Benutzer:Liberaler Humanist/Die Auswirkungen des Klarnamensgesetzes auf die Wikipedia/English

From Wikipedia, the free encyclopedia
The effects of the clear name law (Klarnamensgesetz) on Wikipedia

Under the Orwellian title "Federal Law on Care and Responsibility on the Net", the Austrian Federal Government announced a law on the "ID card obligation on the Internet". The project was presented on the television news by a person who was irascible but had little technical expertise. In the meantime, the draft law, already passed by the Council of Ministers, has been published. A glance at the draft shows several requirements that Wikipedia can only fulfil with changes to the project principles.

Summary

§ 3 Para. 1 No. 1 defines the scope of application of the Klarnamensgesetz as "service providers of an online information service" who themselves or through users of their site operate a forum - defined in § 2 (3) as "the online function for the exchange of messages or presentations with intellectual content (posting) by users with a larger group of other users" - which is aimed at "users in Austria". § 3 Para. 2 No. 1 restricts this scope to "service providers whose service has more than 100,000 registered users in Austria", "whose turnover in Austria in the previous year exceeds 500,000 Euro" (No. 2) or who receive press subsidies under No. 3. The German-language Wikipedia had 3,167,000 registered users as of today. Because IP addresses are deleted after three months, it is not possible to evaluate the origin of all these accounts. However, a t-test indicates that over 400,000 accounts were registered by Austrians. As further explained in § 3, in case of doubt the broadcasting and telecommunications regulator estimates the number of users. On the basis of the above estimate, the regulator would conclude that Wikipedia falls within the scope of the Klarnamensgesetz. The project, or the service provider, WMF, must therefore consider how it can comply with this law.

Para. 3 No. 1 stipulates that users must create a "registration profile". The term "registration profile" is not defined; in the following it is assumed that a user profile is meant. Paragraph 4 reads as follows: "In the registration profile used for authentication, each user must register as a poster, stating his first name, surname and address. In doing so, the user must specify a user name that appears in the forum as the name of the author of the posting". To prevent the input of false information, an identity verification is foreseen: "The Service Provider shall ensure the verification of the User's identity on the basis of documents, data or information originating from a credible and independent source by means of the design of the registration process". For each new application, therefore, someone must check the consistency and authenticity of a registration form, photo ID or similar document. However: "After the verification has been carried out, the documents and information used for the verification must be deleted immediately". The service provider is thus spared the secure storage of this data, but must prove that it has verified these documents. Write access may only be granted after verification of the personal data. According to Para. 5, "routinely periodically performed verification procedures" - of what remains unclear - are to be carried out; "registration profiles" are to be deleted at the request of the user or after more than one year of inactivity.

§ 4 Para. 1 and Para. 2 reduce existing data protection in comparison with the previous provisions, e.g. § 90 para. 7 Telecommunications Act 2003: "The service provider shall disclose the first name, surname and address of the poster to a third party upon the latter's justified written request. (Z 2)" A justified request within the meaning of para. 1 shall only exist if "the third person can credibly demonstrate, by proving his identity, that the identification of the poster is an indispensable prerequisite for the establishment of the identity of a third person in order to be able to contest this poster by means of a private accusation of defamation (§111 para. 2)". Paragraph 4 provides: "In the case of justified indications that the content of a posting could have produced the objective facts of slander or insult or that the content could otherwise give rise to the concrete suspicion of a criminal offence, the service provider must produce a record of the posting in question which enables complete and faithful reproduction. The service provider shall also make available this more detailed recording by means of a request pursuant to para. 2 or a request pursuant to para. 3. No link may be made between the identity of a poster and the content of a posting with the service provider".

§ 5 prescribes the appointment of a representative to ensure the implementation of and compliance with the Clear Name Act. Para. 4 requires the appointment of a representative who is resident in Germany and can be reached "immediately" pursuant to Para. 2, with reference to the provisions arising from § 9 Para. 4 VstG. This representative carries a high responsibility: § 8 Para. 2 threatens misconduct with an administrative penalty of up to 100,000 €, and § 7 sets penalties for the service provider of up to 500,000 € for the first offence. § 9 establishes a high threshold for the quality of data verification: "No fine shall be imposed on the service provider and the responsible agent shall not be punished if the identification of the poster as a prerequisite for legal proceedings against this poster fails, but the service provider can credibly demonstrate that he has used all means at his disposal to ensure verification of the identity". If a user's identification fails, this constitutes a punishable breach of duty of care which, according to the explanatory notes to the draft, cannot be punished if the "best effort principle" is adhered to. According to § 12, the law is to enter into force on September 1, 2020, and the preparatory work is to be completed by March 31, 2020.

