Government Sets Tough Age Verification Rules for Internet Porn Ban

The UK Government is understood to have sent final terms to Age Verification Providers for the related BBFC certification scheme, which appears to set strict rules for how such providers must verify a user’s age before allowing them to access a porn site. As before, broadband ISPs must block websites that fail to comply.

Under the new rules “commercial websites” and “apps” that contain pornographic content must introduce an Age Verification system. All of this will be regulated by the British Board of Film Classification (predicted to cost them around £4.4m), which also gains the power to force broadband ISPs and mobile network operators into blocking those that fail to put “tough age [18+] verification measures” in place.

NOTE: The BBFC will also be able to direct ISPs to block access to sites containing “extreme pornography”, regardless of whether AV controls are in place.

However thus far the proposals have been beset by concerns over the potential for weak privacy safeguards (e.g. handing passports and payment details to companies linked with porn peddlers = incredibly dumb), costs, the impact upon sex workers (i.e. pushing them off-line and back onto the streets), freedom of expression and technical limitations (easy to circumvent).

In particular a big question mark has remained over how the Age Verification system will actually work, which is vitally important because the infamous ‘Ashley Madison’ hack has already highlighted just how dangerous such information could be in the wrong hands (multiple cases of blackmail and suicide etc.).

Despite this it looks increasingly likely that the system could go live in May 2019 and a leaked post from the private porn industry site xbiz.net appears to have revealed some further details about how the AV system is set to work. As part of that the Government looks to have set some very strict rules.

Related systems will reportedly be subjected to penetration testing, detailed audits (covering operational procedures over and above GDPR and the 2018 Data Protection Act) and “onerous” reporting obligations with inspection rights attached. In other words AV providers will find it to be a fairly costly system to run, which seems intended to deter weaker solutions and encourage good standards for data handling and privacy.

Key Points of the New AV System

– Must collect only the minimum amount of personal data, enough to verify a user’s age. The user’s identity shall NOT be verified as part of the process. Some systems (e.g. AVSecure) won’t even retain consumer data like IP and email address details.

– No information about the requesting website that the user has visited shall be collected against their activity (i.e. if the database were ever breached then you couldn’t link a user to a specific site / content etc.).

– AV providers must only share the results of an age check with the requesting website.

– No data relating to the physical location of a user shall be collected during the AV process.

– No data collected during the AV process can be used for any other purpose, such as marketing or building digital wallets. AV providers must also avoid marketing such services to users both during and immediately after the process (note: this can still be done but it must be completely separate from the whole AV process).

– Users will get the option to verify their age without being required to set up an account with the AV provider.

– A prominent green coloured AV accreditation “kite mark” symbol will be used to help promote approved systems (no doubt scammers will quickly catch on to the idea of faking this).

The exact details of what data users will need to provide in order to verify their age are still unclear and we’re confused about how this will work if the user’s identity is not also verified. Previously we’ve seen suggestions of driving license and passport data being supplied, but this would surely identify the user too, although it sounds like the AV system simply won’t bother to check if those details are correct.

Similarly it’s unclear how people will be able to get off-line passes from shops, which is another supported method, without a shopkeeper needing to check the user’s identity first (not that many people would be happy about having to ask for such a thing in a public shop). By the sounds of it this approach will be exploitable via fake IDs.

In any case the AV system will most likely involve some degree of geo-blocking (i.e. only showing up for those on a UK based IP address), which means that it should be easy to circumvent since IP addresses make for fairly useless indicators of geographic location (i.e. easy for end-users to spoof via VPN, Proxy Servers and all sorts of other methods).

The catch here is that what the Government seem to be doing is using porn sites as a testbed to develop a system of age verification that could later be applied across a much wider category of sites (e.g. social networks), which by default effectively treats every internet user as if they’re a child (the recent Online Harms White Paper hinted at wider use of AV). Not at all insulting.
