WEBVTT

00:00.000 --> 00:11.800
We're now ready for our next session on age verification, so over to you.

00:11.800 --> 00:12.800
All right.

00:12.800 --> 00:23.120
Yeah, small announcement as you might see, Felix was not able to join us today due to the

00:23.120 --> 00:26.560
flu that is I think spreading around.

00:26.560 --> 00:32.920
I am Elina, or khaleesi. I'm a spokesperson of the Chaos Computer Club and I'm primarily

00:32.920 --> 00:38.360
doing EU policy stuff and have been working on the so-called chat control file for the

00:38.360 --> 00:46.920
last four years now with my lovely colleague, Ella, who is head of policy at EDRi.

00:46.920 --> 00:53.560
And we will talk about age verification today and both the legal and the technical aspects

00:53.560 --> 00:58.800
and why we think that the open source communities need also to have an eye on this

00:58.800 --> 01:02.160
topic because it's coming for us hard.

01:02.160 --> 01:07.640
So Ella, I feel like to start it with the law stuff.

01:07.640 --> 01:12.920
Thank you, khaleesi. Yeah, I am a legal and policy person, so I'm just going to set the scene

01:12.920 --> 01:19.800
around what we're seeing at EU level when it comes to age verification in the last few years.

01:19.880 --> 01:25.680
We wanted to talk about age verification because for us, following EU lawmaking closely,

01:25.680 --> 01:28.560
it is one of the hottest topics right now.

01:28.560 --> 01:35.200
We have lawmakers left, right, and centre proposing it as the solution to almost any kind

01:35.200 --> 01:38.160
of online harm that you can imagine.

01:38.160 --> 01:42.840
And we are super concerned about that from a digital human rights perspective.

01:42.920 --> 01:49.720
It's a very blunt tool and it comes with a lot of intended and unintended consequences.

01:49.720 --> 01:56.440
So together and with our colleagues, we've been really resisting this flood, this rise in

01:56.440 --> 02:00.520
thinking that age verification is the silver bullet.

02:00.520 --> 02:04.440
So around why it's such a big digital rights issue for us.

02:04.440 --> 02:09.240
We kind of see it on three levels, there's the data protection level, the privacy level

02:09.240 --> 02:12.680
and the discrimination level. At the data protection level,

02:12.680 --> 02:19.480
if you have to verify your age to get onto chunks of the internet, by definition, you're

02:19.480 --> 02:25.240
giving up some of your personal data and that's always going to come with risks of leaks,

02:25.240 --> 02:28.600
of hacks, of what's going to happen with that information.

02:28.600 --> 02:31.000
And we've seen it already.

02:31.000 --> 02:36.600
Pornhub, for example, in the past used to require all of their content creators to upload

02:36.680 --> 02:41.560
a scan of their passport, which they held in a non-secure space.

02:41.560 --> 02:42.600
That was a few years ago.

02:42.600 --> 02:47.800
So you're putting yourself at risk, your personal data at risk, potentially.

02:47.800 --> 02:53.080
But then let's say you could theoretically, and we'll come to that, build a system that was

02:53.080 --> 02:55.960
completely data protection compliant.

02:55.960 --> 03:02.400
We're still opposing that as EDRi because the privacy impacts are potentially so profound.

03:02.480 --> 03:08.480
There is a step change for our free expression by saying that suddenly big parts of the internet

03:08.480 --> 03:12.240
are contingent on showing your identity documents.

03:12.240 --> 03:14.560
And I'm also a sociologist of tech.

03:14.560 --> 03:20.720
If we think back to some of the worst atrocities that have happened in human history,

03:20.720 --> 03:25.200
they have been linked to really strictly controlled identity protocols.

03:25.200 --> 03:27.840
So we really have to think of it in that sense.

03:28.800 --> 03:34.320
There's also in the privacy bucket the chilling effect that comes from the use of these tools.

03:34.320 --> 03:40.240
Even if your government or a service provider is telling you, yeah, trust us, everything's fine,

03:40.240 --> 03:46.640
we know that a lot of people will choose not to use certain services because of the age verification.

