ABA Consultation Paper - Restricted Access Systems

This document is also available on the ABA web site at: http://www.aba.gov.au/what/online/restricted.htm.
(Note that paragraph 1 and paragraph 6 to the end of the covering letter are not the same as the version below, which was issued by the ABA on paper.)

[Australian Broadcasting Authority letterhead]

File Ref. 1999/0478

Dear .....

RE: RESTRICTED ACCESS SYSTEMS

Under Schedule 5 of the Broadcasting Services Act 1992, Internet content hosted in Australia is 'potential prohibited content' if it is likely to be classified 'R' by the Classification Board and is not subject to a 'restricted access system'. The Act indicates that a 'restricted access system' is an age verification device that restricts access to people 18 years of age and over.

Under the Act, the Australian Broadcasting Authority (ABA) has the power to declare a specified access control system a 'restricted access system'. A declaration made by the ABA must be tabled in Parliament.

In order to provide commercial certainty for the local Internet industry, the ABA is aiming to have a declaration in force by the commencement of the complaints investigation scheme on 1 January 2000. A declaration will therefore need to be tabled in Parliament before the end of this calendar year.

The ABA intends to commence discussions with Standards Australia to develop specifications/criteria for this purpose. The development of specifications/criteria with Standards Australia could be a lengthy process and is unlikely to meet the timeframe required to ensure that a declaration is in place by 1 January 2000.

As an interim solution the ABA intends to establish and table in Parliament provisional specifications/criteria that an age verification device will need to comply with to satisfy the legislation. The declaration will be reviewed in 12 months.

Accordingly, please find attached a 'Consultation Paper' that contains draft provisional specifications/criteria for your comment. The specifications/criteria have been drafted following consideration of a number of existing age verification systems and alternative identity and age verification processes.

In order to ensure that a declaration is in force when the complaints handling scheme commences, it would be appreciated if you could provide your comments on the 'Consultation Paper' by close of business 9 November 1999.

Comments can be sent to:

Mr Jon Porter
Online Services Content Regulation
Australian Broadcasting Authority
PO Box Q500
Queen Victoria Building NSW 1230

Email at [email protected]

If you have questions or would like more information, please contact Mr Jon Porter by phone on 02 9334 7809 or email at [email protected]

Yours sincerely

Andree Wright
Director
Policy and Content Regulation Branch

26 October 1999

==============

CONSULTATION PAPER

RESTRICTED ACCESS SYSTEMS

1. Introduction

1.1. This document sets out draft-for-comment requirements for a 'restricted access system' pursuant to Schedule 5 of the Broadcasting Services Act 1992.

2. Background

2.1. The co-regulatory scheme established by Schedule 5 of the Broadcasting Services Act 1992 (the Act) for the regulation of Internet content is based on the development of codes of practice by industry and the operation of a complaints hotline by the ABA.

2.2. The co-regulatory scheme establishes a framework in which People who are concerned about particular Internet content can make a complaint to the ABA and have that complaint investigated. The ABA will operate a complaints hotline from 1 January 2000 and will commence investigating complaints from that date.

2.3. Potential prohibited content under the Act is material that is likely to be classified 'RC' (Refused Classification) or 'X' by the Classification Board.

2.4. Content hosted in Australia that is likely to be classified 'R' but is not subject to a 'restricted access system', that is, an age verification device that restricts access to people 18 years of age and over, is also potential prohibited content.

2.5. Under the Act, the ABA has the power to declare that a specified access-control system is a 'restricted access system'.

2.6. For the purposes of the Act, a specified access-control system, in relation to Internet content, means a system under which:

: (a) persons seeking access to the Internet content have been issued with a Personal Identification Number that provides a means of limiting access by other persons to the Internet content; or; (b) persons seeking access to the Internet content have been provided with some other means of limiting access by other persons to the Internet content.

2.7. In making a declaration, the ABA must

have regard to the objective of protecting children from exposure to Internet content that is unsuitable for children and
will be guided by principles laid down in the Act which have the aim of minimising the financial and administrative burdens on the Internet industry and encouraging the supply of Internet carriage services at performance standards that meet community needs.

2.8. A declaration made by the ABA must be tabled in Parliament, in the form of an instrument, and notified in the Commonwealth of Australia Gazette.

3. Functions

3.1. A 'restricted access system' will be required, as a minimum, to perform the following functions:

Number Function Description

1. Registration The system will receive applications for registration, either in hard copy or electronically.

2. Qualification/validation The system will verify identity and age. Upon verification of identity and age, the system will allocate a personal identification number (PIN) or password to the applicant.

3. Access To gain access to Internet content subject to the system, the applicant will need to input in full, on each occasion, the issued PIN or password and date of birth. A registered user should not encounter Internet content that is likely to be classified 'R' until entered PIN or password and date of birth have been verified.

4. Registration

4.1. A person will apply for registration with the system electronically, for example, via a website or email; or in hard copy form, for example, by letter or fax.

4.2. Application forms must specify data items that are mandatory and those that are 'required'.

4.2.1. Mandatory data items for the electronic lodgement of an application are:

name of applicant;
address of applicant;
date of birth of applicant;
email address of applicant;
declaration that personal details are correct; and either
credit card details; or
digital signature.

4.2.2. Mandatory data items for the lodgement of a hard copy application are:

name of applicant;
address of applicant;
date of birth of applicant;
email address of applicant;
declaration that personal details are correct; and either
credit card details; or
evidence of identity and age, for example, certified copy (sighted and signed by a third person) of passport, birth certificate, driver's licence, senior's card or student card.

5. Qualification/validation

5.1. The system will 'qualify' an application for registration if all mandatory information requirements are provided.

5.2. The following rules will be used to invalidate an application:

if date of birth indicates that an applicant is not at least 18 years of age;
if credit card number cannot be verified;
if credit transaction is not approved by relevant credit provider; or
if evidence of identity and age has not been produced.

5.3. Upon valid registration, a PIN or password is to be issued to the registered user. It should be a condition of use that the allocated PIN or password should not be passed on to a third person under the age of 18.

5.4. An allocated PIN or password can be changed if the user and/or system administrator suspects the integrity of the data is compromised. Change of PIN or password will require provision of original registration details including PIN or password that was originally allocated.

6. Access

6.1. A registered user must, on each occasion, input allocated PIN or password together with date of birth to gain access to any website subject to the system.

6.1.1. The system must not allow for automated input of login information, for example, by saving on a cookie file stored on the user's PC the allocated PIN or password and date of birth.

6.2. Access is to be denied if entered PIN or password and date of birth do not match registered record of PIN or password and date of birth.

7. System compliance

7.1. System compliance will be tested if the ABA receives a complaint about Internet content subject to the system.

8. Privacy requirements

8.1. The system is to comply with any relevant privacy standards issued by the Privacy Commissioner.

Number	Function	Description
1.	Registration	The system will receive applications for registration, either in hard copy or electronically.
2.	Qualification/validation	The system will verify identity and age. Upon verification of identity and age, the system will allocate a personal identification number (PIN) or password to the applicant.
3.	Access	To gain access to Internet content subject to the system, the applicant will need to input in full, on each occasion, the issued PIN or password and date of birth. A registered user should not encounter Internet content that is likely to be classified 'R' until entered PIN or password and date of birth have been verified.