harmful-communications-201910/HarmfulCommunications201908.org

Submission to the Committee on Justice and Equality on issues of online harassment, harmful communications and related offences.

• Introduction
• Self-hosting
  • Self-hosting
  • How accessible is self-hosting.
  • Regulation of self-hosted services
• Other considerations
  • Abuse
  • Behaviour
  • Content moderation
  • Investigation support
• Answers to consultation questions
  • Definition of communication in legislation
  • Harassment, stalking & other forms of online abuse
  • Harmful online behaviour and young people

CONSDONE Introduction

My name is Éibhear Ó hAnluain and I have been working in software engineering and IT systems design since 1994. I thank you for the opportunity to submit this contribution to your analysis of issues of online harassment, harmful communications and related offences.

In this submission I am seeking to highlight 3 core concerns:

• The distinction between user behaviours and online services.
• The nature of the online services from the perspective of small operators
• The potential damage legislative measures can have on small operators of online services

However, prior to addressing these topics, I would like to raise some ambiguities that this wider discussion will encounter.

• The first is the meaning of the term self-regulation. If a measure of self-regulation to address these concerns is acceptable, then it would be necessary for public-perception reasons, to be clear on what that means. Self-regulation could mean either where each service operator manages matters of harassment and harmful communications according to their own rules and processes. This is currently how the large service providers we're most familiar with operate. However, self-regulation may also refer to regulation by a non-governmental industry-funded body, following the model of the press council or the advertising standards authority, where rules and processes are agreed among the operators as a set of standards, and where decisions of compliance to these are made by this body. In order to avoid this ambiguity, I will use the term "self-moderation" to refer to the former, and the term "industry-regulation" for the latter.

CONSDONE Self-hosting

CONSDONE Self-hosting

For the purposes of this submission, self-hosting is where an individual or small group has opted to provide their own internet services, making use either of computer capacity provided by an ISP (for example, Blacknight.com, Amazon AWS) or by maintaining the computer technology themselves.

The services that the self-hoster exposes, then, are either developed specifically by the self-hoster or runs software that has been installed by the self-hoster.

The self-hoster also takes responsibility for the quality of the service that they provide, including ensuring that it is kept running and updates are applied appropriately, and so on.

This submission is primarilty concerned about self-hosting as a hobby and self-hosting engaged in by charity, non-governmental or community organisations. However, self-hosting for commercial purposes is a valid use-case, but implications of regulations on self-hosting has more a direct implication on the former use-cases, as the effect of poor regulation on vulnerable people would be more direct, immediate and serious.

CONSTODO Real examples of self-hosting

I host a number of such services:

• Éibhear/Gibiris is my blog site.
• Social Gibiris is a micro-blogging service that is federated with others using the AtomPub technology. Thus, Social Gibiris is federated with many other instances of GNU Social, Mastodon and Pleroma. This network of federated services, operated by individuals, groups and businesses, all connected together as peers, facilitate connections and communication in a way that is very little different to twitter.
• git.gibiris.org is a source-code sharing site that I use to make publicly available some of the software that I develop for myself.
• news.gibiris.org is a news-aggregation that allows me to gather all the news sources of interest to me into one location, which I can then access from wherever I am.
• cloud.gibiris.org is a file-sharing platform that I use with my family when we are collaborating on projects (e.g. school projects, home improvement projects, etc.)
• matrix.gibiris.org is an instant-messaging system which I set up for the purposes of communicating with my family and close friends.

Most of these services are hosted on a computer within my home. 3 of these services provide information to the general public, and the other three are accessible only to those who set up accounts.

2 of those services, git.gibiris.org and Social Gibiris can process or post user-uploaded information.

CONSTODO Why self-host?

There is a myriad of reasons for choosing to host one's own service. Some examples might be:

• Privacy – until recently many services were careless or outright abusive users' privacy
• Tracking – the extent to which organisations, particularly those whose business models are based on advertising, facilitate the tracking of internet users as they conduct their business or personal activities across the internet.
• Autonomy – to be able to configure ones own service is often a powerful experience.
• Community – While some of the global services with household names offer features go small businesses and community groups (like footall clubs or debating societies), often the lock-in and exclusivity involved can make it hard to include everyone who needs to be involved. Hosting your own services allows you to set the rules and codes of conduct.
• Experimentation – just by means of playing with interesting software projects can people often learn about the tools and systems they use, and grow their knowledge of the technologies involved.
• Collaboration – the softwas that implements self-hosted services often some under the terms of a Free or Open Source Software copyright licence, which allows for peope to copy and improve software, and these improvements often find their back to the original project for others to benefit.
• Protection – Governments in countries where civil rights are not regarded as highly as they are in Ireland very often delight in the greater ease involved in surveilling their populations when the record of all that activity is centralised in a single service.

