Ofcom has today set out DRAFT guidance on how “highly effective” UK internet age verification checks must be implemented to stop children from accessing online porn websites and services as part of the wider Online Safety Act. But concerns remain over user privacy, while broadband ISPs may be asked to block websites that fail to comply.
The new law places a legal duty on such sites to implement “robust checks” to ensure users are aged 18+. If sites fail to act, the independent regulator, Ofcom, will be able to impose financial penalties worth up to 10% of their annual worldwide turnover (max of £18m) and they could implement “business disruption measures” against third-parties, such as by imposing restrictions via internet search engines, payment providers or by requiring ISPs to block the website.
The regulator’s new guidance sets out how all of this will work. In order to do this, such sites must introduce “age assurance” – through age verification, age estimation or a combination of both – which needs to be “highly effective” at correctly determining whether a user is a child or not. Effective access controls should prevent children from encountering pornographic content on that service.
Advertisement
Ofcom expects such age verification methods to be “technically accurate, robust, reliable and fair“, while also being able to take care that “privacy rights are safeguarded” and “adults can still access legal pornography“. The draft includes a non-exhaustive list of methods that they currently consider could be highly effective. These include:
Potential Age Verification Methods
- Open banking. A user can consent to their bank sharing information confirming they are over 18 with the online pornography service. Their full date of birth is not shared.
- Photo identification matching. Users can upload a photo-ID document, such as a driving licence or passport, which is then compared to an image of the user at the point of uploading to verify that they are the same person.
- Facial age estimation. The features of a user’s face are analysed to estimate their age.
- Mobile network operator age checks. All UK mobile providers automatically apply a default content restriction which prevents children from accessing age-restricted websites. Users can remove this restriction by proving to their mobile provider that they are an adult, and this confirmation is then shared with the online pornography service.
- Credit cards checks. In the UK, credit card issuers are obliged to verify that applicants are over 18 before providing them with a credit card. A user can provide their credit card details to the online pornography service, after which a payment processor sends a request to check the card is valid to the issuing bank. Approval by the bank can be taken as evidence that the user is over 18.
- Digital identity wallets. Using a variety of methods, including those listed above users can securely store their age in a digital format, which the user can then share with the online pornography service.
The regulator added that “weaker age-checks won’t be enough“, before highlighting some examples of this. For example, a weaker method could include self-declaration of age, online payment methods which don’t require a person to be 18 [Debit, Solo, or Electron cards] and any general terms / disclaimers or warning messages.
Porn providers are also forbidden from directing or encouraging people to use circumvention measures (e.g. VPN, Proxy Servers, DNS changes etc.), although anybody under 18 who does go actively seeking such content (let’s face it, there will be a lot of active seeking) will have no difficulty finding and using circumvention measures, as has always been the case. The horse on this one bolted a long time ago.
Dame Melanie Dawes, Ofcom’s CEO, said:
“Pornography is too readily accessible to children online, and the new online safety laws are clear that must change.
Our practical guidance sets out a range of methods for highly effective age checks. We’re clear that weaker methods – such as allowing users to self-declare their age – won’t meet this standard.
Regardless of their approach, we expect all services to offer robust protection to children from stumbling across pornography, and also to take care that privacy rights and freedoms for adults to access legal content are safeguarded.”
One of the risks here stems from the fact that people will effectively be forced to share their private personal details with companies connected to unreliable porn peddlers. The infamous “Ashley Madison” data breach in 2015 highlighted just how dangerous such information could be in the wrong hands (multiple cases of blackmail and suicide etc.).
Advertisement
Ofcom thus states that all age assurance methods are subject to the UK’s privacy laws, including those concerning the processing of personal data – as overseen and enforced by the Information Commissioner’s Office (ICO). Porn services must also keep written records explaining how they protect users from a breach of these laws, which includes examples of how they might go about this (e.g. conducting a data protection impact assessment, and providing users with privacy information such as how their personal data will be processed, how long it will be retained, and if it will be shared with anyone else).
