The Gist: Coimisiún na Meán is Big Mad

Once upon a time, state bodies did not issue rambling statements radiating J Jonah Jameson-shout-dictating-while-pacing energy, describing their own plans as a 'porn user register'.

That time was before last Friday, when Coimisiún na Meán decided to write a letter to the Editor of the Irish Times, and then (when it wasn't actually published on the Letters page) to publish it on its own site. An action which, now it has happened, we can take as being Perfectly Normal for an Internet Regulator. Which marks a change from before Friday, when it was typically the action of Internet Cranks.

So much has changed since Friday, you guys.

The prompt for this desk thumping and cigar chomping was that Dr. Karlin Lillington, technology columnist for the Irish Times, had picked up on some of the criticism from our last Gist and built them out into concern about the capacity of the new Irish regulator of internet content for much of the EU.

She echoed some of my concerns, arising from the Executive Chairman Mr. Jeremy Godfrey's interview with the Irish Examiner.

Here's what Mr. Godfrey originally told the Examiner: (emphasis added)

"Mr Godfrey said his office will not be “absolutely prescriptive” on how the age verification should work, a requirement for a person to show their passport and then a selfie to verify they are the person on the passport could be described as a “gold standard” of verifying a person’s age.

“We care much more about the effectiveness than how it’s achieved,” he said. “There are other ways people could consider like you just have a live selfie each time you want to access it and they use biometrics to check. "

Dr. Lillington was not impressed by the inevitable consequences of these ideas;

"On the bad side – oh, so woefully bad – is the suggestion from the commission’s executive chairman, Jeremy Godfrey, that the State build a porn user register, based on people submitting passport details and uploading facial scans. The idea is to verify ages and identity to protect children from the harm of accessing such sites. But this utter nonsense would create greater harm and risk."

And, to aid in reader understanding she helpfully summarised the plan

"It’s all absolutely, mega-scale bonkers."

The Commission was stung by a respected expert columnist suggesting that its half-baked proposals might indicated that CnaM was not a body ready for prime time, let alone to make incredibly complex decisions on behalf of most of Europe about what may or may not be done on the internet. So they came out swinging.

"She accuses us of proposing to create a porn user register and repeats baseless online claims^[1] that people would have to upload their identity documents and facial scans, with porn sites retaining this information for six years. She even suggests that this could be required when people only want to view cat videos.

She rightly says that such a proposal would be bonkers. We agree."

Just make the circles square

Friday's statement goes on to clarify what is being proposed instead of the uploading of IDs by adults and children alike, together with live selfies. No, no, no they said "we have neither considered it nor proposed it." Leave aside the fact that it clearly is what their executive chair told the Irish Examiner. Now is the time for them to set the record straight. They want tech companies to implement ID systems, yes and

Uploading documents and/or a live selfie is one such technique

Their objection seems to boil down to the (accurate) description of the consequences of this proposal as a distributed "porn user register". What matters to Ireland's internet regulator for the EU is not the material outcomes of their proposals, but the good intentions they have in proposing those outcomes.

They finish by once again attempting to assert that their previous experience in regulating broadcasting is, in some way, relevant when it comes to regulating the completely different many-to-many medium of the internet.

"While regulating licensed broadcasters is different to regulating online platforms, the end-goal of ensuring that audiences can access pluralistic, culturally, linguistically and socially relevant content, while being protected from harm, remains the same."

Instead the defence betrays just how inappropriate a broadcast-focussed regulator is in addressing the online world. On the Internet, we are not merely audiences, passively receiving broadcast material down a different wire. Here, we are also the creators of the content, the makers of the words and the ascribers of meaning. The internet reflects social norms, but it also creates them because it is made up of the people who are society. A body that presumes to regulate those norms but that cannot understand how that is different to the broadcast world of the past should not have the job.

You built it, you own it

Finally, as an aside, Friday's statement contains a number of freshly minted references to data protection laws. The Commission sagely puffs its pipe and demands that technology firms deliver a square circle to its desk by Monday. It wants them to find a way to both create an ID database of users (including biometrics, somehow?) and then also to do it "accompanied by appropriate privacy protections". How? The regulator doesn't say. Possibly because the regulator hasn't thought about it for more than the time it takes to type the pablum phrase. But also possibly because it is literally impossible.

But let us imagine this crackpot scheme were to be put into effect and the laws of Euclidian Geometry were to be rewritten so that circles could also be squares. In that universe, the Coimisiún na Meán would have decided the purpose of the ID and biometrics data being processed. They would also have determined the means by which that processing would have occurred.

Here's Article 4 of the GDPR, defining a data controller;

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

And here's Article 82 of the GDPR setting out the consequences of becoming a data controller;

Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation.

Is the Coimisiún na Meán ready to make itself liable for how Elon Musk's X, or any effected pornography site, uses these selfies of adults and children? Has it thought about how it will defend against claims if databases of state IDs with accompanying sexual preferences leak?

If the Coimisiún na Meán is issuing defensive statements now, wait until it finds itself an actual defendant.

I did write to the Coimisiún na Meán via its PR representatives and asked if I could interview someone there about their plans. I thought you might be interested in their position. About a fortnight later, I got this reply

"Unfortunately, Coimisiún na Meán is unable to accommodate your interview request for a piece for your newsletter. Coimisiún na Meán receives a large number of interview requests on an ongoing basis. Because of this it must prioritise requests from journalists, which are accommodated whenever possible, in line with the Commissioners' other work commitments. "

Sorry internet newsletter readers. The regulator who is working on rules about how and what you can see on the internet only wants to speak to real journalists. No newsletter slop.

Except, as Friday's statement shows, when a journalist starts doing actual journalism they're not too happy either.