Very often, as with me, the reason to self-host is a combination of more than 1 of these reasons.

CONSDONE How accessible is self-hosting.

In a previous, similar, submission¹[here]] and here.], I provide an outline of the challenges before someone who wants to set up their own services. There are few, and they are small. In summary, the reasons for this are:

• The Internet is mechanism for computers to find each other and then to share information with each other. The mechanism is defined in a set of publicly-available documents describing the relevant protocols.
• Due to the maturity and age of these protocols, software needed to use them is now abundant and trivially easy to get and install and run on a computer. Such software is also very easy to develop for moderately-skilled software engineers.
• Neither the protocols that define, nor the software that implement the internet regard any computer to be superior or inferior to any other computer. For this reason, there is no cost or capacity barrier for someone to cross in order to run an internet service: if you have the software, and the internet connection, then you can expose such a service.

Clear examples from the past of how the accessibility of the internet technologies has benefited the world include the following:

• The Linux operating system kernel began life in 1991 as a college project – Linus Torvalds wanted to write a computer operating system that was accessible to all. Linux-based operating systems now form the basis of a significant proportion of internet connected computing devices globally² (including 73% of smartphones and tablet computers, somewhere between 36% and 66% of internet-facing server computers), and 100% of supercomputers.
• The Apache web server started development when a group of 8 software developers wanted to add functionality to one of the original web server software packages, NCSA httpd. The Apache web server now powers 43.6% of all web sites³[https://w3techs.com/technologies/overview/web_server/all]]. Incidentally, the no. 2 on that web page, with nearly 42% share of websites is nginx. It also started out as a project by an individual who wanted to solve a particular project.].
• The Firefox web browser was initiated by three software developers who wanted to make a light-weight browser based on the Mozilla code-base. At the height of its popularity, Firefox was used in 34% of web-page requests, despite not coming installed by default on any computer or mobile device. However, its real impact is that it was instrumental in breaking the monopoly that Microsoft's Internet Explorer held since the late '90s, resulting in far richer and more secure web.

When we look at the main services that society is currently struggling with, we need to consider the following historical facts:

• Facebook started out as a crude service, developed in Mark Zuckerberg's room in Harvard University, to allow users (men, of course) to rate the women in the university in terms of "hotness".
• Google started out as a search engine called "Backrub". Development initially took place in a garage.
• eBay was originally an auction service tagged onto the personal website of its founder, Pierre Omidyar.
• LinkedIn was initially developed in Reid Hoffman's apartment in 2003.
• Shutterstock, a leading provider of stock images, was founded by a photographer, John Oringer, who developed the service as a means to make available 30,000 of his own photographs.

The ease with which internet technology can be accessed has given rise to the explosion of services that connect people, and people with businesses.

It is critical to note that many of these technologies and services started out with an individual or small group developing an idea and showing it can work prior to receiving the large capital investments that result in their current dominance.

All of the above technologies and services can be considered truly disruptive. In their respective domains, their arrivals resulted in a dramatic improvements in internet technologies and services.

However, There are many alternatives to the systems that we are familiar with, all developed by individuals, or small, enthusiastic teams:

• Twitter isn't the only micro-blogging service: there's also GNU Social, Pleroma, Mastodon.
• An alternative to Facebook is diaspora*
• Nextcloud and Owncloud are examples of alternatives to Dropbox.

In the cases of all these alternatives, users can sign up for accounts on "instances" operated by third-party providers, or users can set up their own instances and operate the services themselves.

Many of these services can federate with others. Federation in this context means that there can be multiple instances of a service, communicating with each other over a defined protocol, sharing updates and posts. For users, federation means that they can interact with other users who aren't necessarily on the same node or instance. For administrators of instances, federation means that they can configure their instances according to their own preferences, rather than having to abide by the rules or technical implementation of someone else.

CONSDONE Regulation of self-hosted services

While it is attractive to create regulations to manage the large, profit-making organisations, it is imperative that such regulations don't harm the desire of those who want to create their own services.

