Your Daily Broadsheet

Italy will begin enforcing a new, experimental directive from the countries internet censor requiring all phone providers to install a default filter for all adult content, on SIM cards registered to minors.

The directive from the Italian Communications Regulatory Authority (AGCOM) was approved in January and published on Feb. 21, allowing telecom companies nine months for full implementation.

AGCOM Commissioner Massimiliano Capitanio told Italian media that the measure is a testing ground to verify the real desire of adults to take an active part in the digital education of their children.

Adult content categorized for filtering includes all websites for an adult audience, showing full or partial nudity in a pornographic sexual context, sexual accessories, sexually oriented activities, and sites that support the online purchase of such goods and services.

Besides adult content, other material designated for filtering includes sites related to gambling, weapons sales, violence, self-injury or suicide; sites that display scenes of gratuitous, sustained or brutal violence; and sites promoting hatred or intolerance toward any individual or group, or promoting practices that can damage health, like anorexia or bulimia, or the use of drugs, alcohol or tobacco.

Another blocked category is sites that provide tools and methods to make online activity untraceable, including VPNs.

On 14th November, Members of the European Parliament's Civil Liberties committee voted against attempts from EU Home Affairs officials to roll out mass scanning of private and encrypted messages across Europe. It was a clear-cut vote, with a significant majority of MEPs supporting the proposed position.

A political deal struck by the Parliament's seven political groups at the end of October meant that this outcome was expected. Nevertheless, this is an important and welcome milestone, as Parliamentarians demand that EU laws are based in objective evidence, scientific reality and with respect for human rights law.

This vote signals major improvements compared to the Commission's original draft law (coined Chat Control'), which has courted controversy. The process around the legislation has faced allegations of conflicts of interest and illegal advert micro-targeting, and rulings of "maladministration". The proposal has also been widely criticised for failing to meet EU requirements of proportionality -- with lawyers for the EU member states making the unprecedented critique that the proposal likely violates the essence of the right to privacy.

In particular, the vote shows the strong political will of the Parliament to remove the most dangerous parts of this law -- mass scanning, undermining digital security and mandating widespread age verification. Parliamentarians have recognised that no matter how important the aim of a law, it must be pursued using only lawful and legitimate measures.

At the same time, there are parts of their position which still concern us, and which would need to be addressed if any final law were to be acceptable from a digital rights point of view. Coupled with mass surveillance plans from the Council of member states and attempts from the Commission to manipulate the process, we remain sceptical about the chances of a good final outcome.

Civil liberties MEPs also voted for this position to become the official position of the European Parliament. On 20 th November, the rest of the house will be notified about the intention to permit negotiators to move forward without an additional vote. Only after that point will the position voted on today be confirmed as the European Parliament's mandate for the CSA Regulation.

Mass scanning (detection orders)

The European Parliament's position firmly rejects the premise that in order to search for child sexual abuse material (CSAM), all people's messages may be scanned (Articles 7-11). Instead, MEPs require that specific suspicion must be required -- a similar principle to warrants. This is a vital change which would resolve one of the most notorious parts of the law. The position also introduces judicial oversight of hash lists (Article 44.3), which we welcome. However, it unfortunately does not distinguish between basic hashing (which is generally seen as more robust) and perceptual hashing (which is less reliable).

At the same time, the wording also needs improvement to ensure legal certainty. The Parliament position rightly confirms that scanning must be "targeted and specified and limited to individual users, [or] a specific group of users" (Article 7.1). This means that there must be "reasonable grounds of suspicion a link [...] with child sexual abuse material" (Articles 7.1. and 7.2.(a)). However, despite attempts in Recital (21) to interpret the "specific group of users" narrowly, we are concerned that the phrasing "as subscribers to a specific channel of communications"(Article 7.1.) is too broad and too open to interpretation. he concept of "an indirect link" is also ambiguous in the context of private messages, and should be deleted or clarified.

The Parliament's position deletes solicitation (grooming) detection from the scope of detection orders, recognising the unreliability of such tools. However, the fact that solicitation remains in the scope of risk assessment (Articles 3 and 4) still poses a risk of incentivising overly-restrictive measures.

End-to-end encryption

The European Parliament's position states that end-to-end encrypted private message services -- like WhatsApp, Signal or ProtonMail -- are not subject to scanning technologies (Articles 7.1 and 10.3). This is a strong and clear protection to stop encrypted message services from being weakened in a way that could harm everyone that relies on them -- a key demand of civil society and technologists.

