EU 'net neutrality' may stop ISPs from blocking child abuse material
Voluntary blocklists will be, er, blocked themselves
Analysis A single paragraph slipped into yesterday's net neutrality guidelines suggests they don't quite deliver the consumer protections that many people think.
Guidelines published yesterday by the Body of European Regulators of Electronic Communications (BEREC), which stretched to 45 pages [PDF] declared that ISPs would be forbidden from implementing any traffic control at all, seemingly including parental access controls and preventing advertising traffic from spamming connected devices, even when requested by consumers.
Although the guidelines are not legally binding, national regulators will be obliged to draw upon them to inform their decisions upon whether EU laws on “measures concerning open internet access”, as per Regulation 2015/2120, have been breached.
The guidelines would prevent ISPs carrying out practices which would be perfectly legitimate for users to undertake themselves. Many of these services are regularly implemented at the ISP level.
Many modern devices do not allow client-side blocking, including almost everything running on the Android platform. Additionally, mobile operators including Three have supported the drive towards ad-blocking at their own level, with Tom Malleschitz, chief marketing officer of Three UK, stating earlier this year:
The current ad model is broken. It frustrates customers, eats up their data allowance and can jeopardise their privacy. Something needs to change. We can only achieve change by working with all stakeholders in the advertising industry – customers, advertising networks and publishers – to create a new form of advertising that is better for all parties.
The offending paragraph of the BEREC guidelines explains:
78. By way of example, ISPs should not block, slow down, alter, restrict, interfere with, degrade or discriminate advertising when providing an IAS, unless the conditions of the exceptions a), b) or c) are met in a specific case. In contrast to network-internal blocking put in place by the ISP, terminal equipment-based restrictions put in place by the end-user are not targeted by the Regulation.
The exemptions it mentions are found in the original EU regulation:
Those exemptions in full
While Joe McNamee, executive director of the pressure group European Digital Rights, was quick to say that "Europe is now a global standard-setter in the defense of the open, competitive and neutral internet," the prohibition would seemingly also prevent ISPs from implementing the Internet Watch Foundation's blocking initiative, which companies use to to protect their consumers from accidentally accessing to child sexual abuse content.
The IWF told The Register: “Our vital work helping the internet industry to protect their customers from criminal child sexual abuse imagery will not change.”
That, however, may be a matter for the courts to decide.
Speaking to The Register, privacy campaigner Alexander Hanff said the guidelines "use adblocking as an explicit example, but it is an example. The same would be true of parental controls offered by the ISP because they are essentially the same service, they both block specific content at the request of the customer."
"I have made a lot of noise regarding adblocking over the past couple of years and have wide support from privacy/data protection regulators and the European Commission supporting a citizen's right to block advertising," added Hanff. "As a result the adtech industry have been aggressively lobbying to outlaw these practices and this paragraph in the BEREC guidelines is an obvious result of that lobbying."
The intent of the regulation is to protect users' access to the internet without interference from ISPs, but users' voluntary request for their ISPs to provide such a service would not be respected under the guidelines, potentially leaving popular ISP services in breach of the EU regulations.
Ofcom, the national regulator in the UK, declined to speculate on whether existing ISP services would potentially be in breach of the guidelines, merely telling The Register that it would “monitor compliance with the new rules, and look into any complaints received. We will consider any potential breaches as they arise in accordance with our interpretation of the Regulation, and drawing upon the BEREC Guidelines to inform our approach.”
Hanff said, if paragraph 78 stands, "citizens will be forced to manage adblocking on every device independently - in a family household that could be dozens of devices and will only increase in the future as we adopt more and more smart technologies."
"It makes far more sense from a privacy and security perspective to be able to manage all these devices from a single point and an ISP service is a sensible approach because it blocks these risks before they ever reach the customer's home network," added Hanff. ®