Submission

9 November 1999

Restricted Access / Age Verification Systems

This is a submission in response to the Consultation Paper on Restricted Access Systems issued by the Australian Broadcasting Authority.

Contents:

1. Executive Summary
2. Introduction
3. Age or Identification Verification?
4. Credit Cards as Identification
5. Qualification/Verification
6. Commercial or Non-Commercial Sites
7. Digital Signatures
8. Privacy
9. Access Control Methods
10. Conclusion

• The proposals are administratively onerous to the extent that few Australian content hosts would be prepared to incur the costs involved in setting up the relevant systems. It would be far easier to simply set up sites offshore in a country where such regulatory burdens are not imposed.

• The proposals require users to provide personal identifying information that goes far beyond proof of age. This is likely to act as a deterrent even for genuine adults.

• The proposed identification details are easily forged, demonstrating conventional wisdom that effective age-authentication systems are almost impossible to implement on the Internet.

• There are technical flaws in many of the ideas expressed in the Consultation Paper that suggest the authors did not obtain expert advice.

• EFA recommends that the ABA drop this proposal altogether and replace it with guidelines for placing warnings on web sites that may be unsuitable for children.

EFA wishes to state from the outset that we believe that it is not possible to devise an effective age-verification system without compromising utility, user-friendliness and technical feasibility to such an extent as to make the scheme unworkable. Consequently, our comments are made in the context of pointing out some obvious deficiencies in the proposed scheme, without implying that fixing these problems will lead to an acceptable restricted access system.

It is not clear why it is necessary to verify identity. The requirement under the Act is only provision of an access control system that has the objective of protecting children from exposure to Internet content that is unsuitable for children. There is no requirement to verify users' identity or actual age, only that a user is not a child. The proposal to require users to register name, address and date of birth are excessively onerous provisions which infringe privacy rights and will deter many adults from registering. They will avoid Australian hosted sites in favour of overseas sites.

Furthermore, while the proposal states that the system should invalidate an application if evidence of identity and age has not been produced, the proposed system does not require actual evidence to be submitted. If it did, there is no apparent means by which a web site operator, content host or PIN/password provider could verify such evidence. If such a means becomes available, it will need to verify within ten seconds as it is well known that visitors to sites will not wait for access. It is even less apparent how web sites could verify information about applicants residing outside Australia, or claiming to reside outside Australia.

Enquiries to banking institutions reveal that it is contrary to banks' policy to disclose the name or address of a credit card holder. To quote the online banking manager of one major bank on the subject of using credit cards to verify identity "If the government is looking to the banks to verify identity, they can forget it. Our customers would have a fit.". They will provide no information to credit card merchants other than to advise whether a credit card number is valid and whether the card has been reported lost or stolen.

Notably, some banks have difficulty verifying identity:

"In the past, the forgery of documents that were used to provide evidence of identity was a highly skilled task that few criminals were able to undertake convincingly. Since the advent of digital technologies, however, it is much easier to scan an official document electronically, alter the image as it appears on a screen, and print out a counterfeit version using high quality laser colour printers—all from the comfort of a home office.
... In Victoria, for example, between August 1995 and March 1996, an offender used desktop publishing equipment to create 41 birth certificates and 41 student identification cards (some containing photographs), each in separate names, and a counterfeit driver’s licence. These were used to open 42 separate bank accounts throughout the Melbourne metropolitan region to pay cheques into accounts as wages and make immediate withdrawals before they had cleared; to register a business name; to obtain sales tax refunds; and to defraud various retailers."

(Identity-related Economic Crime: Risks and Countermeasures, Russell G. Smith, Trends & Issues in Crime and Criminal Justice No. 129, Australian Institute of Criminology, September 1999. http://www.aic.gov.au/publications/tandi/tandi129.html)

It is not difficult for minors to obtain a valid credit card number. Some banks provide credit cards to minors, minors may have a subsidiary card on a parent's credit card account, minors may "borrow" a credit card number from their parents unbeknownst to them, or be told of a number by friends, or download a software program that generates valid credit card numbers.

In cases where goods or services are purchased by credit card, misuse of a card will become apparent on receipt of the credit card account. If a minor uses a parent's card to access sites presumably harm, if any, will have occurred prior to the parent becoming aware their credit card is being used. However, in cases where a credit card is used solely as identification, i.e. goods or services are not purchased, misuse of a card to obtain access to non-commercial web site may never become known.