Several other provisions throughout the text, such as a horizontal protection of encrypted services (Article 1.3a and Recital 9a), give further confirmation of the Parliament's will to protect one of the only ways we all have to keep our digital information safe.

There is a potential (likely unintended) loophole in the Parliament's position on end-to-end encryption, however, which must be addressed in future negotiations. This is the fact that whilst encrypted 'interpersonal communications services (private messages) are protected, there is not an explicit protecting for other kinds of encrypted services ('hosting services').

It would therefore be important to amend Article 1.3a. to ensure that hosting providers, such as of personal cloud backups, cannot be required to circumvent the security and confidentiality of their services with methods that are designed to access encrypted information, and that Article 7.1. is amended so that it is not limited to interpersonal communications.

Age verification & other risk mitigation measures

The European Parliament's position is mixed when it comes to age verification and other risk mitigation measures. EDRi has been clear that mandatory age verification at EU level would be very risky -- and we are glad to see that these concerns have been acted upon. The European Parliament's position protects people's anonymity online by removing mandatory age verification for private message services and app stores, and adds a series of strong safeguards for its optional use (Article 4.3.a.(a)-(k)). This is a positive and important set of measures.

On the other hand, we are disappointed that the Parliament's position makes age verification mandatory for porn platforms (Article 4a.) -- a step that is not coherent with the overall intention of the law. What's more, the cumulative nature of the risk mitigation measures for services directly targeting children in the Parliament's position (Article 4.1.(aa)) need further attention.

This is because there is no exception given for cases where the measures might not be right for a particular service, and could instead risk platforms or services deciding to exclude young people from their services to avoid these requirements.

We recommend that there should not be mandatory age verification for porn platforms, and that risk mitigation measures should oblige providers to achieve a specific outcome, rather than creating overly-detailed (and sometimes misguided) service design requirements. We also warn that the overall CSA Regulation framework should not incentivise the use of age verification tools.

Voluntary scanning

The European Parliament's position does not include a permanent voluntary scanning regime, despite some MEPs calling for such an addition. This is an important legal point: if co-legislators agree that targeted scanning measures are a necessary and proportionate limitation on people's fundamental human rights, then they cannot leave such measures to the discretion of private entities. The Parliament's position does -- however, extend the currently-in-force interim derogation by nine months (Article 88.2).

US Senator Mike Lee, R-UT, has reintroduced a bill in the U.S. Senate that would make it federal law for all adult websites to verify their users' ages.

The bizarrely titled Shielding Children's Retinas from Egregious Exposure on the Net (SCREEN) Act would require all pornography and adult entertainment websites with users in the United States to deploy reasonable age verification methods from third-party providers.

Supporters of the bill include software company Envoc, which provides ID verification software and anti-porn groups, such as the National Center on Sexual Exploitation, National Decency Coalition, Enough Is Enough, and Culture Reframed.

House Representative Mary Miller, R-Ill., introduced a companion bill in the House of Representatives.

The SCREEN Act requires the Federal Trade Commission (FTC) enforce elements of the bill that would require a porn site, like Pornhub, xHamster, and Xvideos, to verify ages. FTC is also required to conduct regular audits of the parent companies affected by the act to ensure compliance and to promulgate rules based on the statutes of the bill if it were to become law.

The SCREEN Act competes with the Kids Online Safety Act (KOSA). This requires an expansive overhaul of trust and safety protocols for web platforms. If adopted into law, KOSA would require Congress to coordinate with the executive branch, namely the U.S. Department of Health and Human Services, to review the benefits and shortcomings of nationwide age verification requirements for websites.

German authorities have introduced a proposal to block adult websites deemed to have inadequate age verification systems, and also to prohibit financial institutions from providing payment services to those sites.

Germany's Broadcasting Commission of the Federal States released its draft proposal to reform the State Youth Media Treaty (JMStV).

The proposal is now open for consultation until Dec. 7.

The new proposal would allow the media regulator to turn off the money supply to targeted adult sites, explained NetzPolitik reporter Sebastian Meineck, who has been covering German efforts to censor the internet. Meineck told XBIZ that there is a regulation in German media law concerning online gambling, which has a similar structure to the JMStV and includes a similar authorization to prohibit payment transactions in objectionable cases.

