What’s the problem with the porn block?
Davey Winder puts the controversial ageverification plans under the microscope.
Privacy is, naturally, top of the list of concerns with the age-verification systems
This summer, the UK was due to become the first country in the world to legally require commercial providers of online pornography to implement “robust” age verification. Pornography sites that fail to check visitors are at least 18 face having their payment services withdrawn or access to their sites blocked in the UK. The checks go far beyond the cursory selection of a date of birth or a self-certifying tickbox; credit card checks, digital ID technology and even over-the-counter ID cards are amongst the solutions being offered.
While the plans have been delayed by a few months – the UK government somehow forgot to run the plans by the EU regulators - the move begs three questions: why do we need this kind of access control? Will it work? And what are the privacy implications? I’ve been talking to the people with the answers.
Safe from harm
The Digital Economy Act 2017 included provisions for commercial sites that provide adult material – pornography to you and me – to verify that all users are over 18. This would be enforced in law and apply to any such sites that are accessed online in the UK. The government’s minister of state for the Department for Digital, Culture, Media and Sport, Margot James, said: “We want the UK to be the safest place in the world to be online, and these new laws will help us achieve this.”
When any user with a UK-based IP address visits a commercially operated site with pornographic content, a static landing page without any adult material must be displayed that requires an age-verification process to be passed before the visitor can continue. There are multiple technologies that can be used to verify a visitor’s age and it will be a matter of choice for each website as to which they opt for. The British Board of Film Classification (BBFC), the same organisation that classifies and censors movies, will ensure these measures are properly implemented.
There will be an age-verification certificate (AVC) process that will allow the various systems to display a green “AV” symbol that indicates a “high standard of data protection”. However, this is not mandatory and it’s unknown how many of the age-verification schemes will apply or, indeed, whether the porn-viewing public will even know to look for it.
Of greater concern, perhaps, are the people behind these new age-verification schemes. One of the early frontrunners is AgeID ( ageid.com), which will include user-selected verification methods from third parties including text message, credit card, passport and driving licence. This has been developed by MindGeek, the parent company of Pornhub, RedTube and YouPorn.
If you don’t trust porn operators, what about your local shopkeeper? AgeChecked and AgePass involve the purchase of a voucher from a local shop, any of the 29,000 PayPoint locations in the UK, where your age will be verified face-to-face with the shopkeeper. Unlike the other systems, this won’t be free; in the case of PortesCard, ( portes.is), it will cost between £4.99 and £8.99 depending on how many devices it can be used with.
Finally, there’s ProveMyAge ( provemyage.com), which nightclub visitors may already be familiar with. This either scans your documents into an app or uses face recognition in conjunction with a proprietary age estimation algorithm. Yes, really. The privacy problem
Privacy is, naturally, top of the list of concerns with the age-verification systems. Uploading documentation such as a passport or driving license to an age-verification service that may well be owned by a porn site operator will alarm many. Equally, popping to a newsagent to buy a “porn pass” will be problematic for those not wishing to alert Mrs Jones from no. 43 to their porn habit while she’s in buying her Daily Mail.
Anonymity, or at least relative anonymity, has driven the success of online porn as much as the desire to consume it. Requiring adults who are not doing anything
illegal (although many would argue it is immoral and harmful) to identify themselves won’t sit easily with many. Criminals, meanwhile, will welcome the creation of porn user honeypots, especially if they can be compromised. And especially as there’s no statutory requirement for providers of age-verification solutions to be audited for compliance with privacy and data security standards. Sure, all solutions will need to comply with the EU General Data Protection Regulation (GDPR), but is that enough? “The UK’s new system purports to only verify age and not identity, but in reality, the strategy is full of holes,” said Paul Bischoff, a privacy advocate at Comparitech.com. “The system depends on private companies to properly handle and secure sensitive identifying data, but companies get breached all the time, and porn sites are not particularly reputable when it comes to cybersecurity.”
Bischoff is also worried that malicious websites will display a fake AV certificate logo and capture personal data that users might feel obliged to enter under the new law. Serge Acker, CEO of OCL, which is the company behind PortesCard, argues that the certification scheme “will help reassure the public and get rid of the worst solutions,” but does think it should be compulsory. He also thinks that, rather than insisting that solutions minimise data collection as much as possible, it should instead “put the emphasis on data avoidance”. Acker is concerned about gaps in the system, specifically “the implementation of the age-verification solution on the sites themselves, which could give rise to some data leaks,” he told PC Pro.
