A privacy disaster waiting to happen – the #DEBill on third reading
Age Verification: a privacy disaster waiting to happen
Age Verification is fraught, and likely to result in a chilling effect, where adults avoid visiting websites because of fears around the age verification technology. It is unclear that it is addressing a pressing social need; and while children do need support and education, a solution addressed at all adults is the wrong way to attempt it.
However, let us turn to the specifics.
Despite assurances that pornographic publishers will be obliged to use age verification tools that are privacy-friendly, the approach is almost certain to go wrong.
The government has chosen to leave the market to specify and provide the actual tools. They expect websites, rather than users, to choose which age checking product is used.
At this point we should remember that one website operator, MindGeek controls the majority of the UK porn market. They are also keen to implement Age Verification, according to the government. The result will be that they will choose and probably own the dominant age verification product.
While we cannot know exactly what MindGeek would do, we should remember that they will be able to shape the AV product how they like. They could allow users to opt into lots of convenient services, such as saving their porn preferences, getting recommendations, and having their credit card details ready for quick and easy payment.
So long as these services and tracking of vast numbers of UK porn users is voluntary … then there is little that could be done to challenge it.
The consequences for privacy are enormous. New risks of tracking people’s sexual preferences will be created, and possibilities of data leaks will abound. It will be the government’s decisions that created this problem, as they failed to impose sufficient safeguards upon the age verification market.
Censorship: how much blocking would you like?
Any commercial pornographic website that doesn’t offer Age Verification can be blocked under the powers in the Digital Economy Bill. This blocking is meant to be a punishment: but the result will be the censorship of legal material.
The BBFC and government have attempted to assure people privately that the numbers of blocks will be low, and based on market share.
However, the power in the Bill is not limited in this way. How much is blocked is purely a policy and financial choice. The door is open for the government to be lobbied to block vast numbers of entirely legal websites. And there are plenty of people who think this would be a wise and necessary step, including MPs.
Copyright: dangerous criminal penalties for online infringement
For whatever reason, the government resisted our suggestion to limit criminal sanctions to “criminal scale” infringements or serious risks of “criminal scale” infringement.
The result is that any intentional infringement is a criminal matter. This is very different to the offline world, where large scale organised activity is required before criminal charges can be brought.
This cannot be proportionate; and it is not sufficiently foreseeable. While minor infringements may not be brought to court, it makes it impossible to know when something might attract a criminal charge. For individuals, the risk of “copyright trolls” issuing threats, or lawyers giving clients bad advice, can only increase.
Data sharing
The data sharing part of the Bill has undergone significant changes and will leave the House of Lords in an improved state. Following pressure from several civil liberties groups and the Delegated Powers and Regulatory Reform Committee, the Government tabled and passed important amendments on codes of practice and brought forward changes that narrow down definitions of public authorities.
We welcome that the Government specified the list of persons who may disclose and receive information both for public service delivery and for debt and fraud related to the public sector on the face of the Bill. The process of specifying persons entitled to participate in data sharing will be more transparent by not leaving all of these powers up to the Minister.
The Government also amended the Bill to require a specific public authority to only access data for purposes which are in line with its functions. The Bill ties functions of a public authority and its objectives closer together and it will create a more transparent environment where public authorities will be prevented from accessing data for purposes out of scope of their functions.
The Codes of Practice were made statutory by the Lords. Both Houses of Parliament must approve the Statutory Instrument before it becomes law. We repeatedly advocated for this amendment since most of the safeguards are placed in the Codes of Practice and not on the face of the Bill. Without statutory footing, the codes would have less statutory force and safeguards in the Codes wouldn’t be enforceable.
However the Government has not at all addressed the bulk use of civil registration data and they have not changed their stance on review for all the powers in Part 5 on data sharing.
Chapter 2 provides for the sharing of civil registration for any public body’s functions without restrictions. The power is intended for bulk data sharing of the full civil register across government but this power hasn’t been sufficiently justified by the Government.
This Chapter leaves several questions without clear answers. We don’t know how these large databases will be stored and if at all encrypted. The Government said they have no intention to share the information with private companies but they did not provide a guarantee that they won’t do so in the future. We still believe this power should be removed from the Bill.
The Bill includes provisions on amending and repealing the chapters on debt and fraud after a review. The provisions will prevent Ministers from broadening these powers or removing safeguards from the Bill.
ORG would have liked to see reviews in place for all the powers under Part 5 of the Bill to increase transparency of data sharing and prevent unjustified onward disclosure of data to other public authorities.
The Bill doesn’t clearly state that relevant powers in Part 5 should be for benefit of individuals and not for punitive purposes. This could leave a wiggle room for future changes of purposes of data collection.
What is ORG going to do now?
ORG will be considering our options, including Judicial Review. These are very serious matters and nobody else will be stepping up to deal with them.
Join today
If you want to help our work, please join today. By joining you will help us beef up our legal team, led by Myles Jackman. We can only win with support from people like you.