The UK Government has sent final terms to Age Verification Providers for the related BBFC certification scheme, which sets strict rules for how such providers must verify a user’s age before allowing them to access a porn site. As before, broadband ISPs must block websites that fail to comply. The system will begin in July 2019.
Under the new rules “commercial websites” and “apps” that contain pornographic content must introduce an Age Verification system. All of this will be regulated by the British Board of Film Classification (predicted to cost them around £4.4m), which also gains the power to force broadband ISPs and mobile network operators into blocking those that fail to put “tough age [18+] verification measures” in place. Hefty fines could also be imposed.
However, thus far the proposals have been beset by concerns over the potential for weak privacy safeguards (e.g. handing passports and payment details to companies linked with porn peddlers = incredibly dumb), costs, the impact upon sex workers (i.e. pushing them off-line and back onto the streets), freedom of expression and technical limitations (easy to circumvent).
In particular, a big question mark has remained over how the Age Verification system will actually work, which is vitally important because the infamous ‘Ashley Madison’ hack has already highlighted just how dangerous such information could be in the wrong hands (multiple cases of blackmail and suicide etc.).
Despite this, the Government has today confirmed that the new system will go live on 15th July 2019, and a leaked post from the private porn industry site xbiz.net appears to have revealed some further details about how the AV system is set to work. As part of that the Government looks to have set some very strict rules.
Related systems will also be subjected to penetration testing, detailed audits (covering operational procedures over and above GDPR and the 2018 Data Protection Act) and “onerous” reporting obligations with inspection rights attached (aka – Age-Verification Certificates). In other words, AV providers will find it to be a fairly costly system to run, which seems intended to deter weaker solutions and encourage good standards for data handling and privacy.
Key Points of the New AV System
– AV providers must collect only the minimum amount of personal data, enough to verify a user’s age. The user’s identity shall NOT be verified as part of the process. Some systems (e.g. AVSecure) won’t even retain consumer data like IP and email address details.
– No information about the requesting website that the user has visited shall be collected against their activity (i.e. if the database were ever breached then you couldn’t link a user to a specific site / content etc.).
– AV providers must only share the results of an age check with the requesting website.
– No data relating to the physical location of a user shall be collected during the AV process.
– No data collected during the AV process can be used for any other purpose, such as marketing or building digital wallets. AV providers must also avoid marketing such services to users both during and immediately after the process (note: this can still be done but it must be completely separate from the whole AV process).
– Users will get the option to verify their age without being required to set up an account with the AV provider.
– A prominent green coloured AV accreditation “kite mark” symbol will be used to help promote approved systems (no doubt scammers will quickly catch on to the idea of faking this).
The exact details of what data users will need to provide in order to verify their age are still unclear and we’re confused about how this will work if the user’s identity is not also verified. Previously we’ve seen suggestions of driving license and passport data being supplied, but this would surely identify the user too, although it sounds like the AV system simply won’t bother to check if those details are correct.
Similarly, it’s unclear how people will be able to get off-line passes from shops, which is another supported method, without a shopkeeper needing to check the user’s identity first (not that many people would be happy about having to ask for such a thing in a public shop). By the sounds of it this approach will be exploitable via fake IDs.
In any case the AV system will most likely involve some degree of geo-blocking (i.e. only showing up for those on a UK based IP address), which means that it should be easy to circumvent since IP addresses make for fairly useless indicators of geographic location (i.e. easy for end-users to spoof via VPN, Proxy Servers and all sorts of other methods).
Margot James, UK Minister for Digital, said:
“Adult content is currently far too easy for children to access online. The introduction of mandatory age-verification is a world-first, and we’ve taken the time to balance privacy concerns with the need to protect children from inappropriate content. We want the UK to be the safest place in the world to be online, and these new laws will help us achieve this.”
The catch here is that what the Government seem to be doing is using porn sites as a testbed to develop a system of age verification that could later be applied across a much wider category of sites (e.g. social networks), which by default effectively treats every internet user as if they’re a child (the recent Online Harms White Paper hinted at wider use of AV). Not at all insulting.
UPDATE 12:47pm
The Government has just sent out an official press release to confirm the mid-July launch of this system. Apparently further details will shortly be made available via the BBFC’s related website – https://www.ageverificationregulator.com.
Jim Killock, Executive Director of Open Rights Group, said:
“The government needs to compel companies to enforce privacy standards. The idea that they are ‘optional’ is dangerous and irresponsible.
Having some age verification that is good and other systems that are bad is unfair and a scammer’s paradise – of the government’s own making.
Data leaks could be disastrous. And they will be the government’s own fault.
The government needs to shape up and legislate for privacy before their own policy results in people being outed, careers destroyed or suicides being provoked.”
Andrew Glover, Chair of the UK ISPA, said:
“ISPA supports the Government’s commitment to protecting child internet safety, and our members have long been at the forefront of online safety.
The new age verification measures are targeted at online pornography providers and are intended to prevent children from stumbling onto sites that contain commercial pornographic material. ISPs have an enforcement role in this policy to block websites that do not comply with these regulations and it is important to clarify that ISP blocking will only be used as a last resort. Our members are expecting high levels of compliance from online pornography providers, and it is the role of the regulator, the BBFC, to ensure that these sites remain committed to age verification.
Age verification represents a significant change to online content regulation. It is therefore important that this new policy is introduced sensibly and proportionately and that the public’s expectations are managed effectively. Our members will work collaboratively with the BBFC, providing constructive input to ensure that any challenges are swiftly addressed and the implementation of the regime is as effective as possible.”