Google Australia Level 18, Tower 1 Darling Park 201 Sussex Street Sydney NSW 2000
Tel: 02 9374-4000 Fax: 02 9374-4001 www.google.com.au
completed, the access seeker can subsequently access content within that classification category by entry of that password or other unique identifier.
Schedule 7 (and, to Google’s knowledge, existing internet and mobile content regulation in Australia) does not require age verification to occur each time a user wishes to access a piece of age-limited content. Rather, CSPs have been permitted to implement a ‘one off’ verification process. Google submits that the status quo is appropriate to meet the Government’s policy objective of protecting children from exposure to content that is unsuitable for children, in a manner that offers the greatest flexibility and imposes the least administrative burden on industry. Google submits that the Declaration should be drafted in a manner that enables a CSP to verify age in a manner that is appropriate in the context of the technological realities of that content service.
Clause 6 states that a RAS must not provide access to relevant content unless the person has entered “his or her access key”. As the clause is currently drafted, a CSP would be in breach of clause 6 immediately a person enters an access key which he or she (that is, the person who entered the key, and whether or not the key had been validly issued) was not entitled to use. Google submits that if ACMA chooses to retain a clause similar to the current clause 6, this drafting should be amended to permit the provision of relevant content in response to the entry of an appropriately allocated key, unless the CSP is actually aware that the person entering the key is not the person to whom the access key had been allocated.
The drafting is specific to the use of access keys, rather than accommodating the use of alternative access limitation systems. Of course, the drafting would need to be amended in this regard if ACMA adopts Google’s suggestion of a declaration-based access control system for certain types of services and content.
Detailed implementation requirements
Google notes that the current detailed requirements of the RAS may cause unintended consequences for industry. Consider the following scenario:
A hosting service provider CSP receives a take down notice from ACMA in relation to a piece of content. The CSP implements a RAS which is broadly consistent with the requirements in the Declaration. The RAS successfully operates to prevent a child of 15 from accessing the content in question. However, ACMA later determines that the CSP’s quality assurance plan has not, in ACMA’s opinion, adequately dealt with the proposed audit provisions (see clause 12 (d)–(f)).
In this scenario, the detailed and prescriptive nature of the Declaration may have the unintended consequence for the CSP that despite responding to the take down notice in the time required by Schedule 7, and despite ensuring that the offending content has been made subject to an access control system that is effective in ensuring that persons younger than 18 cannot access the content, the CSP may be in breach of Schedule 7 as the access control system may not properly be considered to be a “Restricted Access System” for the purposes of clause 14 of Schedule 7.