GitLab logo Email icon
admin@kaisev.net

Background

Bill S-210, An Act to restrict young persons’ online access to sexually explicit material is waiting for its third reading in the House of Commons, information about the bill is available here https://www.parl.ca/LegisInfo/en/bill/44-1/S-210.

I would suggest reading the bill before reading the letter below.

Letter

I am a Software Developer with over 9 years involved in the Information Technology, Information Security, and Information Privacy communities. I am writing due to concerns regarding bill S-210, An Act to restrict young persons’ online access to sexually explicit material, there are three major areas of concern:

  1. Privacy and safety of users
  2. Scope of regulations
  3. Efficacy of and consequences of implementation

Privacy and Safety of Users

Internet Privacy and safety go hand in hand, and as we have learned repeatedly the only effective way to protect your personal information is to share it with as few people and organizations as possible. Even large and trusted organizations make mistakes, have breaches, and inevitably leak critical user data. Any Personally identifiable information (PII) leaked on the Internet presents a threat to the victim.

Stalking and Harassment

Any publicly available PII can lead to stalking and harassment, especially for women and girls. Finding one piece of PII makes it easier to find more pieces of PII, for example finding someone's real name, age, or city can lead to finding out what schools they attended, their home address, their personal phone number, and the details of their friends and families.

Online harassment, stalking, and cyber-bullying is not resolved by simply "turning off the computer". Turning off the computer does not prevent unsolicited calls and text messages, turning off the phone doesn't stop mail, packages, vandalism of property, or harassment of family members. Victims of this abuse suffer greatly, and it can be hard to find help.

Violence

As an extension to stalking and harassment, the doxxing (public release of PII) of anyone online can lead to threats or acts of physical violence of this person.

Identity Theft

The theft of personal IDs (or images of them) such as driver's license can easily lead to serious identity theft.

Identity theft is an incredibly damaging consequence to an online world. Identity theft can cause significant financial damage, embarrassment, or the identity theft of people you care for (such as children and elderly people).

How S-210 Will Compromise the Privacy and Safety of Users

S-210 requires an age verification mechanism for any organization that makes sexually explicit content available on the Internet. This, through a matter of definition, exposes the age of the user to this organization, which is a piece of PII. Importantly, however, there is no age verification method that does not require an ID or a credit card (and that is if the regulations that come out of this act will accept possession of a credit card as proof of age). This means that these organizations will end up holding critical PII for all Canadians it interacts with.

This will, with absolute certainty, result in the theft of this data from one or several of these organizations at a large scale. It will only be a matter of time. Being anonymous on the Internet is a critical right, and must be protected.

Scope of Regulations

What Sites and Services are Affected?

Any organization that, for commercial purposes, makes available sexually explicit material on the Internet

Many message boards online offer a variety of content including informational, social, political, and sexual content. Even if the sexually explicit content is not pornographic in nature, this bill will still apply.

What Will Blocking Look Like?

Under this bill Federal Court would be required to order Internet service providers to prevent access to the sexually explicit material to young persons.

I can immediately identify two serious problems with this:

  1. Due to secure connections between devices and websites, the Internet Service Provider cannot simply "intervene" and show a screen requiring identification. If you were to attempt to do this, you would a "wrong host" error message, such as what you would see on https://wrong.host.badssl.com/
  2. Identifying individual users is impractical, frankly impossible, with current networking infrastructure. With technologies like NAT, DHCP, VPNs, and Proxies, an IP address does not simply correspond to a single user, user's IP addresses change all the time. This is not likely to change in our lifetimes.

Because of these issues, the only way for an ISP to comply with the law is to block the website for all users.

Consequences

Any message boards that have sexually explicit material on them and don't gather user's IDs may need to be permanently blocked from Canada. This is an egregious offence to freedom of information and freedom of speech, and from a social/political standpoint isolates Canadians from viewpoints and information that isn't from or explicitly targeting Canadians.

Efficacy of and Consequences of Implementation

Let's go over a scenario:

A 16 year old boy wants access to sexually explicit information on the Internet. But every site he tries to load is asking for ID! So, what does he do?

  1. Give up
  2. Buy or use a free VPN product that can circumvent these blocks
  3. Grab his mother's driver's license from her purse and use that
  4. Find an obscure, (more likely to be unsafe with predatory advertisements and viruses/malware) website that the regulators haven't found yet
  5. Find someone who has the kind of content he wants already, and ask to have it sent to him (thus encouraging social interactions with underground pornography dealers and children)
  6. Resort to digital piracy to download the content (and possibly viruses/malware along the way)
  7. Create or purchase a fake ID

This whole bill relies on people choosing option 1, and there really is no effective way to prevent any of the other options.

What will happen is people who don't want to share their IDs and people who don't have IDs will resort to other methods to get this content, resulting in intellectual property theft rising, and more importantly resulting in more cyber security risk to the Canadian people.

What can We Do Instead?

This bill will make the Internet more dangerous for Canadians and Canadian children, and will not achieve the goals it sets out to.

There is a better way! This is not an issue that can be resolved or even improved with laws, it is an issue that can be improved with education.

Internet Service Providers are continually providing stronger parental controls for home networks, and parental and Enterprise management tools for all manner of devices can give parents even more capabilities to help protect their children from far more than just sexual content.

The problem is that many parents don't know about these tools, how to use them, what they're capable of, and why it's important.

A free education program for all Canadians to teach them about the consequences and dangers of an online world, and teach parents how to monitor and control their kids' access to the Internet, would prove far more effective than the controls outlined in this bill.

Mark read and return to article list