the user to carry out constitute provision of a way to filter content?

What about devices that can't be updated in this way, via the internet (pre-filtered internet at that)? Does the manufacturer need to recall their devices so they can manually include the filtering provisions in the box or on the device? What about devices sold second hand? Should someone receive a 5 year old Nokia (for example) phone they bought of EBay, can they bring legal action against Nokia because the phone did not contain a way to filter the internet at that particular point of purchase?

It's insulting to the market that such an overarching and vague law would be placed here, with many manufacturers of devices and software doing everything that they can to provide parents with the tools to help, however futilely, to control what their children see on the web. If parents aren't happy with a company's products on an "online-safety" point of view, then there are other products out there that will make them happy.

Why we need legislation here is beyond me.

3 Duty to provide information about online safety

This section says that, despite already being legally mandated to block porn, ISPs must have some kind of online safety guidance that they can provide to customers.

ISPs will have to have a page on their website that says something, that hasn't been defined, about online safety. Whoop.

4 Reports

This section says that OFCOM will be responsible for reviewing how the law is being adhered to.

The government has been trying in various laws to make OFCOM responsible for regulation of the internet, and this bill is no different. OFCOM will have responsibility to assess how this law is going, the principle reason (given it's 3 year cycle of requirement to produce reports) likely to be to flag up changes in technology that need amendments making to this bill.

The final administrative bits of the bill states that the law would come in to effect 6 months after it's passing, a grace period for those affected to get their services and products compliant.

Conclusion:

Here we have a law that aims to make it damn hard for your kids to stumble upon a reference to porn on your internet-enabled toaster.

This bill is ridiculous, it puts unrealistic expectations on ISPs and product manufacturers, ignores the gaping holes in the ability for both to adhere to the law even if they do everything physically possible to try to comply. It is a placebo to the issue of child safety online, one that will only help lazy parents get even lazier about helping their kids understand how the web works.

As I said in point 2, this is the internet's "Video Nasties" moment, and so it's important that these first stages towards regulation of the web are opposed. This isn't the same issue as TV or video games, the internet is a virtual equivalent of walking out your front door and strolling around the city...it's time we treated it with the same realistic thinking and respect, and not as another medium for the state to filter and control.