A regulation that apply liability to a service-provider for someone else's behaviour, is a regulation that can be adhered to only by organisations with large amounts of money to hand. For example, if the regulation was to apply liability on me for a posting made by someone else that appears on one of the services that I run (and originally posted somewhere else – these are federated services after all), I would have to shut it down; I am not able to put in place the necessary infrastructure that would mitigate my liability[fn:copyrightDirective:This assumes that my services aren't forced to shut down by the new EU Copyright Directive anyway]. Given that my services are intended to provide a positive benefit to me, my family members and my friends, and that I have no desire to facilitate harmful behaviour on these services, a law forcing me to shut these services down benefits no one.

Similarly, a regulation that demands responses from services on the assumption that the service will be manned at all times, requires individuals who are self-hosting their services to be available at all times (i.e. to be able to respond regardless of whether they are asleep, or overseas on a family holiday, too ill to respond, etc.)

This submission comes from this perspective: that small operators should not be unduly harmed by regulations; the likelihood of this harm coming to pass is greater when such small operators are not even considered during the development of the regulations. If regulations have the effect⁴ of harming such small operators, the result will not just be the loss of these services, but also the loss of opportunity to make the Web richer by means of the imposition of artificial barriers to entry. Such regulations will inhibit the development of ideas that pop into the heads of individuals, who will realise them with nothing more than a computer connected to the internet.

CONSTODO Other considerations

While the main focus of this submission is to highlight the potential risk to self-hosters from regulation that neglect to consider the practice, I would like to take the opportunity to briefly raise some additional concerns

CONSDONE Abuse

To date, all systems that seek to protect others from harmful or other objectionable material (e.g. copyright infringement, terrorism propaganda, etc.) have, to date, been very amenable to abuse. For example, in a recent court filing, Google claimed that 99.97% of infringement notices it received in from a single party in January 2017 were bogus⁵:

A significant portion of the recent increases in DMCA submission volumes for Google Search stem from notices that appear to be duplicative, unnecessary, or mistaken. As we explained at the San Francisco Roundtable, a substantial number of takedown requests submitted to Google are for URLs that have never been in our search index, and therefore could never have appeared in our search results. For example, in January 2017, the most prolific submitter submitted notices that Google honored for 16,457,433 URLs. But on further inspection, 16,450,129 (99.97%) of those URLs were not in our search index in the first place. Nor is this problem limited to one submitter: in total, 99.95% of all URLs processed from our Trusted Copyright Removal Program in January 2017 were not in our index.

That a single entity would submit more than 16 million URLs for delisting in a single month is staggering, and demonstrates a compelling point: there is no downside for a bad-faith actor seeking to take advantage of a system for suppressing information[fn:downside:The law being used in this specific case is the US Digital Millennium Copyright Act. It contains a provision that claims of copyright ownership on the part of the claimant are to be made under penalty of perjury. However, that provision is very weak, and seems not to be a deterrent for a determined agent: https://torrentfreak.com/warner-bros-our-false-dmca-takedowns-are-not-a-crime-131115].

The GDPR's Right to be Forgotten is also subject to abuse. An individual from Europe continues to have stories related to him excluded from Google searches. However appropriate on the face of it, the stories this individual is now getting suppressed relate to his continued abuse of the Right to be Forgotten⁶. That the "right" can be abused in this way is counter to the public interest, as it can now be used like a "Super Injunction".

While the GDPR allows for search engines "… exercising the right of freedom of expression and information", if they are presented with Right to be Forgotten demands, they have to choose between serious sanctions if they don't filter the results when they should have, or no sanctions if they suppress the results when they didn't need to.

In systems that facilitate censorship[fn:censorship:While seeking to achieve a valuable and socially important goal, this legislation, and all others of its nature, facilitates censorship: as a society, we should not be so squeamish about admitting this.], it is important to do more than merely assert that service providers should protect fundamental rights for expression and information. In a regime where sending an e-mail costs nearly nothing, where a service risks serious penalties (up to and including having to shut down) and where a claimant suffers nothing for abusive claims, the regime is guaranteed to be abused.

CONSTODO Behaviour

Much of the focus on legislative efforts to deal with harmful or objectional material on services that permit uploads from users is on what the service providers do about it. Many argue that they are not doing anything, or at least not enough.

CONSTODO Content moderation

CONSTODO Investigation support

CONSTODO Answers to consultation questions

The follows are some answers to the questions posed in the call for submissions.

CONSTODO Definition of communication in legislation

1. There are currently significant gaps in legislation with regard to harassment and newer, more modern forms of communication. Is there a need to expand the definition of ‘communications’ to include online and digital communications tools such as WhatsApp, Facebook, Snapchat, etc. when addressing crimes of bullying or harassment?