However, a new report from the European Policy Information Center (EPICENTER), in conjunction with the free market think tank the Institute of Economic Affairs (IEA), claims that age verification still seriously threatens user privacy. It warns that “mandatory age verification could significantly increase the amount of sensitive data held by third parties and the frequency at which it is collected, exposing users to privacy breaches and abuse.”
The report also says that effective age verification is “practically impossible” due to the many tools that will enable users to circumvent controls. This bypassing of controls could inadvertently direct “traffic towards less regulated and less secure platforms, thereby exacerbating risks”. Giacomo Lev Mannheimer, report author, warns of a tendency by politicians to “promise the impossible without fully understanding the dynamics of what they are trying to regulate and without giving sufficient consideration to the side-effects of the proposed solutions.”
Giacomo Lev Mannheimer said:
“The age verification mandate within the Online Safety Act poses a significant threat to privacy and user freedom by creating a database linking individual identities with adult content consumption. Hopefully, Ofcom’s code of conduct about age verification will take into account these concerns.
Improper regulation of adult content undermines the internet as a hub of unparalleled freedom and innovation. Policymakers must strike a balance by tackling illicit activities while safeguarding user privacy, free expression, and digital innovation.”
All of this comes before we even get into the complicated question of which ISPs would be required to impose blocks against websites that fail to comply (only the biggest players, or the smallest ones?). Not to mention the question over what kind of systems they would be required to adopt in order to filter out those websites (a basic DNS filter or more complex / expensive filtering).
Advertisement
Never mind the fact that ISP-level blocking of any type is merely a placebo, the equivalent of leaving a door wide open with the words “do not enter” stuck outside (i.e. very easy to circumvent) – there’s not a lot that can be done about that without removing the content at source (that would require international law and regulation).
Blocking is one of the additional options that Ofcom can impose via so-called “business disruption measures“, which apply to third parties (e.g. broadband ISPs and mobile operators) that are in a position to take action to disrupt the business of a porn service and thereby “reduce the risk of harm to UK citizens and consumers“.
Types of Business Disruption Measures
a) Service restriction orders require ‘ancillary providers’, such as search engines and payment services which facilitate the provision of the service, to take steps aimed at disrupting the non-compliant service’s business in the UK. For example, search engines may be required to remove a non-compliant provider from its search results.
b) Interim service restriction orders are similar to service orders but are made on a temporary basis. The court must be satisfied that the service is likely to be non-compliant and that the resulting level of risk of harm, and the nature and severity of that harm, are such that it would not be appropriate to wait to establish the failure to comply before applying for the order.
c) Access restriction orders require a service which enables access to a service, such as an internet access service or an app store, to take steps to restrict access to a non-compliant provider, for example, by removing its app from the app store. These orders can be applied for by Ofcom if we consider that a service restriction order or an interim service restriction order has not proved sufficient to prevent significant harm to individuals in the UK from the contravention in question or would be unlikely to do so.
d) Interim access restriction orders are similar to access restriction orders but are made on a temporary basis, if the court is satisfied that the service is likely to be non-compliant and that the resulting level of risk of harm, and the nature and severity of that harm, are such that it would not be appropriate to wait to establish the failure to comply before applying for the order.
Crucially, Ofcom can’t simply impose these, as they must first seek approval from a Court and may consult with the ISPs too before raising such an application (at least with respect to the blocking option). We did ask specifically about the technical options they would expect and whether all ISPs – of any size – would be required to implement such filters, but we didn’t get a clear answer to these queries.
“We will consider on a case-by-case basis what the appropriate action would be to effectively restrict access to the service under consideration and, where possible, we would engage with the third parties who may be the subject of a business disruption measure before making an application to Court for such an order,” said Ofcom’s spokesperson to ISPreview.
Meanwhile, many have questioned whether such a system is even necessary, since all of the major ISPs already offer optional network-level filtering systems that cover porn and these are usually enabled by default. Lest we also forget that there could be impacts in other areas too, such as on sex workers (i.e. pushing them off-line and back onto the streets). Likewise, there’s the question of freedom of expression, not least with respect to the debate over what is porn and what is not (i.e. general nudity, medical content and erotic stories). The puritanical approach being taken by the Government seems to create a few grey areas.