While it is not difficult to acquire a credit card number, the system should not encourage misuse of credit card numbers by persons who for personal or financial reasons do not possess a credit card. Although a digital signature is proposed as an alternative to credit card details, at present digital signatures are generally possessed and used only by persons with technical expertise.

Despite its privacy intrusive qualities, the proposed system is no more effective in preventing minors from accessing material than systems presently in place. Like existing systems, its point of failure is the honesty of the user in declaring their age.

The qualification/validation rules state that an application will be invalid "if credit card number cannot be verified". The meaning of "cannot" requires clarification in this context. Does this refer to situations when the credit card number is reported invalid or lost/stolen by the credit card provider, or to situations when a content host/web site operator "cannot" verify a credit card number? Non-commercial web sites "cannot" verify credit card numbers without becoming credit card merchants. Requiring them to become a credit card merchant for the purpose of verifying applicant details is contrary, to quote the Consultation Paper, "to the principles laid down in the Act which have the aim of minimising the financial and administrative burdens on the Internet industry".

The proposed system states that a condition of use of an allocated PIN or password should be that it not be provided to a minor. In cases, if any, where application details can be checked for validity, a delay will occur between application and provision of PIN/password. In the case of electronic lodgement, presumably it is intended that PIN/password be subsequently provided to the applicant by email. Such an email containing a PIN/password is likely to fall into the hands of a minor who uses their parents' computer to access the Internet.

The requirement that an originally allocated PIN or password be provided in order to have a PIN or password changed does not allow for the situation where the user has forgotten or lost their PIN or password.

Since the proposed scheme places such importance on the use of credit cards for identification, the implication seems to be that the only Australian sites likely to be classified R by the OFLC are commercial sites, presumably offering pornographic material that is not so explicit as to warrant an X classification. This is an invalid assumption.

Firstly, given the narrow class of sexually (non)explicit material permitted in the R classification and the availability of X and XXX rated sites outside Australia, it is doubtful that there will be a market for Australian commercial R rated sex sites.

Secondly, the legislation requires the use of film guidelines to classify Internet content. While some commentators seem to believe that films are classified R primarily because of sexually explicit or highly violent content, this is not true. According to the Annual Reports of the Office of Film and Literature Classification (OFLC), the vast majority of R films are so classified because they deal with social and political issues, referred to in the Classification Guidelines as "adult themes". Adult themes include:

"verbal references to and depictions associated with issues such as suicide, crime, corruption, marital problems, emotional trauma, drug and alcohol dependency, death and serious illness, racism, religious issues".
(Source: OFLC Classification Guidelines)

In the 1997/98 year, 68% of films and 71% of videos were classified R for portraying adult themes other than sex, violence or coarse language. Examples of material that could attract an R rating under the film classification guidelines might be safe sex information and drug abuse prevention information published as a community service, rape victim support forums, shocking graphic images of violence documented by human rights organisations, etc.

In short, many if not most R-rated or potentially R-rated sites will be non-profit sites. Use of credit cards for identification purposes is therefore inappropriate.

A digital signature does not necessarily provide proof of identity, unless accompanied by a certificate signed by a Certification Authority (CA) recognised by and acceptable to the host server. There does not appear to be any impediment to minors obtaining a digital signature, nor having same signed by a CA. Furthermore, it is not obvious why credit card details and digital signatures are considered by the ABA as equivalent alternatives for the purpose of user identification.

The implementation of a system for authentication of digital certificates, tied to a scheme for controlling access to a web site, requires the use of technology that is at present well beyond the capability of a typical content provider. It would be most unwise for the ABA to propose an approach that depends on future technology developments that may or may not make such facilities commonplace or economically viable.

The proposed system foreshadows an unprecedented level of intrusion into users' privacy.

Off-line, on occasions when it is necessary to provide proof of age, such as purchasing liquor, entering a night club, or buying an adult magazine, the transactions is usually anonymous. Even in those cases where ID is requested, no identifying information is left behind. Given widespread concerns about data matching and privacy of electronic transactions, it is inappropriate to propose a scheme that gathers personal identifying data.

According to the Federal Privacy Commissioner's media release of 20 October 1999:

"Numerous surveys show that there is a growing unease in Australia and internationally about the impact of new technologies on an individual's privacy.

