Menu
Ireland's political and cultural magazine
56 October-November
Coming for your data
By Gerard Cunningham
T
hink of the children!” became the
catchphrase of Helen Lovejoy, a
character in The Simpsons in the
1990s: a single transferrable
response to any issue that was
generating controversy. The character
satirised the use of the phrase in American
political discourse, leading to proposals
ranging from “Parental Advisory” stickers on
rap albums to the “Clipper chip” proposals to
allow government agencies to break computer
encryption.
The Online Safety Act became law in the
United Kingdom in 2023, but its measures
didn’t really kick in until this Summer. On 25
July last, the UK passed the deadline for some
websites to implement strict age verification.
The UK Act requires internet companies to
protect children from inappropriate material,
hate speech, bullying, child sexual abuse
material (CSAM), and fraud. Social media
sites, online forums and dating websites
among others were obliged to put in place
stricter age-verification systems. So although
the law is written to protect children, in
practice it means all adults have to go through
stricter age checks just to use mainstream
platforms including Facebook, Google and X.
How should this work? Most solutions seem
to require either that users upload ocial ID
and selfies, or register using a credit card. The
problem, as privacy campaigners and human
rights groups have pointed out, is that every
adult using the internet in the UK is obliged to
surrender their privacy. Verification apps will
record phone numbers, and assign devices
unique identifying numbers, for example,
thus providing a way to track internet users
on every site they visit: information of great
value to advertisers.
Certainly, age-verification data may not be
reused for advertising without informed
consent, and sharing biometric or
identification data for marketing is unlawful.
In principle, providers must store such data
securely, restrict its use to age confirmation,
and delete it when no longer required.
Nonetheless, privacy groups warn that
indirect tracking for advertising purposes
remains possible. Pseudonymous identifiers,
manipulative consent mechanisms, expansive
data collection, and adtech partnerships
could allow profiling despite legal safeguards.
While formally restricted, commercial
incentives make exploitation tempting,
The problem is, once
you build a backdoor
for security agencies
to enter an encrypted
chat, there’s no way
to stop anyone else
including social media
and advertisers from
exploiting it
prompting campaigners to call for stronger
oversight and enforceable protections against
‘function creep’.
One of the first eects of the legislation in
Britain was a surge in internet searches for
information on virtual private networks
(VPNs) which allow users to spoof their
geographic location. VPNs have been popular
in corporate circles for some time, allowing for
more secure communications between
dierent business locations, or for remote
workers to connect securely to their
workplaces, as well as for consumers hoping
to bypass geographic restrictions – an Irish
person hoping to listen to the BBC Sounds
app for example.
This in turn has led to calls for the
government to ban VPNs, which won’t go
down well with financial institutions and
others who rely on them as part of their
internal security frameworks.
Around the same time as the UK Act came
into eect, similar obligations came into eect
in Ireland, under the oversight of Coimisiún na
Meán, but with much less fanfare. Perhaps
wisely, An Coimisiún has so far stood back,
perhaps waiting to see how the UK fares before
going down the same path.
No doubt both An Coimisiún and the
government parties will be aware that, while
Ireland may be a much smaller country with a
population a fraction the size of the UK, it is
also host of the European headquarters for
many internet companies. The decision of the
Data Protection Commissioner, confirmed in
June (see DPC Case Reference: IN-21-7-3) that
the Department of Social Protection acted
illegally in using biometric data and facial-
recognition technology in the Public Service
Card because the DSP had no proper legal
basis for collecting and processing such
sensitive personal data, leading to a fine of
€550,000, may also have given pause for
thought to big tech.
Curiously, the European Union also seems
determined to ignore the implications of the
General Data Protection Regulation, pushing
ahead with proposals to scan all user-content
in messaging and chat apps in the EU. The EU
passed GDPR to protect privacy, but is now
pushing measures that could override it by
enabling blanket surveillance.
The problem is, once you build a back door
for security agencies to enter an encrypted
chat, there’s no way to stop anyone else from
finding and exploiting the same trick. Privacy
and security become a thing of the past.
At the time of writing, the proposal hangs
in the balance, with Germany vacillating
between opposing the measure and taking an
undecided position, subject to further
negotiations (Ireland is backing the measure).
As things stand, EU ministers are due to vote
on the proposals in mid-October.
Regulators in he UK nd Irelnd re
fvouring Child Proecion over Privcy
MEDIA
