Dear Sir/Madam,
I am responding to this BBFC consultation on the Digital Economy Act 2017 and the proposed Age Verification (AV) regime: –
http://www.bbfc.co.uk/about-bbfc/dea-consultation
Introduction.
Before responding to the questions posed in the consultation I want to stress four points: –
1. Opposition to AV: This regime is not a proportionate response
The proposed BBFC AV regime will do more harm than good and is not a proportionate response to what is a legitimate concern (the legitimate desire to protect young children from explicit adult material).
Backlash has sent representatives to previous meetings with the Department for Digital, Culture, Media & Sport (DCMS) and other bodies but we have yet to see any evidence of the creation of a regulatory regime that addresses our concerns. We are so concerned that we have written to the Information Commissioner (IC) asking that body to intervene and provide your office with the instructions needed to ensure a life threatening breach of data does not take place.
The Ashley Madison (AM) breach is well documented, as were the suicides that followed. It is important to also understand the scale of marital breakdown/divorce and wider emotional damage done by that data breach. This article provides some insight into the scale of harm: –
https://www.theguardian.com/technology/2016/feb/28/what-happened-after-ashley-madison-was-hacked
I am at pains to emphasise that the scale of harm that will be caused by your proposed AV regime is much greater than occurred following AM. Far more people view pornography than registered with AM. Perhaps as many as 25 million UK citizens will seek to access explicit material in the first year of operation and, over their lifetimes, perhaps two thirds of the UK population will at some point want to view such material.
The number of people being put at risk is unprecedented. The potential scale of harm is unprecedented and so the regulatory regime must be unprecedented in the strength of the protections that are put in place for UK citizens and law abiding consumers.
Healthy people enjoy a range of sexual preferences and their internet searches reflect what many consumers view as their unique desires. But it would be absolutely devastating for most viewers of explicit material if the types of material they had sought or accessed became public knowledge. Many would be distraught if their sexual desires were to be released publicly and far more people would kill themselves than happened following the AM hack.
It is important that you understand that there will be some malicious hackers who seek to gain access to confidential material to cause embarrassment or to commit fraud. But, in the age of cyberwarfare, where state actors will hack stored data to harm their opponents, it is obvious that cyberattacks will soon be attempted upon the data held on those who access explicit sites. It is entirely foreseeable that foreign operators will soon seek to hack such information simply to hurt the population at large. It won’t matter if those hurt are civil servants, MI5 staff, police officers, doctors, nurses, MPs, or those who feel they don’t care and have nothing to lose by a hack; all that will matter to an aggressor is that they cause mayhem and significant public alarm.
Under no circumstances should the IC permit BBFC to allow that to happen. It is imperative that AV providers are properly assessed regarding their data security measures and practices to ensure they comply with UK & EU data protection legislation and that the IC ensures consumers are guaranteed absolute protection.
Backlash supports efforts to protect young children from unsuitable material but this AV regime is dangerous and is disproportionate and will do nothing to stop the determined 16 year old from using the number of online tools that are available to access explicit material.
2. Financial liability of BBFC and Information Commissioner
Under Introduction (1) Para 13 you say: “The BBFC does not accept liability for any loss or damage alleged to result from reliance placed either on its published guidance or any supplementary informal guidance it may give.” See: –
I need to emphasise now that when a breach of confidential data does take place, if the BBFC’s regime is in part to blame for that breach, this organisation will explore with others the potential to seek financial compensation from BBFC for the harm that is done. The statement that you do not accept liability is designed to be misleading and misinform the public on their legal rights, and you must remove it from all future material that you publish.
3. Extreme pornography laws
This public consultation and the proposed regime are being publicised as being in connection with AV; but it is only upon closer inspection that readers will see that the regime is being used as a tool to extend the reach of CJIA 2008 to block access to extreme pornography. The public consultation process should not be misused in this way. If a public body wishes to extend the way in which CJIA 2008 is regulated and enforced, then a public consultation on that should be advertised in the proper way.
4. Infringement to the right of freedom of expression and speech
There are many negatives associated with the proposed AV regime but I wish to express concern about the wider chilling effect this will have upon freedom of expression and speech. The blocking powers of the BBFC represent derogation to the free expression right of both consumers and site operators. There will be thousands of publishers who do not generally provide sexually explicit material for financial gain but who might occasionally stray into territory that could be seen as being for purposes of arousal. Even if that is not the intention of the artist/publisher, many will conclude that they must self-censor in order to avoid the financial and administrative burden of installing an AV system.
I will add that Backlash has previously represented a number of small, ethical producers of explicit material who promote the acceptance of non-heteronormative sexualities, some of whom do so in an artistic and imaginative way. Many of these small ethical producers will feel squeezed out, further diminishing the right of UK citizens to freedom of thought and expression.