Impact on Wikipedia

In October 2018, the Bar Association criticised the "poor quality of legislation". The draft of the law on clear names is also one of the many bad laws. The attentive reader may have noticed the word "registration profile". What is a "registration profile"? Outside this draft, the term appears a few times in connection with Apple device management software. Is it a "user account", or is the "registration profile" an administrative act? The use of an invented term in a central place is indicative of the quality of the draft and the competence of its authors, and raises the question of whether the feasibility of such puzzling specifications was taken into account at all when it was written. The intention of this law was, as originally claimed, to facilitate the prosecution of crimes on the Net. There is no information available to suggest that such prosecution has failed due to the lack of identifiability of posters. In Austria there has been no conviction to date on the basis of edits in Wikipedia. This is not because no cases were reported. Experience to date has shown that although the police take action in the event of imminent danger, proceedings are discontinued. There are also no known civil law proceedings conducted in Austria over WP edits. Although there has been no case to date in which the clear name law would have had to be applied in Wikipedia in order to comply with it, extensive changes have been made to MediaWiki and the administrative apparatus of Wikipedia.

The clear name law excludes the active participation of anonymous users. This alone is not a problem; a user account obligation would meet with at least partial approval in Wikipedia. The activation of user accounts would stop the activities of the only known Austrian person haunting Wikipedia, provided that this person is bound to Austrian IP addresses.

The main problem is the implementation of a verification process. Checking documents is a workload that cannot be handled with the existing resources of WMAT (Wikimedia Österreich, the local chapter). § 3 (4) explicitly states that the data and documents used for verification shall be deleted after completion of verification. Due to this deletion obligation, it is not possible to obtain and archive an extract from the Central Register of Residents for the respective user at the price of a few euros. It is questionable whether users can release the operator from the obligation to delete and thus allow the operator, despite the threat of punishment under § 7 Para. 1 No. 1, to store documents submitted for verification, such as a registration slip and an affidavit. With this procedure, a legally compliant verification could be achieved at least for the active users known to the municipality by name. It cannot be assumed, for example, that the digital submission of a manipulable copy of an identity document corresponds to the best-effort principle. The recruitment of new authors, in particular from the federal states, is hardly possible if a personal visit to the WMAT office, including possible travel from the federal states, is necessary for verification.

Although it is possible to create a data verification protocol to be signed by several processors, it is doubtful that this meets the requirements of the best-effort principle. Limited resources are no argument for failing to comply with legal requirements. Just as a lack of security measures can make a service provider liable in the event of a data theft, a lack of resources to implement professional user verification is not a reason that would exempt WMAT from complying with the highest standards. The use of an external solution seems to be the only way to comply with this law. The decisive factor here is not only the obligation to check the data accurately, but also § 4 Para. 4, which requires that the naming of user data to third parties be carried out by an external body: "In the case of justified indications that the content of a posting could have produced the objective facts of slander or insult or that the content could otherwise give rise to the concrete suspicion of a criminal offence, the service provider must produce a recording of the posting in question which enables complete and faithful reproduction." It is not possible for the service provider to create a recording of a posting without capturing the content of the posting. However, § 4 (4) continues by stating: "The service provider may not establish a link between the identity of a poster and the content of a posting". According to this, it is not possible for the service provider itself to provide such information to third parties, since the content of the posting and the identity of the user would inevitably both be identifiable. The use of an external, specialized body for user verification is therefore necessary not only for reasons of due diligence: since the service provider may only be able to identify either the content of a poster's postings or the poster's identity, the use of an external solution for identification is unavoidable.

There are numerous providers of identification solutions, but they are not free of charge. According to Epicenter.works, Telekom Austria has promoted the use of the system "Mobile Connect Global ID", and the broadcasting and telecom regulator seems to support this system; according to a report in Der Standard, the draft is tailored to this system. Mobile Connect is actually a login system that is supposed to replace passwords with verification via mobile devices.