   Éibhear comment

   (Address in introduction) It is necessary not to assume that the current services that operate will be the primary services in 5 or 10 years' time.

2. What lessons can be learned from models used in other jurisdictions such as the UK, New Zealand, Australia and other European countries where legislation is now in place to address these issues? How do we establish an appropriate model without compromising free speech?

   Éibhear comment

   (Address in answer to specific questions) UK: duty of care is inappropriate. New Zealand: allowing a committee to decide what is objectionable, thus restricting not only those who want to share objectionable material, but also those who want to report on it.

3. How do we ensure that any legislation that is enacted is flexible enough to keep up with changing and advancing technologies, new apps and other online forums, including the more familiar social media sites?

   Éibhear's comments

   (Core concern) Hmm. This is the meat of the submission.

CONSTODO Harassment, stalking & other forms of online abuse

4. Online harassment can take the form of on-consensual taking and distribution of intimate images or videos, otherwise known as ‘revenge porn’, ‘upskirting’, ‘downblousing’ and other forms of sharing of imagery online without consent. What approaches are taken to addressing these issues in other jurisdictions?

   Éibhear's comment

   No answer for this

5. New offences are proposed to cover these issues in Deputy Brendan Howlin’s Private Members Bill on this subject. Is the creation of new offences necessary, or is existing legislation sufficient? Should other forms of image-sharing issues - such as exposure - also be addressed?

   Éibhear's comment

   No answer for this

6. What kind of oversight and regulation of online service providers is possible/used in other jurisdictions? Currently, online providers are self regulated. Is a proactive, self-regulating approach from online companies to activities such as revenge porn and other forms of harassment preferable to the creation of more laws?

   Éibhear's comment

   Important to know the difference between "self regulated", and pro-active moderation. These service moderation according to their own rules; there is no industry authority like the press council or the advertising standards authority, which are self-regulatory regimes.

7. Is any data provided by online service providers in relation to the reporting or prevalence of activities such as upskirting/revenge porn/cyberbullying and other online behaviour that can be used to develop and draft future legislation?

   Éibhear's comment

   No data. However, services should be encouraged to issue reports on their moderation efforts.

8. To what extent are An Garda Síochána equipped and resourced to deal with the issues arising from harmful online communications such as these?

   Éibhear's comment

   No answer for this

9. Should ‘cyberstalking’ be treated as a separate offence to online harassment? What constitutes stalking-type behaviour online? Is there a need to legislative specifically for this activity?

   Éibhear's comment

   No answer for this

10. Based on the findings of other jurisdictions such as in the UK, An Garda Síochána will require consistent training in order to maintain an appropriate level of knowledge with regard to indictable behaviours. Are resources available for this?

    Éibhear's comment

    No answer for this

11. Fake accounts/troll accounts used to harass or target others with abuse – what measures can be taken in relation to these without effecting freedom of expression?

    Éibhear's comment

    Care needs to be taken to ensure manage/prevent false identification of accounts as 'fake' or 'troll'.

12. Do other jurisdictions have statutory measures to protect victim identities in cases of online harassment being released online posthearings, etc?

    Éibhear's comment

    No answer for this

CONSTODO Harmful online behaviour and young people

13. How do we most appropriately regulate social media platforms to prevent cyberbullying and inappropriate sharing of personal images?

    Éibhear's comment

    take details from earlier submission.

14. For young people who participate in such online behaviour as consensual image sharing, how can it be ensured that they are not inadvertently criminalised when legislation is enacted? What safeguards can be put in place?

    Éibhear's comment

    No answer for this

15. Deputy Brendan Howlin’s Private Members Bill provides that those under 17 should not be fined/imprisoned but put into relevant education or supports. Would these supports be part of the same educational supports offered to all young people/schools or would they be a separate entity? Are current supports being utilised? Are there sufficient resources to provide for such a provision when enacted?

    Éibhear's comment

    No answer for this

---

¹

Available [[http://www.gibiris.org/eo-blog/posts/2019/04/15_harmful-content-consultation.html

²

https://en.wikipedia.org/wiki/Usage_share_of_operating_systems

³

[[https://w3techs.com/technologies/overview/web_server/all

⁴

unintended, one hopes

⁵

https://www.techdirt.com/articles/20170223/06160336772/google-report-9995-percent-dmca-takedown-notices-are-bot-generated-bullshit-buckshot.shtml

⁶

https://www.techdirt.com/articles/20190320/09481541833