Ofcom expect to publish their final guidance in early 2025, after which the Government will bring these duties into force.
“We will consider on a case-by-case basis what the appropriate action would be to effectively restrict access to the service under consideration and, where possible, we would engage with the third parties who may be the subject of a business disruption measure before making an application to Court for such an order,” said Ofcom’s spokesperson to ISPreview.
In other words we haven’t got a clue……
Perhaps Ofcom might consider keeping under 18s safe from nuclear leaks
https://www.theguardian.com/environment/2023/dec/05/ministers-pressed-by-labour-over-cyber-attack-at-sellafield-by-foreign-groups
I doubt foreign state actors will be bothered with court order, Ofcom assumes that the Sellafield attackers are not “online porn websites” or connected with them.
Outside of Ofcom’s remit, which is probably for the best.
More “what about the children” misdirection at taking away users privacy.
Age restricted content is blocked by default on most ISPs. Mandate that for all then place the responsibility on the parents.
We don’t need this at all, it’s going to end in data breaches with blackmail and extortion for the less tech savy who don’t know what a VPN is.
“We don’t need this at all, it’s going to end in data breaches with blackmail and extortion for the less tech savy who don’t know what a VPN is.”
Can’t wait to see some politicians being exposed 🙂
@Ben the last thing that anyone wants to see is politicians exposing themselves on porn sites
Especially when they’re watching porn on their smart phones in the House Of Commons.
I can understand why they are doing it, but to be honest, is it not up to the parents to police things? I know they can’t police everything, but as been said on here, some ISPs will block stuff and there is software that can be put onto a computer.
I know things are different from when I was a child and this sort of thing is easier to get now, but you can’t protect them from everything, I saw porn mags when I was pretty young and yes I know they are nothing like what can be seen on the net these days.
the only way you are going to stop kids watching stuff you don’t want them to watch is to take away their computers, consoles and phones.
What is needed in this country is decent sex education, one that tell them that what they see in porn is not real life, well for most people anyway.,
And kids are probably most adept at circumventing restrictions anyway.
As you say Big Daddy. I bet most 14 year olds are better at using VPNs than most parents (I say that as a parent who knows how to use a VPN). I hate the false way this will make parents feel safe and ignore the problem when the kids will just waltz round it using simple online guides. Parents need to parent here (and I know that isn’t easy but its the only way). Its just conning ourselves.
It is up to parents, but nowadays increasingly the state wants to take your kids away
Why even give a smartphone to a 10 year old?
While the proliferation of porn is certainly a contributor to the downfall of society and the likes of Tiktok and Onlyfans being at the forefront of it, using some random group like the kids as an excuse to crack down on individual liberty is becoming far too common
State mandated sex education is definitely NOT the answer. Decades ago I was given condoms as a 12 year old. MPs are voting down bills to expose what kids as young as 7 are now being taught. In the US they have literal oral intercourse books in primary school libraries. It is pure evil
This is the real issue. Why be a parent and deal with problems when you can enforce an unworkable policy on people instead and never have to have that awkward conversation with your teenager about le bird and le bees. Whatever you do to stop a kid going on the internet via technical means, they will find a way around it. They will just talk to their mates at school, or ask ChatGPT how to do it. Now what about stuff like built-in VPNs like Apple’s private network or google’s one VPN? these come built in to phones now and you simply have to tap a button to use it so it’s as uncomplicated as it gets. It’s a cat and mouse game the parent will always lose so the better option is to sit the child down and talk to them about the dangers of the interwebs instead of trying desperately to build some walled garden internet around them to keep them safe. Heck my kid was playing Roblox the other day and someone pasted some rather rude stuff in the chat. I had to have a conversation with my son and tell him that if he wanted to continue playing Roblox then I had to turn off the chat.
@SAM Nordic countries teach sex ed, at a much younger age, and have the lowest issues of sexual crimes. The more normal you make education about these things, the less damage can be done. If a child doesn’t understand what a pedophile is asking them to do, why would the question it. But if they know its something sexual, more likely to talk to someone and report it.
