@mdennehy
Created January 9, 2024 23:15
Letter to CnaM about their nonsense proposal for age verification regulations
Consultation on binding rules for video-sharing platforms to keep adults and children safe online
Mark Dennehy <mark.dennehy@gmail.com>
to VSPSregulation
Hello,
I wish to comment on the proposed binding rules that have been put forward by Coimisiún na Meán.
I wish to prefix this by stating that I am a Chartered Software Engineer with 27 years of professional experience. For most of the last decade I have been working as a senior engineer in one of the world's largest software multinationals. My role involves the handling of sensitive personal data which is governed by the various data protection laws in the jurisdictions where the company does business, including the GDPR (where such data is categorised as special category data), various US and Canadian laws (where it is categorised as PII) and other similar frameworks worldwide. I say this so that you understand that the engineering aspects of the technologies involved, the legal aspects, and the ethical aspects are all very familiar ground to me professionally.
My comment is simply this: Do not do this very stupid thing.
You are proposing, even if you do not appreciate that you are doing so, the creation of an unlimited number of partial copies of a database of biometric data including primary identification documents and photographs of every EU citizen including minors, which will be held in the private sector by companies in various jurisdictions worldwide, several of which have legislation which precludes the possibility of compliance with the GDPR on a fundamental level, and these companies will include those who produce pornography on the internet, as well as those who simply prey on people for money.
None of these actors are ethically suitable data controllers for a database of this kind because of the immense potential for damage associated with its abuse.
As every company will require access to this database to verify authentication attempts - this is a fundamental and unavoidable engineering aspect of this proposal - every company will build a local copy of it over time. How the master database gets built has been left unspecified, but even this enormous body of very legally questionable work is irrelevant compared to the local copying of it by every internet video provider currently existing or which may come into being during the lifetime of this project.
This proliferation of local copies in and of itself would guarantee through a geometrically increased attack surface that the contents of this database would be unsecurable, both in theory and in practice. Further, the economic lifecycle of these companies means that each and every one of those local copies could at any time lose its data controller and all security measures should the relevant company collapse. The potential for the firesale of local copies should be obvious in these circumstances, and this is not even accounting for the very real scenario of bad actors registering a video sharing system purely for the purpose of accessing this database, copying it and selling copies of it to third parties.
And the argument that those in this database will all be adults, even if it had merit - which it does not as the GDPR does not cease to protect EU citizens once they reach the age of majority - would be ignoring the minor point that teenagers have a highly predictable pattern of attempting to access pornography while still legally minors. Such an access attempt in your proposal would result in said minors submitting photographs of themselves - of minors - to companies in an infamously ethically gray industry built in very large part on the exploitation of vulnerable people, including said minors. You would in effect be building a database of leads for grooming for a future industry of Epsteins. Using taxpayers' money, no less.
The fact that the proposal does not include any considerations to how this proposal would be enforced - either the detection of noncompliance or the punishment of the same - indicates a deeply concerning lack of foresight. Which court should have jurisdiction over a video provider accessed from France by a German minor looking at content which was hosted on a content delivery network distributed between the US, Canada, Switzerland, Israel, South Africa, New Zealand and Taiwan, with payment going to accounts in Bermuda via the Isle of Man, controlled by a board of directors who reside in different jurisdictions around the world while working and meeting entirely remotely? What police force will enforce that court's orders on those orders' subjects? How will custodial sentences be possible when those sentenced may simply work remotely from jurisdictions with no extradition arrangements with the jurisdiction in which the court operates?
For a purely hypothetical example, if we implemented your proposed system in all its detail today; how would we imprison Prince Andrew, Donald Trump or Kim Jong Un for viewing child rape videos on liveleak tomorrow?
We have seen a large number of stupid proposals in legal areas governed by the GDPR in recent years by various departments of the Irish government, who seem to regard the creation and unplanned usage of illegal and very dangerous databases as a form of national sport. In each and every one of those cases, when challenged in court these proposals were thrown out with vigor either in Irish courts or higher EU courts or both. The outcomes in the less damaging cases have been wasted time, wasted money and squandered reputations -- in more damaging cases, murder convictions have been imperiled and lives damaged. This proposal is of such an astounding extent both in breadth and in the sensitivity of the data involved as to dwarf these prior examples. The outcome, should it be adopted, simply beggars the imagination.
As I said: do not do this very stupid thing.
--
Mark Dennehy, BA, BAI, MIEI, CEng