The aims of the Online Safety Bill are entirely laudable. Measures to ensure content moderation and filtering are undoubtedly long overdue. This will necessarily require some framework for age verification. However, in its current scope the existing bill imposes obligations primarily on search engines and social media companies.
MOW has made a submission to Ofcom, who are responsible for the implementation of the bill and designation of these duties, stressing the importance of ensuring that platforms support any number of decentralised verification systems.
Our fear is that, in absence of such provisions, the Online Safety Bill might facilitate the further entrenchment of a handful of already over-mighty platforms. Indeed, giving platforms the opportunity to monoplise age authentication systems, would play directly into their data strategy – to collect as much user information as possible, whilst restricting “down-stream” services from doing the same. Hence, the constant notices to “stay signed in with Google/Apple”.
This issue of platforms bundling functionality into their offerings has been a hot topic for some time.
At the W3C, the largest web standards body, proposals for decentralised digital wallet were rejected without consideration by delegates from Google, Microsoft, and Apple, in favour of the current Payments API, which centralises this functionality in the browser. The designer of the former proposal commented that the browser manufacturers evidently “wanted to execute upon a fairly monolithic design”.
Lawmakers should consider this point carefully. Fortunately, there are a number of decentralised alternatives, which could equally support user authentication. The Credential Handler API (or CHAPI), for instance, has been designed to facilitate exchanges of verifiable credentials between digital wallets and websites, i.e., third-parties can securely issue credentials to the users’ digital wallet, which can then be presented to independent verifiers.
Use cases include payment information, but also different forms of ID or certification – for instance, proof of citizenship, a degree certificate, or age. CHAPI indeed, currently supports TruAge, a privacy-preserving age verification program in the US.
Fundamentally, there is no need to engineer undue dependence on a handful of platforms through the Online Safety Bill, nor would it be right to rely on only companies like Google, Apple, and Meta to enforce the law.
The Online Safety Bill should be a charter for a new, secure digital age, not one for further monopolisation.