The Gist: Age Verification is an Epic fail

It will be no surprise to long-time Gist readers to hear that Ireland's clueless regulator of the Internet, Coimisiún na Meán, has some bad ideas. This is, after all, the body who suggested that an ideal policy outcome was for children to send live selfies of themselves to porn sites.

In fact, as it is relevant to the plan intended to roll into action in a fortnight, let's review the CnaM's stated plans to bring in an age verification gate for all video sharing platforms.

(which is to say, almost¹ all social media in a video-first media world):

“Uploading documents and or a live selfie is one example” (source: CnaM website)

“A requirement for a person to show their passport and then a selfie to verify they are the person on the passport” (source: Irish Examiner)

“A live selfie each time you want to access it and they use biometrics to check”. (source: Irish Examiner)

And, as always, I return to Dr. Karlin Lillington of the Irish Times description of these proposals to aid us in assessing them;

 “all absolutely mega-scale bonkers”

Britain: The Gift That Keeps Giving

It is one of the consequences of Brexit that if your country is considering some manifestly insane policy- I mean, something really really "mega-scale bonkers"- there is a greater than even chance that Britain will have done it already, with extra administrative zeal.

And so it is with the idea of Age Verification for social media.

The UK's equivalent of CnaM, Ofcom, is proud to report that its Age Verification enforcement system is coming online at the same time as ours. But, unlike the CnaM, it has built a load of tools and documentation to promote its mad idea. Whereas our regulatory body simply shouted out the window to the street below that it wants to see some square circles delivered in a fortnight, Ofcom set deadlines, built questionnaires, launched a full enforcement programme and has overseen the roll-out of those age verification systems.

As an aside, one of my favourite parts of the UK's laws is that there are exemptions if you are a UK education or childcare provider (who also permits porn on your website.) Surely an invitation for the creation of a chain of PornHub x Creche and Childcare Services collabs.

Bluesky's Epic Fail

This week saw the introduction of Bluesky's Age Verification requirements in the UK, in response to these Ofcom requirements. These will presumably mirror how they deal with these demands in the EU when Ireland's rules lackadaisically come into force too. So we get a peep into our near future. Spoiler: Not Good.

Instead of building their own Age Verification scheme, Bluesky decided to use one called Kids Web Services. This is a system bought by Epic Games (you know, the people who do Fortnite) and then made available for free to any developer to integrate with their service. Who doesn't love a free compliance tool?

Now, I live in a house with three children, so while I have never managed to learn how to do the Floss myself, I was, at least, familiar with Epic Games in their Fortnite aspect. But I hadn't encountered their Age Verification entity before. Possibly because they launched it with talk about the Metaverse and I may therefore have just zoned out while it happened.

But reading the Bluesky statement, I found myself suddenly interested in the Kids Web Services Privacy Policy. Especially when I found out that Kids Web Services has its EU representation office in Haddington Road, Dublin.

Yep, we've been left minding the shop again.

To access Bluesky (and whatever other entities take this free route to ticking the age verification compliance box) we will have to agree to Epic Games's system getting the following data:

• Your email address
• a unique ID number

some, "but never all", of the following information:

• your name, date of birth, mailing address, credit or debit card information, a personal identity number (such as a CPF number in Brazil, a CURP number in Mexico, certain digits of a RRN number or i-PIN in the Republic of Korea, and certain digits of a US social security number in the US), a cell phone number, an identity document or face scan." (uh...emphasis added)
• "we automatically collect information about your devices (computers, phones, tablets etc.) and your use of and interactions with KWS, including in order to identify your country and language"
• Device information, which includes "data about the operating systems and hardware and software versions, device identifiers, internet protocol (IP) address, login data, browser type and version, time zone setting, country and language, browser plug-in types and versions"
• Usage information, which includes site navigation... the actions you take, the time, frequency and duration of your activities (UH....emphasis absolutely added)
• your child’s age or date of birth.
• your child’s country (and in the US, State) and language.

Ok, so, you know, wow.

That is a lot of personal data, including face scans, postal addresses, mobile phone numbers and so on. But at least we can be sure, can't we, that it's not going to be used for anything other than Age Verification? I mean, we haven't accidentally issued a legal mandate for a huge commercially invaluable data honeypot on everyone's browsing and web activity history linked to their government ID, have we?

Epic Games, the people who brought us the most profitable microtransactions site aimed at children in the world, would never try to use this huge pool of data for their own commercial purposes, right?

Oh no.

Bluesky don't even have control over Epic. The Kids Web Services company isn't a Data Processor for Bluesky as Data Controller (which would let Bluesky dictate how its users' data can be used). The Privacy Policy is quite clear that "The legal entity responsible for the information that we collect through KWS is Kids Web Services Ltd (we / us). Kids Web Services Ltd belongs to the Epic Games family of companies"

In legal GDPR terms, they are Joint Controllers. Look, I even found the Joint Controller Agreement that sets it out. Epic even explicitly set out how all of the data they collect will be treated as an asset of the business;

"If we are involved in a merger, acquisition, or sale of assets, we may share your personal information with the acquiring or receiving entity. The categories of information we disclose and our legal basis for doing so depends on the circumstances, but would include our legitimate interest in operating, selling and expanding our business"

So, yeah, we've legislated for an exciting new kind of surveillance capitalism. As always, if a service on the web is being offered for free, it just means that you (in this case the adult wishing to participate in social media) are not the customer.

You are the product.

Square Circles are hard to draw

Both the CnaM in Ireland and Ofcom in the UK were tasked with performing an impossible task. They had to introduce mass surveillance of adults' interpersonal conversations with other adults by means of social media, while also, at the same time, protecting their Data Protection and Privacy rights.

As you can see above, if it can be done, it hasn't been done yet.

When Karlin Lillington wrote about this plan, she pointed out that the Age Verification bar would be at platform level, not at the level of individual pieces of content. So a person who just wanted to watch cat videos but not lose access to the full platform they were on would still have to surrender their browsing anonymity.

In response, the CnaM issued a furious statement;

"She accuses us of proposing to create a porn user register and repeats baseless online claims that people would have to upload their identity documents and facial scans, ... She even suggests that this could be required when people only want to view cat videos.

She rightly says that such a proposal would be bonkers. We agree. Which is why we have neither considered it nor proposed it."

This 'bonkers' outcome is, as we can see above, exactly what has now happened.

I believe CnaM when they say they never considered the consequences of their actions.

But it is a pity that they were so wrapped in institutional arrogance that they didn't consider that other people, with more experience of how the internet actually worked, might know better.

¹ You see, in all of this co-ordinated push to introduce age-verification, the unspoken winner is Meta. That's because they are the shopping centre to other platform's city streets.

While they recently announced they were specifically permitting hate speech against certain vulnerable groups, they won't allow anything sexual on their platforms. Scream trans people shouldn't exist all you like on Facebook, Instagram or Threads. They're fine with it, just as long as you keep fully covered while doing it.

These laws therefore create costs for their competitors, while leaving them with nothing extra to do. It is a classic regulatory moat.