The proposal also simplifies the process for the state to order network blocks. The media regulator, Meineck wrote, is already allowed to issue network blocks for porn sites that resist the mandatory age controls. A network block means that Internet providers such as Vodafone, 1&1 or Telekom must prevent customers from accessing a website as usual. In order to achieve such a block, the supervisory authority currently has to carry out time-consuming administrative procedures, some of which are ineffective.

The proposed change would make it easier for the government to more easily target mirror websites that host content similar or identical to sites that have already been ordered blocked, without another complex procedure, as the draft comments clarify.

Alabama lawmakers have proposed a bill for the upcoming legislative session that would block pornographic sites from anyone under 18 years old.

Representative Ben Robbins plans to sponsor a bill that will require someone to verify their age using a photo ID in order to access sites that offer pornographic material.

His bill will aslo require companies to register with the state as adult content distributors. It will also create additional state taxes for items sold on pornographic websites, and tax memberships Alabamians purchase through a site. The money will be allocated for mental health services in the state.

Lastly, the bill will require distributors to have written consent from people who are posted on the site.

Ofcom is threatening to block a suicide website linked to 50 UK deaths after it said it would refuse to abide by new online censorship laws.

The website, Sanctioned Suicide is described by wiki as an internet forum known for its open discussion and encouragement of suicide and suicide methods. The forum was created in 2018 after the subreddit r/SanctionedSuicide was banned by Reddit. As of September 2022, the forum has over 25,000 members, receiving nearly 10 million page views that same month.

The BBC have been investigating the forum and reported:

We have discovered that at least six coroners have written to government departments demanding action to shut the forum down. Collating inquest reports, press articles and posts on the forum itself, we have identified at least 50 UK victims. We have learned that at least five police forces are aware of the forum, and have investigated deaths linked to it, but have been unable to take action.

The Online 'Safety' Bill, passed by Parliament last month, is due to get royal assent this week, investing Ofcom with immediate powers to take action against errant social media firms. Ofcom is due to set out its legally-enforced code of practice for firms to combat illegal harms including promoting suicide next month.

An Ofcom spokesman said:

Sites that failed to prevent users coming across such illegal material would face fines of up to 10% of their global turnover and bosses who persistently ignored warnings and requests for information could face up to two years in jail .

Operators of the site could also face up to 14 years in jail under laws against encouraging or assisting suicide including through online platforms. Because there are victims in the UK, the company bosses could be prosecuted in the UK and brought to the UK to face trial through an extradition request to the US.

Ofcom will also have powers to take out court orders that would enable it to prevent the company from gaining any access to UK users. ISPs would be then required by laws to block access to a service in the UK.

It could also order platforms hosting the site to no longer do so and require search engines and social networks to deny it any presence when users look for it.

We expect tech companies to be fully prepared to comply with their new duties when the time comes. It's a serious concern if companies say they are going to ignore the law. If services don't comply, we'll have a broad range of enforcement powers at our disposal to ensure they're held fully accountable for the safety of their users.

The forum responded to UK criticism from the BBC and Ofcom by displaying the front page message:

Hello Guest,

We will not be following or complying with the Online Safety Bill that was recently signed into law in the UK. This bill will not affect the operations of the site, nor do we have a presence in the UK to receive notice or fines that the UK Government may impose.

We would highly recommend that all users from the UK get some sort of VPN, and you should petition your lawmakers to let them know how you feel about this piece of draconian legislation.

 

Update: Blocked by Sky

31st October 2023. See article from bbc.co.uk

Sky's ISP has added the Sanctioned Suicide website to its voluntary blocking list. It is not clear what level of blocking and what blocking category the website falls into.

Sky vaguely says the forum will automatically be barred if home users are using its standard filters. The company said it had moved as quickly as possible and blocked the online forum with immediate effect.

A second ISP, TalkTalk, said the webssite had now been added to its list of inappropriate content and could also be blocked by users. TalkTalk told the BBC the site would now be blocked for any customer with its HomeSafe safety filter activated. It said it was unable to automatically block the site.

 

 Update: Self blocked

11th November 2023. See article from bbc.co.uk

A pro-suicide forum has decided to block itself from users in the UK following pressure from the British internet censor, Ofcom.

The Sanctioned Suicide forum was previously available online without any restrictions. But now the forum can now only be viewed by UK users already signed up as members.

Anyone visiting the site is now met with a banner saying content that violates the UK's new Online Safety Act will not be viewable to the British public.

It is unclear whether new users from the UK can still apply for membership. Existing members in the UK do still have access.

It will be interesting to see how many sites respond to British internet censorship by blocking themselves to British users.