03:46.640 --> 03:52.320
And that then links to the issue of discrimination, which is that there are chunks of society

03:53.040 --> 04:00.080
disproportionately minoritized people for whom these systems do not work as well or do not work at all.

04:00.080 --> 04:06.640
And all that we get then with these systems is the entrenchment of the discrimination and the

04:06.640 --> 04:13.520
marginalization that communities like undocumented people, racialized people, sex workers,

04:13.520 --> 04:16.960
and other targeted communities already face online.

04:17.840 --> 04:24.720
In the past in the last few years at EU level, it has been possible for providers of

04:24.720 --> 04:34.800
different types of online services, social media, apps, other kind of services to use age verification

04:34.800 --> 04:40.160
if they want to. And increasingly under the GDPR and the Digital Services Act,

04:40.160 --> 04:44.960
we have seen regulators more and more saying that especially for services that have a lot of

04:44.960 --> 04:51.760
minors on them, so social media, that the interpretation is they do need to start using

04:51.760 --> 04:58.320
age verification more. But we're now in a place where it's creeping towards being

04:58.320 --> 05:04.640
de facto mandatory or potentially completely mandatory. So we have some new interpretive guidelines

05:04.640 --> 05:10.640
under the Digital Services Act, Article 28 specifically, that are quite prescriptive about how

05:10.720 --> 05:16.240
especially social media services probably should be using age verification systems.

05:17.280 --> 05:22.400
But potentially even more worrying than that, we have the child sexual abuse regulation

05:22.400 --> 05:28.480
more commonly known as chat control. And although it's the mass surveillance and the encryption

05:28.480 --> 05:33.360
breaking that's generally getting the most attention from chat control, what a lot of people don't

05:33.680 --> 05:41.280
know is that that law also has potentially mandatory age verification for private chats.

05:41.280 --> 05:48.880
So your Signal, your WhatsApp, your Telegram DMs, your emails, potentially all of these channels

05:48.880 --> 05:55.920
if this law passes could be subject to age verification because this law is based on the premise

05:55.920 --> 06:03.040
that sending a private message is inherently risky. So we could be potentially a few months away from

06:04.000 --> 06:11.520
if certain lawmakers get their way whereby we cannot exercise our right to communicate with other

06:11.520 --> 06:20.560
individuals privately in the digital age without using our identities. And bringing it also

06:20.560 --> 06:29.920
specifically to the open source context, it's not just the communication services themselves,

06:30.000 --> 06:35.280
where they might have to use age verification, it's also app stores. There's going to be a big

06:35.280 --> 06:43.040
obligation potentially put on app stores to verify the age of their users and control access

06:43.040 --> 06:50.560
then to all the apps in their app stores. And this chat control bill, it relies on the definitions

06:50.560 --> 06:55.440
that are in a law called the Digital Markets Act, which is actually aimed at kind of reining in

06:55.520 --> 07:00.960
the power of big tech. So in principle, we support the Digital Markets Act, it's got a lot of

07:00.960 --> 07:07.120
potential to open up fair competition and to be really beneficial for the open source community.

07:08.080 --> 07:13.600
But the chat control bill does not limit this to gatekeepers. It doesn't say it's only the

07:13.600 --> 07:18.880
Googles and the app stores that have to use age verification, although that's problematic too.

07:19.840 --> 07:25.760
But it would also impact, for example, F-Droid being forced to then bring in age verification

07:25.760 --> 07:32.240
controls to access the app store as well as to access a lot of individual apps. So we're potentially

07:32.240 --> 07:39.760
seeing an absolute landslide, in fact, it's my final slide. This is what is in the chat control bill

07:39.760 --> 07:46.720
around software application stores. It's not that they may do this, they shall take what's

07:46.800 --> 07:52.240
considered by the European Commission as reasonable measures. But as I've already explained,

07:52.240 --> 08:00.720
the risk profile of this law is done so that communicating privately is seen as inherently the highest

08:00.720 --> 08:08.800
risk thing you can do online, along with sharing pictures and sharing URLs. So 10 minutes left.

08:09.760 --> 08:14.880
So I will then move on to khaleesi to give you the technical side of this.