• A Roy Morgan survey, published in August '99, found that "The majority of Australians (56 percent) are worried about invasion of privacy issues created by new information technologies.
  http://www.roymorgan.com/polls/1999/3221/
• A recent survey of 5,000 Internet users, by the GVU Center, College of Computing Georgia Institute of Technology, Atlanta found that 77.5 percent of users valued privacy over convenience when buying on-line.
  http://www.gvu.gatech.edu/user_surveys/survey-1998-10/graphs/privacy/q13.htm

The proposed system facilitates creation of databases of personal information that may be used, or sold, for marketing and other purposes without the Internet user's knowledge or consent. Requiring entry of PIN numbers on access to sites enhances the ability of content hosts to monitor and track Internet users' activities and interests and to cross reference this information to personal identification data. Information obtained will not prove that the user is an adult, but may be used for fraud, personal or professional exposure, blackmail and predatory behaviour.

Privacy legislation applicable to the private sector is not expected to be in place until at least eighteen months after the amendments to the Broadcasting Services Act commence on 1 January 2000. In any case, proposed privacy legislation will not provide users with adequate control of personal information provided to web sites. It will not prevent misuse of information and in seeking redress users are likely to experience difficulties in identifying which content host or PIN number provider breached privacy laws.

Privacy concerns are already a significant impediment to consumers accessing the Internet. In many instances, persons or entities providing web sites are unknown. Compelling provision of personal information to web sites is dangerous. Users will, on the whole, be unwilling to submit personal information of the type proposed.

Does the ABA propose to allow adults to access Australian sites discussing adult themes only by sacrificing their privacy?

The most commonly-used method to control access to web pages is the HTaccess method. This is readily implemented by content providers without requiring CGI or other server-side programming. The HTaccess method depends on use of a user name and password.

The ABA's proposal to use date of birth combined with a PIN or password necessitates a non-standard approach to user authentication which will impose additional costs on content providers. While it may be conceivable to use date or birth in place of a user name, birth dates are not unique and would therefore be clumsy to implement under the HTaccess method. If instead, the date of birth was used as a password, security is likely to be compromised.

Of course it is possible to design custom-made authentication systems but this imposes substantial costs on the content creator and would severely limit the number of sites able to comply with the legal requirements. Furthermore, custom-made systems generally require use of facilities, such as CGI scripts, that many ISPs are unwilling to provide to typical content providers due to network security issues. Is it the intention of the ABA to implement a scheme that is so onerous and expensive as to effectively become a form of self-censorship?

The requirement that the system "must not allow for automated input of login information" should be deleted or, at the least, restated in a more technically aware manner. Enabling automated input is not only under the control of the web site, but the developers and users of Internet access software such as web browsers. It is thus not necessarily possible for web sites to prevent automated input of login information.

Development of the proposed system does not seem to have been guided by the Parliament's intent that "Internet content hosted in Australia...be regulated in a manner that...enables public interest considerations to be addressed in a way that does not impose unnecessary financial and administrative burdens on Internet content hosts" and encourages "the supply of internet carriage services at performance standards that reasonably meet the social, industrial and commercial needs of the Australian community".

The proposed system is extraordinarily privacy intrusive while not meeting the objective of protecting children more effectively than standard restricted access systems presently in use.

In conjunction with the ban on X-rated material, the system will have the effect of essentially removing all material from Australian sites that is not suitable for a child to read. This could include research material, medical and health information, safe sex guides, or any matter dealing with controversial adult themes, e.g. abortion, euthanasia etc.

The proposals are totally out of step with the essential character of the Internet as a public communication medium. The ABA should go back to the drawing board else it will stand condemned as an agent for the suppression of freedom of speech and infringement of Internet users' privacy.

References:

Consultation Paper - Restricted Access Systems, Australian Broadcasting Authority (ABA), October 1999
http://www.aba.gov.au/what/online/restricted.htm

Identity-related Economic Crime: Risks and Countermeasures, Russell G. Smith, Trends & Issues in Crime and Criminal Justice, No. 129, Australian Institute of Criminology, September 1999
http://www.aic.gov.au/publications/tandi/tandi129.html

Blinded by Smoke (A discussion paper on the R classification guidelines), Irene Graham, 14 June 1999
http://rene.efa.org.au/liberty/blinded.html

Federal Privacy Commissioner's Media Release, 20 October 1999
http://www.privacy.gov.au/news/index.html#6.13