Response to the paragraphs 2 – 4 of the draft guidance document.
2.2: refers to how BBFC will “discharge the functions”. I gather that the BBFC will be given two additional members of staff to handle hundreds of millions of adult sites. If this is correct it must surely be impossible for the BBFC to handle this task in an objective, consistent and transparent manner. Surely very large numbers of omissions and errors will occur?
2.4: refers to the commercial services which the BBFC will investigate. Backlash has represented many sex workers and we are therefore concerned to establish the effect the AV regime will have upon the way sex workers advertise their services. Will independent sex workers advertising online be considered to be making pornographic material available for the purposes of the Act?
The guidance says the material has to be “produced solely or principally for the purposes of sexual arousal” but sex workers advertise to persuade clients to book services. Their primary objective is to meet clients, not to cause sexual arousal. It should also be noted that sex workers are not receiving any payment for making advertising materials available. Sex workers receive payment or benefit from providing sexual services, not from advertising service. A sex worker might place an advertisement but not get any bookings. Are they still obliged to AV?
If sex worker advertising is considered to be “making pornographic material available on a commercial basis” then this will cause immense harm. Consenting adult sex workers will be prevented from posting their own advertising, screening and vetting their own clients, and choosing what services they offer, if they are obliged to lock their adverts behind AV tools. The consequences will be that sex workers are instead obliged to go back to working for exploitative bosses or on the street because they cannot effectively advertise online. This will put them at greater risk of violence, exploitation and abuse.
I put it to you that the inclusion of sex workers within the AV regime would be disproportionate, life threatening and open to Judicial Review.
I also wish to express concern about the impact upon sex bloggers, educators and those who provide advice to sexual minorities. Backlash has bitter experience of legislation being misused to attack sexual minorities (CJIA 2008) and so we appeal to you to make your guidance clear that those who provide advice, commentate upon or seek to educate upon sexual matters will be exempt from the AV regime. It is entirely foreseeable that those who are vehemently opposed to sexual minorities will seek to use the AV regime to close down sites they disapprove of. So it is essential that those who publish material designed to educate, inform and reassure must be assured freedom from the AV regime and not be put under pressure to self-censor what are often essential services.
2.5: refers to the “priority of protection”. Our expectation is that determined, internet savvy, 16-18 year olds (above the age of consent) will ignore the AV regime and access material using Tor browsers and VPNs. It has already been put to the BBFC that this will be the case but the priority of protection paragraph makes no reference to this fact. Before proceeding with the AV regime I ask that the BBFC advise government ministers of the evidence that the desired outcome of the regime cannot be fulfilled.
I note that you have identified a number of sites that young adults most wish to access. Please state which sites they are so that we can better inform those we represent on the likely impacts of the AV regime.
I also express concern that the BBFC is straying into the area of responsibility of the Internet Watch Foundation. BBFC have no statutory authority to duplicate efforts of IWF, nor the Police, and this is an inefficient use of public resources.
2.8: notes the opportunity for the person or people concerned to make representations to the BBFC. However, these representations must then be taken into account in the decision made. The BBFC must be able to justify the recommended action based on proportionality and balance; taking into account the interests and safety of all stakeholders.
2.9: discusses the infraction of “making extreme pornographic material available on the internet to persons in the UK”. This is an offence covered by the Criminal Justice and Immigration Act (2008) and the Obscene Publications Act (1959). This is outside of the remit of age verification and suggests a further will to police sexual freedom beyond the notion of protecting young people.
2.16: Backlash has represented small independent producers of pornography who trade under a pseudonym but are self employed for tax purposes and often trade from their home addresses. We have seen instances where the media has published home addresses in order to hound minorities and so are anxious to ensure that you do not “out” publishers by displaying full names and personal home addresses.
3.1: You state that providers “must adopt effective and robust age verification arrangements” but you do not use the same strength of language when referring to the AV tools. At 3.7 you say “the BBFC recommends that age verification providers adopt good practice in the design and implementation of their solutions.” This is wholly inadequate and we call upon the BBFC to discuss with the IC’s office the standards that it would expect from operators that hold data that, if breached, would lead to loss of life.
I cannot emphasise strongly enough that the BBFC is not taking data protection seriously and has not shown an appreciation of the scale of harm that its lax guidelines represent. I call upon the BBFC to require that AV providers guarantee totally secure services that cannot be hacked. If the BBFC does not use powerful language that sets the standards required of providers then it will be complicit in the potentially catastrophic effects that follow.
3.2: lists a number of ways in which age verification can be carried out using documents. However, these documents will not be accessible for everyone, whether this is due to financial difficulties, disability or citizenship. A method of making sure age verification can be achieved by any eligible party regardless of these is necessary to prevent people from being shut out from material they wish to access and further perpetuating social and sexual inequalities.