08:15.840 --> 08:21.920
Yeah, I think, like, very early on, I warned that the chat control file will lead to age verification

08:21.920 --> 08:28.880
and also like to force decentralization of the open source ecosystem. Before I get to those

08:28.880 --> 08:37.200
impacts, maybe get some terminology clear. There has been a workshop by the Internet Architecture Board

08:37.520 --> 08:45.360
and World Wide Web Consortium late last year. So all, like, the definitions I have here can also be

08:45.360 --> 08:51.440
read up in the summary of their workshop. And I think it's really good to have some more terminology

08:51.440 --> 08:57.120
here to understand the risks and the harms that the age verification architectures could do.

08:58.800 --> 09:05.280
Also to evaluate them further because we are at a time where age verification or age assurance

09:06.240 --> 09:14.400
like the umbrella term for everything that provides some entity with information about the

09:14.400 --> 09:21.360
age of their user. While age verification is like a really specific thing, mostly tied to your

09:21.360 --> 09:27.760
national identity. And then there are other technologies like age estimation where there is a

09:27.760 --> 09:34.640
see like your face and the difference of just that are being classified or like your behavioral

09:34.640 --> 09:40.800
data. So what age are you leaning towards in your behavior on the social media platform. There's

09:40.800 --> 09:46.400
also something that is being done. And of course like the third thing is like inference, we all know

09:46.400 --> 09:51.280
that if you buy cigarettes, you need to use your credit card, if you're buying that somewhere in

09:51.280 --> 09:59.040
an automat to verify that you are of age. So that being all those technical possibilities being

09:59.040 --> 10:04.640
laid out, which can be inherently problematic, as Ella said, like Pornhub's issues in the

10:04.640 --> 10:12.000
past as well as Discord using a lot of data for doing age assurance. But there are also other

10:12.000 --> 10:19.440
problems when it comes to the implementation. So the question is where are we implementing that?

10:19.440 --> 10:26.720
Of course, what most policymakers think of is like service level, right? So any social media platforms

10:26.720 --> 10:32.720
verifying the age of their users before they are able to join. But there are also other things being

10:32.720 --> 10:39.520
discussed in other jurisdictions, which is like browser levels. So the browsers would have like

10:39.520 --> 10:47.840
your age flag and present it to all, like, sites you're surfing to. And that would be really problematic

10:47.840 --> 10:52.800
because then it's way harder to circumvent. And the same goes for the operating system level, which

10:52.800 --> 10:58.720
is very similar to parental controls for those who don't have kids and don't know it. So you can

10:58.720 --> 11:05.120
set up a device for a child user and then you have a certain control over what apps they're

11:05.120 --> 11:09.760
able to download, the age that is being set on operating system level and so on and so forth,

11:09.760 --> 11:17.600
most of the operating system providers offer that. And this is also like deeply then

11:17.600 --> 11:24.000
embedded into the operating system, which makes it also harder to circumvent but also more

11:24.000 --> 11:31.200
riskier depending on what data is being collected and being stored. The next thing which I think

11:31.200 --> 11:36.800
is even more important when it comes to rating the risk and the harms of a certain architecture

11:36.800 --> 11:43.040
is the different roles that are needed. So of course there is usually a verifier in the case of

11:43.040 --> 11:49.760
most age verification situations. It's like a proprietary software provider that sells

11:49.760 --> 11:56.880
the service to you as a service. And then there's an enforcer, it would be usually like the platform

11:56.880 --> 12:03.040
for example, or the app store, enforcing what is needed. But then there's also something that

12:03.040 --> 12:08.880
makes the things more complicated because we are speaking of like a global construct and there

12:08.880 --> 12:14.800
might be different laws and different jurisdictions. So you need to also probably select the policy

12:14.800 --> 12:22.960
that is being enforced and lastly but most importantly there's also like a need for rating because

12:22.960 --> 12:30.560
the content needs to be rated in order to decide who should be able to access it and this is like

12:30.560 --> 12:36.160
with, like, platforms it might be rather easy saying, like, social media is banned for people under

12:37.120 --> 12:42.720
16 but if we talk about the broader web then that might be very difficult. And in all those

12:42.720 --> 12:51.200
constructs those different parties can be also merged in some kind of way because, like, Meta