The person in the video linked at the beginning turns out, to the horror of knowledgeable circles, to be the Minister for Europe, Art, Culture and Truth Media. His news appearance points to a software solution. The explanatory notes to the draft law also suggest such a solution: "The obligation of the service provider would be fulfilled, for example, if the data necessary for legal prosecution were confirmed by means of 2-factor authentication with a mobile telephone number or if the service provider had ensured that it could obtain the data necessary for legal prosecution in the event of justified enquiries, if necessary in cooperation with the telephone service operator". The use of a service like Mobile Connect minimizes the administrative effort for the service provider, documents the user verification (which is not possible if the data submitted for information has to be deleted), and prevents a data protection problem, since the data does not reach every verifying website operator in the first place. The periodic checking of data correctness is also only possible if, like a provider, you are in regular contact, e.g. through invoices, and false data, e.g. an address, is noticed through returned letters. Apart from the fact that Mobile Connect or the provider creates a list of websites where a person has a user account, and apart from the security-relevant problem of a single physical access point for all accounts of a person, Mobile Connect, supported by the GSM Association, appears to be a practicable solution for user verification which - relevant to the WP - does not allow multiple accounts in a legal way. The apparent costs are stated in the explanatory notes to the draft as €100,000 over 4 years for 50 companies. Proportionally, WMAT would thus incur costs of 500 € per year, which can be financed with the current budget.
However, Mobile Connect is proprietary software, which is not free for the verifying site operator and cannot be installed in MediaWiki for lack of a free license. Should the use of Mobile Connect be the only way to verify user names in accordance with the German law on clear names, the project principle of using free licenses would have to be abandoned. The agreement of the global community to such a step is unlikely. Should there be no solution that is not ruled out for cost or copyright reasons and that can be implemented in accordance with the law, write access for Austrians in its current form could not be maintained.

In addition to this main problem, there are several comparatively harmless side problems. Pursuant to § 3 Para. 2 No. 2, the Klarnamensgesetz applies to service providers whose turnover in Austria exceeds € 500,000. In 2018, WMAT had a turnover of € 433,000. If the 100,000 user threshold could be bypassed, an expansion of activities would only be possible to a limited extent. Due to inflation, administrative tasks would have to be relocated abroad in the medium term; donations from Austria would have to be kept below the threshold in any case; and with, e.g., the university project or the BDA cooperation, it would have to be ensured that no monetary advantage results from them.

According to § 5, WMAT would be obliged to appoint a personally liable representative resident in Germany to ensure compliance with the provisions of the Klarnamensgesetz. Due to this liability, it is not possible to find someone to take over the function of the representative, including liability for an imperfect verification solution. For this reason, solutions other than those proposed by the legislator are not practicable. Without certainty for the representative of not being punished with existentially threatening penalties, such a person cannot be found, which is why considerations of examining documents in person and of drawing up a documentation protocol of our own do not seem feasible.

According to § 3 (5), there is an obligation to check the accuracy of the data within the framework of "routine periodic checks". Since the obligation to provide evidence can only be fulfilled by an external body, this point can be left to such an external provider. § 3 (6) No. 1 requires that a "registration profile" be deleted at the request of a user or upon what is treated as equivalent to it, the "deregistration of the poster from the online information service". The deletion of user accounts is currently not possible. For licensing reasons, it is not permitted to delete a user account and thus the user name required for author identification. No. 3 stipulates that a "registration profile" must be deleted if inactivity lasts longer than one year. A license-compliant solution could also be found for this.

§ 4 creates a security gap. Anyone is permitted to obtain the identity of a user from the service provider on the basis of a stated intention to sue; whether the suit is actually filed is not relevant. This possibility of obtaining user identities will - probably not unintentionally - deter users from contradicting self-promoters and PR agencies or from editing articles that certain "documentary filmmakers" consider their property. It is not clear why third parties are given such access to information about user identities and why it is not reserved for the authorities. Currently, pursuant to § 90 (7) TKG 2003 and § 53 (3a) Sicherheitspolizeigesetz, only courts, public prosecutors' offices or the security authorities are permitted to collect the IP address of a website operator and the data of the subscriber from the provider. Pursuant to Section 74 of the Code of Criminal Procedure, these authorities must comply with the Data Protection Act and the principles of legality and proportionality when processing such data. Proponents of this law claim that the obligation to identify oneself that exists in public space will thus also be implemented on the net. However, that obligation only applies towards the police, not towards any random person who comes along. Imagine certain groups carrying out a private identity check in front of a synagogue, a party's premises or another event for the purpose of recording ideological opponents. Why this should be possible on the Internet cannot be explained meaningfully.

A solution with minimal damage?