Stuart Lawley, CEO of age-verification vendor AVSecure, agrees. “Some providers are asking people to enter identifiable information, such as email addresses and passwords, and are looking to store these details as part of a digital wallet,” he explained. “These methods would potentially allow companies to harvest users’ data for marketing purposes.” But Acker also points out that the BBFC certification scheme “forbids companies from retaining any unnecessary data and focuses on the purity of the verification process”.
And what about the poachers turned gamekeepers such as AgeID, where the age verification is being operated by the porn companies themselves? Lawley reckons that the companies concerned have proven their system is fit for purpose, offering maximum anonymity to the user while still meeting both the privacy demands of the regulators and the legal requirements imposed by the industry. “The question now is whether companies will choose to leverage these secure methods,” Lawley told PC Pro, and he suggests that some companies are likely to “actively eschew the privacy recommendations set out by the BBFC”.
Acker points out that the AgeID system has been under the microscope since the Digital Economy Act first raised its head, and “we know they have put a lot of effort into making sure that their system is as safe and secure as possible, as they have a lot to lose if it isn’t”. Acker also thinks the only real way to meet the privacy concerns will be to offer age-verification alternatives, including those that are completely independent and anonymous.
The PortesCard “porn pass” might be less of a risk to those worried about having their porn habits trapped in an online database. “The key is that the app and the servers store no data at all,” Acker insisted, “so there’s no data honeypot that can be hacked or divulged.” There’s still the embarrassment of asking for the card in your corner shop to overcome, though.
The alternative to allowing “the market” to provide age-verification solutions is equally thorny: let the government do it. That could create more problems than it solves according to Acker, who points out that the potential for censorship and the weaponisation of data has been proven by the Chinese. That sounds like a bit of a stretch, even to a political cynic such as me. However, it’s easier to side with Acker when he cites the poor record that the UK has in rolling out technology systems, with late delivery, budget overruns and eventual politically motivated abandonment.
The verify.gov identity assurance framework, for example, was delivered four years late and the National Audit Office recently reported that, instead of being on course to meet the projected target of 25 million users by
Far from protecting young people from the harmful effects of pornography, this legislation could perceivably drive them towards it
2020, as of February 2019 it had only reached 3.6 million people. “There’s no single group that can take on this challenge and reach the targeted end result,” Acker said. “It has to be collaborative, under close guidance of the government and the agencies whose responsibility it is to protect our privacy and penalise those who don’t comply.”
Will it even work?
The targeted end result that Acker mentions is to protect children from pornography. When the 15 July launch date was announced, Childnet’s chief executive, Will Gardner, said that “the introduction of this age verification will help in protecting children, making it harder for young people to accidentally come across online pornography, as well as bringing in the same protections that we use offline to protect children from age-restricted goods or services.”
But will the age-verification system really deliver on this promise? The kind of sites that the requirement applies to are not the ones that you would accidentally stumble across while browsing. These are commercial concerns, dealers in online porn; indeed, the Digital Economy Act legislation is quite clear in that it only applies to “commercial providers of online pornography”, not the vast swathes of porn uploaded by individuals. Those kids that the legislation aims to protect from porn, especially the tech-savvy teens, will still be able to access it simply by looking to non-commercial providers such as can be found via Google Images or Twitter, to name but two examples.
The dark web is a more worrying third, where material that commercial providers would not legally be allowed to distribute rears its very disturbing head. Far from protecting young people from the harmful effects of pornography, this legislation could perceivably drive them towards it.
I suspect that VPN usage will be the main means of avoiding age verification. Location-based barriers to content can be removed at the press of a button, as anyone who has ever wanted to watch the rugby on BBC iPlayer while abroad or US Netflix knows all too well. Alistair Kelman, director and CEO at SafeCast, which provides a safe harbour for on-demand TV and video, told me that the porn block “will be laughably easy to get around through the use of a VPN,” adding, “it’s not going to protect children on social networks either as these are excluded despite the fact that Twitter and Reddit are littered with pornographic content.” Then there’s the small matter of those commercial sites that consist of less than one-third pornographic content being exempt from the age restrictions anyway!
As with so many of the issues that are facing internet users, campaigns that focus on education and awareness will serve to confront them more effectively in the long term – something that applies equally to pornography as it does to cyber security. After all, if your children can already watch movies for free and stream music without having to pay monthly subscription fees, then they will have the technological smarts to access porn. “It’s important to remember that these new laws are just the first step in better online regulation,” Acker concluded, “whilst age restrictions won’t be in spaces such as Twitter and Facebook, remedying the issue begins with education and raising greater awareness, and the rest will follow.”