3.4: encourages “the use of mechanisms which confirm age but not identity”, which is contrary to the methods listed in 3.2, all of which can be tied to a person’s personal information. The BBFC must explain clearly what its intentions and standards are.
I must also express concern regarding the company MindGeek and its AgeID product. Very many consumers will use this product due to the popularity of the tube sites MindGeek hosts. MindGeek’s main source of revenue is advertising, and therefore such a company would have significant interest in storing and using individual user data for profit. Given that this company is based abroad and will attract very significant UK traffic, I ask that the BBFC explains what checks it has already undertaken to ensure that the company will comply with the AV regime proposed? UK consumers have every right to expect the BBFC to have conducted thorough research before implementing the new regime.
3.7: acknowledges that AV providers should “provide ease of use for end users”. Given that the enjoyment of a healthy sex life, including accessing explicit adult material, is a lawful activity and one that government has not set out to ban, “ease of use” is what the BBFC should ensure without jeopardising data security. But it is surely unrealistic and unworkable to expect users to age-verify on each visit, which might be several times in one day. The alternative that users will be forced to use will be websites that maintain databases of age verified users, permitting them to login using a password or personal ID number, which creates a real risk of this very personal sensitive data being leaked or hacked. The retention of this data creates a conflation of identifying details such as username and password, with information about what pornography sites and which specialist areas of those sites users have visited. The BBFC is creating this new risk while taking no responsibility for keeping user data safe.
3.7 and 3.8 use the word “recommends”. This makes both of these clauses non-binding and cannot guarantee protection for AV users. This is a recurring theme throughout the document and is a source of grave concern. There is no obligation for AV providers to ensure any greater level of protection to their users than that specified within the General Data Protection Regulations, which are wholly inadequate for such a sensitive, personal and private matter such as one’s sexuality.
3.9: fails to include the necessity to ensure adequate protection against breaches of privacy. I have referred to the Ashley Madison (AM) incident above, which led to multiple suicides, and the BBFC must not allow this scale of harm to be repeated. It is imperative that AV providers are assessed regarding their data security measures and practices to avoid future leaks or hacks.
3.10: is an inadequate response to the scale of the threat. It is not sufficient to refer non-compliant providers to the IC after failures have been discovered. The BBFC should devise a robust regime that protects users from the outset, not respond to catastrophic failures after the event.
4.3: says that “Age verification services and online pornography providers should have regard to the ICO’s guidance on data protection and specifically data minimisation, security and data protection by design and default.” This language is not sufficiently robust and needs to be mandatory.
4.4: is a wish list that does not do enough to set the absolute standards that AV providers must adhere to. It is entirely foreseeable that during an AV process a number of sites will use a tick box system to both provide AV and seek permission to provide other services. Many sites will have clauses that permit them to change their terms after an initial authority has been given. The vast majority of users are not sufficiently aware of the risks they face and I put it to the BBFC that you must not compound those risks and you must not enable disreputable firms, often based abroad, to exploit large numbers of UK users.
4.5: refers to GDPR, stating that “have a general obligation to implement technical and organisational measures to show that they have considered and integrated data protection into their processing activities”. Again this woefully inadequate language reflects a lack of understanding of the scale of the threat to life associated with data breaches that will occur with the AV regime as currently designed. It is absolutely essential that the BBFC takes responsibility for ensuring the safety and security of AV providers. Leaving this to chance is a dereliction of duty and a breach of your duty of care.
If the BBFC’s failure to set the required standards is due to poor guidance from the IC or if it is due to a poor appreciation of the scale of the risks by government ministers then the BBFC has a duty to explain that now. If a regulatory regime has been designed that has inherent flaws, whereby the BBFC cannot do anything about the safety of the AV platforms, then it has a duty to ensure everyone knows that now. It is not enough to warn government ministers that serious breaches of data will occur. It is essential that the BBFC is honest with the public and ensures that both the public and the media are informed that the systems are unworkable, insecure and data breaches are guaranteed to occur. You have a duty of care to ensure the public understands the scale of risk people will be taking under your AV regime.
Response to the paragraphs 1 – 4 of the draft guidance document.
The comments I have made on the first paper are equally relevant to this paper and I will make these additional comments.
1.11: refers to occasional research to check the effectiveness of the AV regime. I call upon the BBFC to undertake thorough research before initiating the regime and to guarantee that it will report once every three months on the effectiveness of the AV products. A robust research and reporting system is essential because it is very likely that serious data breaches will occur which will have huge adverse implications for large numbers of people.
2.2: says that the BBFC will act in an “objective, consistent and transparent manner”. The test of that will be how the BBFC now responds to my comments above on the draft guidance relating to the age verification arrangements.
Yours faithfully,
Jon Fuller
Chair: Backlash