This post examines Part 3 of the UK’s Digital Economy Bill, which requires online pornography sites to limit children’s access to adult content. It discusses the related legal, policy and technical drivers that apply across Europe that will extend the requirement to conduct age checks beyond online pornography providers to apply more generally to online platforms that allow children access to age-rated content and services. The focus is on those online businesses that must comply with Article 8 of the General Data Protection Regulation, and the updated Audio Visual Media Services Directive.
The legal and technical enablers of the move toward age-checks becoming a routine aspect of online child protection are examined i.e. the hugely important Electronic Identification and Trust Services for Electronic Transactions in the Internal Market Regulation (eIDAS) and the related specification of eIDAS interoperability platform.
Digital Economy Bill
The Digital Economy Bill was introduced to the House of Commons and given its First Reading on 5 July 2016. Part 3 of the Digital Economy Bill addresses online pornography and requires adult content providers to conduct age checks to ensure that both R18 and 18 rated content (produced solely or principally for the purposes of sexual arousal) ‘is not normally accessible to persons under the age of 18’. The Bill also makes provisions for the Secretary of State to designate a person or persons as the age-verification regulator.
Part 3 of the Bill delivers on the Government’s pre-election manifesto pledge to restrict young children’s access to online pornography. This commitment was made in response to a growing body of research findings, which indicate that children are spending less time in front of TVs and more time viewing content on mobile devices and tablets. Therefore young children are at greater risk of exposure to age-inappropriate and harmful content.
In 2006 across 25 EU member states, only 9% of children aged six years or under, had accessed the Internet. In 2015, Ofcom reported that 28% of 3-4-year-olds and 37% of 5-11-year-olds had used a tablet to play games online. In a more recent study that explored the activities these very young children engage in online, 45% of parents reported that their pre-school child (0-5 years) had used a tablet to watch videos online, 40% had played games, and 29% had watched music videos on YouTube.
Age differences and the effect of viewing pornography
Many studies have explored the relationship between young people who are exposed to Internet pornography and an array of sexual beliefs. For example, a survey of young people (below 18 years) found that participants who were exposed to sexually explicit material were at risk of developing unrealistic attitudes about sex and were more likely to have maladaptive attitudes towards relationships.
Only a handful of studies have explored age differences in how young children and teenagers are affected by pornography. In a pan-European study conducted in 2011 findings suggested that younger children were more upset by online sexual images than teenagers. Very young children (up to 9 years old) appear to confuse sexually explicit activity with violence, as they seem unable to distinguish between unfamiliar repetitive movements and auditory stimuli that resemble pain; this may mean those stimuli may have the same effect as viewing violence on television (e.g. sleep disturbances and nightmares).
This shift in the proportion of pre-schoolers and young children accessing the Internet on mobile devices presents a very obvious challenge regarding limiting the risk of these children accidentally stumbling across violent and pornographic content online.
Adult industry is pro measures designed to reduce the risk of young children stumbling across adult content
The provisions in the Digital Economy Bill on restricting children’s access to adult content were informed, in part, by the responses to an online consultation run by the Department for Culture Media and Sport, entitled Age Verification for Pornography. Portland TV, a UK based company, strongly agreed with the introduction of a new law requiring age verification.
“…if this signals a move to establish a single framework for the regulation of all adult service providers, irrespective of content strength, delivery method, country of origin or establishment and/or whether payment is required.”
Portland TV highlighted the need for parity between UK based providers and those based abroad. MindGeek, the parent company of several major sites including PornHub, with headquarters in Canada, also supported a new law requiring age verification and a new (civil) regime. Both the major UK Internet Service Providers and mobile operators expressed a positive view on the proposal to require adult content providers to conduct age-checks.
Audio Visual Media Services Directive: Age-checks for under 18’s coming in 2017
Restricting young children’s access to harmful and age-inappropriate content online is also part of the rationale for the European Commission’s proposed updates to the Audio Visual Media Services Directive, (AVMSD), which first came into force in 2007. AVMSD governs EU-wide coordination of national legislation on all audiovisual media, both traditional TV broadcasts, and on-demand services.
In June 2016, in a press release about the updated AVMSD, the Commission announced that it intends to engage platform providers in a self-regulatory process to implement measures designed to better protect children online.
Crucially, the Commission explicitly stated its intention to encourage online platforms to use technological innovation relating to secure eID, which would also enable online platforms to both acquire verifiable parental consent (Article 8 of GDPR) and conduct age checks to limit children’s access to harmful content (AVMSD). The Commission has set a timeline for this dialogue and intends to issue sets of principles and guidance on more secure means to protect children online at the latest by 2017.
Secure eIDs and Trust Services enabling GDPR compliance
In many European countries, young people are issued, by mobile operators, banks or government, with the means to securely prove online, either that they are who they say they are. Secure eIDs enable people to engage in Internet banking, participate in e-elections, and establish their age-related eligibility to purchase, for example, student rate public transportation tickets.
Secure eIDs also enable both a child and the adult(s) with parental responsibility for that child to access a web-based home -school environment. The ability of trust services to leverage the connection between a verified adult and a child, to both secure, verifiable parental consent and conduct an age-check, on behalf of online platforms is critical to enabling compliance.
Age checks are relevant to a range of platforms, for example, e-commerce, e-health, video, messaging, and i-gaming.
The Commission’s vision for a single European market involves European countries mutually recognising each others secure eIDs. To this end, the Commission invested in the Secure idenTity acrOss boRders linKed (STORK) initiative that was instrumental to the realisation of a single European electronic identification and authentication area. STORK enabled interoperability of different approaches (bank, mobile or eID), at both national and EU level, eID for persons, eID for legal entities.
On 1 July 2016, new rules for electronic signatures and electronic trust services, (under the 2014 eIDAS Regulation), came into force in all member states of the European Union. Since it is a regulation, no implementation into the national laws will be necessary. Trust Services can use the technical specifications for the eIDAS interoperability framework (which is the product of the STORK initiative).
eIDAS Regulation extends to age-related eligibility checks conducted by trust services and as such creates a predictable regulatory environment within which businesses will be able to deploy age-checks, not just in the UK but across Europe and in other countries around the world where mobileID, bankID or eID are available.
How will businesses conduct age checks?
The assumption that conducting an age-check is always a burdensome and costly process that erodes a user’s privacy is no longer accurate. Technology and policy innovation in the identity sector, driven in part by legislation, mean that it is possible to conduct an age-related eligibility check, (is this person over 18 years? which elicits a Yes/No response). Age-checks carried out by trust services, in compliance with the provisions of the GDPR and eIDAS, are privacy preserving, affordable and scalable.
A code of practice that outlines how companies can conduct age checks stipulated in a Publicly Available Specification (PAS), 1296 Age Checking code of practice is currently being developed.
Online safety net
It is the view of the UK Government that age-checks will not only help to prevent young children stumbling on harmful and violent content but will also be a helpful addition to a raft of existing safety measures which include, for example, parental oversight, and programmes of internet safety education.
Effective enforcement methods are a critical consideration, which will also be addressed in a separate post
About the author:
Dr Rachel O’Connell, founder & CEO, TrustElevate.com a Trust Services consultancy that advises businesses on the technical, legal and policy aspects of electronic identity and related services. Rachel is the technical author of the British Standards Institution’s PAS, 1296 Age Checking Code of Practice and in 2015, she was nominated for a Future CIO award. Rachel’s PhD focused on online criminal activity and the implications for investigative strategies. She is the former Chief Security Officer of BEBO, one of the first mainstream social media platforms and frequently speaks at technology events.