View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
April 11, 2018updated 12 Apr 2018 12:32pm

Porn Age Verification Rules – Expensive, Ineffective and a Hacker’s Delight

What is the best method of protection for vulnerable website users? Verification takes the lead.

By April Slattery

CORRECTION – This article has been updated to remove an inaccurate characterisation of AgeID’s privacy policy, which can be found here

Malcolm Tucker, the foul-mouthed government Director of Communications in the BBC political sitcom ‘The Thick of It’, helped to popularise the word ‘omnishambles’ – a term for a situation of total disorder.

Looking at the proposed new regulation that will force pornography websites to implement an age verification system or face hefty penalties, which has now been delayed until at least the end of the year, it’s hard not to think of what Tucker would make of it all. Part of the Digital Economy Act 2017 and initially due to become a reality this April, the Department for Digital, Culture, Media and Sport (DCMS) has been forced to postpone as it attempts to iron out a raft of data protection vulnerabilities.

What Will the Impact Be?

When these new rules do eventually come into force they will undoubtedly have an impact on the UK’s online adult entertainment industry. But whilst the protection of children from online pornography is undoubtedly a valid concern, are the new rules going to improve the situation – or will it put the data of adults at risk, whilst failing to stop under-age viewers from accessing pornography?

The Conservatives made age verification for online pornography a key part of its election pledge, vowing to introduce stringent checks to stop children’s exposure to harmful sexualised content online. Plans were subsequently announced in July 2017 by then Minister of State for Digital and Culture, Matt Hancock, to ensure that adult websites which do not put robust age verification systems in place will be blocked so that content users are no longer able to access them.

Whilst everyone agrees that more could be done to protect children and vulnerable groups from harmful content, for many these new rules are simply a draconian step towards new levels of censorship that will never be achieved, without drastically changing the face of the internet. On top of that, it’s unlikely that an age verification system will be anywhere near as effective as the government hopes.

Freedom and Power

Critics point out that these changes will be dangerous to online freedoms in the UK, because for the very first time the government will have the power to block websites without needing a court order – surely a first for a democracy? Industry insiders are even warning that these rules are a step towards a ‘Great Firewall of Britain’, potentially as far reaching as the internet restrictions put in place by the Chinese. It is certainly true that the US and EU states have not gone as far as the UK government wants to.

Content from our partners
Why food manufacturers must pursue greater visibility and agility
How to define an empowered chief data officer
Financial management can be onerous for CFOs, but new tech is helping lighten the load

Furthermore, the government has wiped it’s hands of the technicalities raised by the legislation, preferring instead to leave it up to the Internet Service Providers and the adult entertainment industry itself to implement and control the verification system – partly because they don’t want to be accused of censoring the internet but mainly because they don’t want to foot the bill, or carry the risk of any age verification system being compromised which could lead to huge amounts of sensitive personal data being stolen or exposed.

The simple fact is that any age verification system that requires a user to submit personal details to verify their identity will be of interest to cyber criminals. Combined with the fact that these systems are covering access to pornographic websites and that interest level increases as the opportunities to exploit that data increase. We are not only looking at attacks that could result in identity theft, but also opening the possibility for blackmail and ransom demands.

Storing Personal Data

The Ashley Maddison hack led to at least two suicides and countless resignations and divorces – no wonder the government wants to distance itself from the implications of a potential breach of the age verification system. It’s well within the capabilities of most cyber criminal organisations to extract the data from an age verification system, and the UK government is about to authorise a giant golden egg that many hackers will find irresistible.

The most likely age verification system to be used – AgeID – is owned by MindGeek, who claim to be the world’s largest adult entertainment operator and run sites such as PornHub and Brazzers. There’s the risk that any breach of Age ID will dwarf the Ashley Maddison fiasco. MindGeek believe that between 20 and 25 million Brits will sign up to their system in the first month alone, which represents a huge target for an attacker. MindGeek claim that AgeID ‘has been built from the ground up with data protection, data minimisation and the principles of privacy by design at its core, whilst also complying with the GDPR. This is why we do not store any personal data entered during the age verification process. Due to the encrypted nature of AgeID’s login credentials, such data cannot be exposed in the unlikely event of a hack.’

Safeguarding Sites

There’s also the fact that this system would not only be easy for a user to bypass, it will also fail to protect the very people it’s designed to safeguard.

Adult websites that are not hosted in the UK simply won’t bother to add a verification system – why would they? – whilst those in the UK will be forced to do so at their own expense. So, the legislation will then block access to non-compliant sites, but the cost of doing so falls onto the individual ISPs themselves, not the government.

On top of that users will be able to easily bypass any verification system by using a Virtual Private Network. Simply install a popular VPN service on your computer and, hey presto, the adult website thinks you’re visiting from the US, or Azerbaijan, or Vietnam, and skips the age verification stage. The government itself accepts that this will be a reality, although it apparently thinks that your average punter is more likely to hand over their data than to install a VPN.

What is the Real Problem?

The real killer, though, is that the core group that this legislation is aiming to protect doesn’t access online pornography in the same way as adults do. Young people are far more likely to watch and exchange explicit material through the likes of Tumblr, Twitter, SnapChat, WhatsApp and Dropbox rather than via a XXX website. In fact, several industry representatives have already voiced concerns that both Tumblr and Twitter are massive purveyors of pornographic material yet are rarely mentioned in government debates. When you realise that the government can’t introduce age verification systems onto the very services which young people are using to access pornography, then you see that the whole thing is, at best, poorly thought out.

Although the idea that there should be an age limit for watching pornography is a popular one – according to a YouGov poll last year, eight out of ten people think there should be an age limit for accessing porn over the internet – another recent survey by broadband comparison website Broadband Genie highlights that 55% of web users would not trust their personal details with third party verification websites.

A more effective solution would be to focus on educating young people properly about the internet and adult material, highlighting risks and providing services and outlets for them to raise concerns. But those things are complex and time-consuming and expensive and have to be provided by government. In an attempt to absolve it’s responsibilities, and pass the buck on to the private sector, ministers will be implementing a piece of legislation that will cost ISP’s a lot of money, generate a huge amount of income for a purveyor of pornography, put millions of British adult’s data at risk and fail to tackle the issue of under-age access to pornography.

It is difficult to think of a piece of legislation that will be as expensive and ineffective as this is going to be. Malcolm Tucker might kindly refer to it as an omnishambles.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy Policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications.
THANK YOU