Why the Digital Economy Act Part 3 still merits consideration

May 6, 2021

Parents cannot be expected to supervise every minute their children are online, and many do not know about or understand how to apply parental controls in the home.

A new judicial review has been launched by individuals personally affected by the decision in October 2019 to abandon Part 3 of the Digital Economy Act, which would have introduced age verification to access adult content on websites wherever they were based globally (read more in the Guardian).

It will be years before replacement legislation is enforced

Part 3 of the Act was dropped in favour of the new Online Safety regime expected to be announced in the Queen’s Speech next week. But that still faces a period of pre-legislative scrutiny by Parliament before it is revised, and then must make its way through both the House of Commons and the House of Lords. Only once it is passed can the new regulator, Ofcom, gather views on how it should be implemented, draft regulations and guidance, and then consult on these before they are eventually enforced. It may even be that laws relating to pornography are left to secondary legislation, which can only be passed after the Act itself receives Royal Assent, further delaying implementation.

Part 3 is a good start and it is “oven-ready”

So there is a good argument for implementing Part 3 as an interim measure, given it is still on the statute books and could be in force within weeks. It was not perfect, and at the time it was accepted that it did not, for example, cover social media, but it was only intended to be a first step – “not letting the best be the enemy of the good” as the minister championing it, Margot James, warned at the time.

The arguments against Part 3 are weak and technically flawed

Below we address the arguments which come up every time the proposal is discussed – the arguments do not stand up to scrutiny.

On fears about data security and privacy…

These concerns were clear to the age verification providers right from the start, so they designed their systems to minimise the data they stored, and to anonymise users. So, a user proves their age to an AV Provider, but then any personally identifiable information is never stored anywhere centrally where it is at risk of being hacked. Some providers anonymise the user; others only allow personal data to be accessed on the user’s own smartphone. The AV providers also designed their interaction with the adult websites to prevent any opportunity to know which user was trying to access a particular site.

It is well known that the only un-hackable database is no database at all. By applying privacy-by-design and data minimisation principles, the age verification industry achieved this, and providers can be audited and certified to confirm that this is true and sensitive personal data is not put at risk.

On the use of virtual private networks (VPNs) to pretend the user is not in the UK…

The Digital Economy Act requires any pornographic website to prevent minors in the UK accessing it, however they do so – including by using a VPN.

The website can either:

  • Introduce age verification for all its visitors, or
  • Introduce age verification for visitors from UK IP addresses and those from IP addresses known to be used by VPNs (because these may be visitors from the UK). The more widely known VPNs, and particularly the free ones on offer, tend to use a limited number of IP addresses, which organisations such as the BBC iPlayer and Netflix already use systems to block.

On evading enforcement through blocking access to the sites by using DNS over HTTPS (DoH)…

Some opponents of the measure have questioned whether IP blocking will work as DNS over HTTPS (DoH) becomes more commonplace – this is an encrypted method of navigating the internet. In the first instance, while current DNS-based blocking methods used by ISPs may need updating, DoH does not completely disguise the sites being accessed, so they can still be blocked. Alternatively, if it is going to become a significant problem, this will not become clear for several years, and here we are talking about interim protection over the next three years. Finally, IP blocking is just one of four enforcement mechanisms in the Act. Even if it did not work there would still be the other three!

If a site is failing to prevent minors in the UK accessing it, the regulator can:

  • Block standard (non-DoH) access by requiring ISPs to do so – this is how the vast majority of users navigate the internet
  • Block DoH access by asking cooperating DNS resolvers to do so – these are the telephone books of the internet, turning website domain names into numerical IP addresses (potentially they are required to do this alongside ISPs under the DEA as they fall under the broad EU definition of ‘internet access providers’ used in the Act)
  • Block DoH access by requiring ISPs to use unencrypted elements of the traffic which are still not hidden by DoH (Server Name Indication and Online Certificate Status Protocol connections)
  • Use other enforcement measures such as payment service provider interventions to cut off the website’s access to revenues

On the scope of the Digital Economy Act…

It was only ever intended as a first step. The legislation required a review within 18 months, specifically considering the definitions within Part 3.

  • It can easily be extended to include social media
  • The Online Safety Bill may in fact have a narrower scope because the duty of care is restricted to sites which have user generated content or allow user interactions. Websites facing the prospect of losing $1,000,000 a day if they impose age verification are highly likely to change their functionality (one major site dropped the majority of its user generated content within days when Visa and MasterCard withdrew their payment services)

On why not wait for the Online Safety Bill…

The new Bill has yet to be published; the Digital Economy Act is already on the statute books and is ‘oven ready’ – it could be in force within weeks.

  • There is a commitment to pre-legislative scrutiny and the Bill itself may not be passed as quickly as the government hopes
  • The regulator cannot begin to consult on regulations and guidance until the Bill is enacted
  • Ofcom took a year to implement the Audiovisual Media Services Directive, which is only expected to impact a dozen websites
  • The government has indicated that pornography will be dealt with through secondary legislation, which cannot be passed before the Act itself and will also require preparation by Ofcom