Microsoft, Google & Co: German states completely lost the plot with porn filters
Operating system filters are supposed to protect minors from porn and hate. Manufacturers consider this to be technically, legally and practically incorrect.
(Image: Daniel AJ Sokolov)
The porn filters adopted by the German federal states in all operating systems create new dangers instead of better protection for minors. Tech companies and associations are complaining about this. They criticize the fact that existing solutions for the safety of children and young people are being watered down. At the same time, they fear incompatibilities with European law. The EU Commission must intervene.
The core of the JMStV reform: end devices such as smartphones, laptops and PCs, which are usually used by under-18s, are to be set to child or youth mode at the touch of a button by parents with filters at operating system level in order to protect children from age-inappropriate content such as porn, violence, hate, hate speech and misinformation on the internet.
"Microsoft has been providing a powerful youth protection solution with Family Safety for many years," a company spokesperson told heise online. "For us, it is crucial that the JMStV supports the development of appropriate solutions in line with the practical needs of parents and children. We have therefore actively participated in the legislative process with statements and discussions and have also pointed out problems with the technical implementation of individual elements. We continue to focus on a constructive dialog – with politicians, as well as with supervisory authorities and the responsible self-regulatory bodies."
"Secure search function" required
In a position paper to the EU in July, the Windows manufacturer pointed out that the requirements would lead to fragmentation within the EU, as they would impose obligations specific to Germany. This contradicts the goal of promoting a harmonized digital market in all member states. Challenges exist in the implementation of the JMStV from a "technical, legal and practical perspective".
Microsoft states that operating systems must always have a youth protection device that complies with the JMStV. Furthermore, "apps" would be comprehensively regulated. In common parlance, this refers to all types of software applications. However, the authors of the JMStV apparently assumed a narrower understanding when they alluded to programs "that serve to directly control a program or the content of telemedia". This could be understood to mean only streaming apps and browsers. In principle, however, even basic functional applications such as PDF readers or Office packages are able to access content from the network. Such an interpretation of the term would "pose major practical problems, particularly in the PC sector".
According to Microsoft, this planned obligation to have a "secure search function" in the browser when protection mode is activated raises numerous questions. As this term is not defined at all, providers of operating systems would bear the risk of deciding "whether a search engine provides a mechanism that would be legally sufficient under this regulation". A blacklist for a wide range of search engines, including metasearches, would be necessary for the German market.
Massive overblocking of downloads
In general, the installation of apps should only be possible via distribution platforms that comply with the JMStV if the youth protection device is activated. According to Microsoft, the authors apparently had mobile operating systems in mind, where the app store is typically the central or even only intended installation path for software. For other device categories – especially PCs –, however, this is "not the rule." Such a store does not even exist for Linux. The same applies to age ratings for software, which are "practically non-existent" in the PC sector for programs that can be freely installed from the Internet or via data carriers.
The user experience in the PC sector therefore always includes the expectation of being able to obtain additional applications freely from the Internet, the US company emphasizes. Windows, for example, is "traditionally designed as an open operating system that supports the installation of software from the Internet via browsers". In addition, large parts of the software landscape in the PC sector are only available as free installations. This applies to the entire range of youth protection-neutral offerings such as image editing programs or system programs as well as child and youth-specific offerings including learning platforms or translation offerings.
In the case of PCs, this regulation therefore effectively leads to an almost complete blocking of the main installation path for software or at least to massive overblocking when the parental control function is activated, criticizes Microsoft. Many applications "that are essential or even system-critical for the daily use of the PC and at the same time completely unproblematic from the point of view of the protection of minors" are affected. This would almost certainly lead to fundamental acceptance problems: Parents would be allowed to remove this block individually or deactivate the youth protection device altogether.
Age interface undermines IT security
Microsoft sees further incompatibilities in connection with the Digital Markets Act (DMA): Among other things, the new EU competition rules are about obtaining software via different channels. In addition, the age classification previously used via IARC would first have to be formally recognized, which would lead to a legal limbo.
Another regulation implicitly obliges operating system providers to maintain an external "age interface", Microsoft points out. It requires "that the age information must be readable in the operating system". Application providers with their own protection solution would be obliged to read this age information and only "play" suitable offers. However, there is no technical standardization for this. Attackers could also use such an interface to specifically identify children's or young people's end devices. From an IT security perspective, this is unacceptable.
Google and FSFE: Amendment not comprehensible
Google refers to a statement to the federal states from 2022. "Apps are age-rated in the stores," writes the Android and ChromeOS manufacturer in the statement. Such applications can already be filtered at operating system level according to preset age levels. The most important content providers have also developed state-approved youth protection programs. "It is incomprehensible why these diverse approaches should be thwarted by a complicated realignment of the state treaty," Google wonders. "This is all the more true as there is a complete lack of justification for the necessity of the legal realignment." Apple did not comment on the state decision when asked by heise online.
"The JMStV amendment's approach of guaranteeing the protection of minors in the media through technical specifications for operating systems is wrong and disproportionate," warns Johannes Näder, Project Manager at the Free Software Foundation Europe (FSFE). "This approach creates uncertainty for the developers and users of numerous free software distributions: Who is considered a provider and is obliged to implement the requirements? Do individuals, small companies and research institutions also have to comply if they develop specialized operating systems for scientific purposes, for routers or other special hardware? Who faces fines for non-compliance?"
Näder also misses at least one requirement that youth protection devices must always be implemented as free software and interfaces as open standards. This is the only way for users to check "that the software in question offers the desired level of security".
EU Commission observes
The JMStV amendment creates technical obstacles by introducing "a different age classification system that contradicts internationally established standards", says Nick Kriegeskotte, Head of Infrastructure & Regulation at Bitkom, in a similar vein. Country-specific technical obligations for all types of operating system providers are also more than questionable. Youth media protection should be technically feasible and legally compliant and rely on market-proven solutions.
According to Kriegeskotte, Bitkom is calling for compliance with European law so that the free movement of goods and the freedom to provide information society services and audiovisual media services are not unlawfully restricted. The threat of infringement proceedings would mean enormous uncertainty for the companies concerned. In principle, the Commission has prepared itself for such a step.
A mandatory youth protection device at operating system level as a "one-size-fits-all" mechanism may appear to offer a "simple" solution at first glance, says Alexandra Koch-Skiba, Head of the Complaints Office of the eco Association of the Internet Industry. The idea behind it is probably to allow underage users "to be left alone with content on a digital device without further supervision or accompaniment". On closer inspection, however, many difficulties become apparent. Koch-Skiba believes it is a good thing that parents first have to consciously activate parental controls and that operating system providers can also fulfill their obligations through existing account and profile-based solutions.
(ds)