Sex ed isn’t just about sex, its also about health too.
Sweden is now the rape capital of the world so not a very good argument
Regardless, the problem is not why kids become criminals, the problem is the evil forces that are trying to sexualize kids
This is a clear job for parents, not the state
The IETF (Internet Engineering Task Force) discussed an option to disclose credentials securely at its meeting last month. The proposed working group (currently called “spice”) would develop a protocol to allow selected information to be disclosed, consistent with data minimisation techniques.
For example, it should be possible to disclose that I am over 18 without providing my actual age or any other details. Such a system would avoid the need to register with multiple sites, which would be particularly helpful in instances like this. The actual data would be stored by a trusted party.
That technology already exists and is offered commercially by several providers e.g Yoti. In terms of age verification all the site gets is a yes or no and no further information. However, the problem is this ‘trusted provider’ does get all of your information including the sites you have agreed to share information with. This is just as bad, IMO, perhaps even worse than having to verify directly with each individual site. It’s a big fat target for hackers.
Here we go again. I never cease to be amazed at the sheltered and naive upbrings these wazzocks must have had. Most people can’t even control their kids access to the WI-Fi, let alone anything else. Easy enough to VPN to a foreign country that has never even heard of OFCOM, let alone complies with it.
Why not the other way around?
Why don’t the government produce a bbc (we all pay the fee) kids browser that restricts access to any and all adult content.
Then make parents (I am one) responsible for ensuring kids only use that browser on the internet.
Adults are then free to look at whatever is not illegal but adult and kids are sheltered from the worst of the net.
Adults letting kids look at adult internet should then be given community service, not fines as that won’t stop the poorest or richest.
The state is not a competent entity, and the bbc is a biased organization that would just take the opportunity to corrupt kids further. The bbc tax needs to go
There are many things you should do without wanting to rely on big daddy Sunak such as blocking Tiktok, Instagram, Onlyfans from their phones. You can even set up alerts to warn you if your child is trying to seek this content. Don’t stop there and prevent kid from accessing other types of harmful content. It is insane the amount of parents still believing that disney+ is safe for kids when they are literally pushing their nefarious agenda on so many of the new shows
All these tools already exist but parents are just not using them. On most home broadband and mobile connections porn and other adult content is blocked by default, so it’s not just parents being lazy or disinterested, they are actively disabling these filters.
@John if a parent doesn’t know that the filter exists, all it takes is for the child to Google “how to disable filters” and they can access the router configuration and disable anything they want.
Better still, the child logs in to the router and sets themselves up as Admin, turns off all the filters, then sets a password lock on the router that the parents can’t even access to switch the filters back on.
@ RightSaidFred
“ Better still, the child logs in to the router and sets themselves up as Admin, turns off all the filters, then sets a password lock on the router that the parents can’t even access to switch the filters back on.”
I’d be so proud if my child did this.
I run a separate routing fw, currently a pfsense vm, so a bit more complex than most households & the password isn’t written under it!!
Lol this is the KGB/FSB wet dream come true. Oh you want to watch a bit of hey hey do ya? Ok let’s just have a picture of your ugly mug first to confirm you’re 18 before we let you watch girls gone wild 23. Don’t worry we won’t tell anyone honest and we’ve got “bank grade” security so there’s absolutely zero chance of us getting hacked and a list of your favourite porn sites leaked. Nope. No chance.
When I was on Sky, plusnet and TalkTalk all the warez sites were banned with a message saying blocked by order of the high court. I then switched to a small bit player ISP and none of these warnings are there the sites just come up. I am hoping these porn blocks are the same thing.
As an employee of one of these ISPs which doesn’t have to block websites or provide parental controls, I hope we manage to stay under the radar, too.
I don’t like the idea of having to share card info, or my ID with services which I’m not paying for. I’d rather go down the VPN route.
Or, you know, parents could do their job.
I’m suspicious of self-selected types who flock to work in these places. Their politics are what guides them, not any altruism for other people in this country.
1984
Perhaps if the female body wasn’t so obscene this would be less of a problem.