For Wikipedia, the law on clear names creates a trilemma between compliance with legal requirements, compliance with project principles and the maintenance of author-friendly conditions. Finding a balance between these requirements is not possible. Maybe it paid off that we didn't follow the hints from the leaked "Project Ballhausplatz", and the ÖVP lets us get away with a broad hint. Wikipedia has over three million user accounts. The scope of the Klarnamensgesetz includes websites with more than 100,000 registered users in Austria. The fact that the IP addresses with which users could be located are deleted is not proof that those users do not originate from Austria. A total of 203,000 users have more than 10 edits. Deleting inactive accounts is not enough to fall below the threshold. If one were to record the origin of newly registered accounts and extrapolate these values to the total duration of the project, the threshold would probably be exceeded. § 3 para. 2 subpara. 1 refers to the total number of user accounts, not the number of active users in the respective year. Inactive users cannot be deducted from the number of users, since they must be deleted after one year of inactivity. It is not possible for Wikipedia to prove that it has fewer than 100,000 registered users from Austria, but all assumptions and known data support this. At least for the first year, Wikipedia would fall under the scope of the Klarnamensgesetz. After this first year, however, all inactive accounts would have to be deleted. What would remain would be a few hundred active accounts from Austria in each year, with which Wikipedia would no longer fall within the scope of application.

Fulfilling the clear name law would involve high expenditure, but would no longer be necessary after one year because of the deletion of inactive accounts. It would be simpler to ensure in advance that in no case more than 100,000 user accounts created by Austrians exist. For this purpose, the location of registered users could be determined for another year. User accounts that log on from countries other than Austria would receive a different flag than those that log on from Austria. Shortly before the deadline there would be three user groups: a first group of users who did not log in from Austria, a second group of users who used Austrian IP addresses or deposited an .at email address, and a third group of users who did not log in during the survey period. The third group must be asked to state its status; user accounts from this group are then assigned to the first two groups. On the deadline, all accounts from the third group which have not yet made a statement of their status are to be deleted. Since the clear name law provides for the deletion of "registration profiles", deposited email addresses, by means of which proof of ownership would be possible after the deadline, must also be deleted. The deletion of user accounts is therefore to be regarded as permanent. What remains is a large number of non-Austrians and a much smaller number of Austrians, probably below the threshold of 100,000. The loss of numerous inactive accounts would be offset by considerable savings simply because the conversion becomes unnecessary, including the creation of a version of MediaWiki that is not under a free license due to the API, for the introduction of which consent would not be certain. Such a measure would meet with resistance, in view of which it does not appear certain that a withdrawal from Austria, including the closure of write access for Austrians, would not be the simpler option.

Many of the problems of the Klarnamensgesetz, e.g. the "registration profile" or the tailoring of the law to a product which does not yet process addresses, can be explained by a legislative process free of expertise. Perhaps expecting consistent laws is asking too much of a government led by a lawbreaker. There are, however, reasons against incompetence as the sole cause of the problem. "Message control" is one of the terms that characterises government activity, which is otherwise often characterised by silence. Even before the 2017 elections, the Austrian People's Party (ÖVP) was not very close to the glossy newspapers, whose reporting on the ÖVP was reminiscent of the homage paid in sectarian pamphlets. The copyright amendment shows that the conservatives sometimes act as the political arm of the media industry. In Austria, too, at least parts of the media landscape are in the special interest of the ÖVP; the costs for government advertisements in mainly tabloid media rose to € 6.5 million in 2018.

The concept of Message Control does not fit with spaces in which citizens can exchange positions and come to a different opinion than the one decreed from above. That the clear name law is primarily directed against virtual spaces for the discourse that underlies democracy becomes clear in § 3 para. 3, which excludes sales and product rating portals from the scope of the law. For a party in which quite a few supporters of the Austro-Fascist corporative state run around, which holds up as its identity-forming ideal a rural, pre-modern society that never existed in reality, and which in very general terms mixes the social and moral ideas of the 19th century with market radicalism, the encyclopedia as a tool of enlightenment probably is indeed "evil". Free knowledge is not compatible with message control. The media policy ideal of this government seems, as in many things, to be the 1930s, in which there was a small number of media that functioned only in one direction. A reduction in the new media would also have the advantage for the government-related media - with a few exceptions, the entire media sector is close to the ÖVP - of a smaller number of alternatives, which would theoretically lead to a higher number of readers and thus to higher rates for advertisements.

We can therefore not expect to receive political support on issues such as Article 13, and we must expect further traps to be laid. The circumvention of these traps may cause discomfort and collateral damage to completely unaffected users from other countries, with many inactive non-Austrians finding their account deleted on their return. Despite these disruptions, and regardless of whether the affected, uninvolved Germans and Swiss could rightly demand that a collision with Austria's problem be avoided, we must not back down. As the enlightening project of the present, we are morally in the right. Our opponents are bad people who do wrong. But if you listen to them for a longer time, as you have already done with Article 13, you can no longer take them seriously enough for the problem they cause to appear serious and insurmountable.