12:51.200 --> 12:57.040
might apply their own age assurance service and so they are handling the data, but others

12:57.040 --> 13:01.120
would argue it's always due to have a third party doing the verification because then

13:01.120 --> 13:05.280
the provider doesn't have to deal with the data. So there are a lot of technical

13:05.280 --> 13:12.480
implications here that haven't been evaluated probably I would say. Basically what we are seeing here

13:12.480 --> 13:18.400
is like rolling out a release without ever testing it because we don't know what the impact

13:18.400 --> 13:25.200
will be on the broader web we don't know what the impact will be on the open source ecosystem

13:25.200 --> 13:31.280
and nobody ever talks about that and this is like very problematic and this is not a theoretical

13:31.280 --> 13:42.160
thing when we look at different laws the most public one right now is the social media

13:42.160 --> 13:49.520
minimum age in Australia I think you all heard about it and they are requiring social media platforms

13:49.520 --> 13:55.520
to verify the age of their users and when they are under 16 they are needing them to ban them

13:55.520 --> 14:02.720
actually this is, like, Felix's part so we could pull in some experience from GitHub because

14:04.320 --> 14:10.400
GitHub actually has been contacted by the Australian eSafety Commission and they considered that

14:10.400 --> 14:17.760
GitHub might fall under this bill and might need to verify their users and ban users under 16

14:17.760 --> 14:25.040
from their platform. Luckily GitHub was able to convince the Australian eSafety Commissioner

14:25.040 --> 14:32.160
that GitHub is exempt from the law but we can see here that it's getting very problematic

14:32.160 --> 14:39.760
for code hosts themselves and I think another example would be the UK where Wikimedia is

14:39.760 --> 14:46.800
suing against the online safety act which is also going for age verification in order to not have

14:46.880 --> 14:56.720
Wikimedia or Wikipedia under a required age assurance regime which would be very problematic also

14:56.720 --> 15:03.680
leaning towards, like, access to open knowledge and it even got worse because the Germans are also in

15:06.480 --> 15:12.000
we have a treaty in Germany that nobody really talks about, it's the German treaty on protection

15:12.000 --> 15:18.480
of minors in the media, or as we say, the Jugendmedienschutz-Staatsvertrag, and it requires all

15:18.480 --> 15:25.280
providers of operating systems that are typically used by children to include a child protection

15:25.280 --> 15:33.040
filter in the operating system but even worse they also need the operating system to only run

15:34.080 --> 15:40.000
app stores that also have a child protection filter and that's not enough they also need

15:40.880 --> 15:47.840
the users to only be able to use browsers that also enforce some kind of child protection filters

15:48.480 --> 15:58.800
so child-proofing the internet the German way and this is very problematic on so many levels

15:58.800 --> 16:06.320
I think for open source distributions one could argue, like, yeah, children typically

16:06.800 --> 16:13.520
don't use them well I think it's a bad argument as we try right now to run more people on open

16:13.520 --> 16:20.720
source but secondly it also leads to the direction of criminalizing open source projects

16:21.920 --> 16:30.080
the argument being okay they don't adhere to our laws so they can only be used by criminal persons

16:30.080 --> 16:34.800
so we try to ban them and this is also not theoretical that happened in France before

16:36.880 --> 16:42.720
and as I said before there are a lot of implications here because if you do age verification

16:42.720 --> 16:47.600
you need a verifier, if you need a verifier you need to have some part of, like, centralization

16:47.600 --> 16:51.760
and if you want to do it decentralized then you need to build your own solutions and this is problematic

16:51.760 --> 16:56.000
so you might go back to centralization then you need to compute the data somewhere so there's a lot of

16:56.640 --> 17:06.960
things that need to be considered and yeah I think now is really the time to speak up

17:08.960 --> 17:14.560
not only from a privacy perspective but also, like, go back to your communities, to your projects,

17:14.560 --> 17:24.800
think about what that would mean for your projects if that would be a problem and what would

17:24.800 --> 17:32.080
be the implications and what also would be the risk of rolling out such an infrastructure

17:32.080 --> 17:42.160
without evaluating the risk but also, like, the harms that it could cause. Yeah.

17:54.800 --> 18:01.520
okay

