UPDATED — Privacy & Cyber Security Concerns around Changes to Adult Site Age Verification in the UK

UPDATE 20/10/2019:

The UK Government has finally scrapped the legislation to require all UK based citizens to have some form of age verification to watch adult content in the UK. While I would like to see some form of controls around the viewing of adult material on the Internet, this was not it as it potentially provided a means for the government to track individuals and had great consequences for the privacy of those individuals.

While the scrapped approach was purely unworkable, since people would just resort to VPN’s to bypass the UK restrictions, the UK Government is still looking to bring in age verification in some form. I guess we will have to wait and see what comes of this.


UPDATE 21 June 2019:

The UK Government have delayed the launch of the legislation quoted in the original post by at least 6 months while they comply with a European Union notification. The original post continues below.


I have been debating whether or not to post about this subject but I think there are sufficient privacy concerns related to this to warrant a mention. I also hope that parents will read this post and become more aware of the issues that the UK government are trying to address since self regulation in this area has proven ineffective. Ultimately it is down to parents to police their children’s access to the internet and the sites/content they are looking at.

What is changing?

On 15th July 2019 (see update), the UK government is enacting legislation to force all adult content sites accessible within the UK to verify the age of any visitor from a UK location and only allow access to permitted individuals over the age of 18. This is possible by tracking your IP address to a UK issued value.

The new rules are described in full in the press release by the Department for Digital, Culture, Media & Sport. They explain:

Adult content is currently far too easy for children to access online. The introduction of mandatory age-verification is a world-first, and we’ve taken the time to balance privacy concerns with the need to protect children from inappropriate content. We want the UK to be the safest place in the world to be online, and these new laws will help us achieve this.

The introduction of age-verification to restrict access to commercial pornographic websites to adults is a ground breaking child protection measure. Age-verification will help prevent children from accessing pornographic content online and means the UK is leading the way in internet safety. On entry into force, consumers will be able to identify that an age-verification provider has met rigorous security and data checks if they carry the BBFC’s new green ‘AV’ symbol.

I want to make this point very clear. I fully support age verification on adult sites and protecting children from this type of material, which can range from the innocuous glamour photography to the most depraved and explicit material. There is too much freely available adult material on the surface web today, and it is not that hard to just stumble upon it.

So, what’s going to happen?

Any website distributing adult content as more than 30% of its content, or gaining income from adult content, will be required to verify the age of the visitor via a number of approved means. There are a number of exceptions, e.g. Social Media sites. There will be several ways to obtain a permit’:

  • There will be an online process
  • A process whereby age can be verified in person in shops in the high street.

These will be regulated and approved by the UK government (alarm bells should start ringing).

The online version will require you to upload an image of some form of photo Id (e.g. a Passport, driving licence) and you will then be given a reference to enter into the website. How much these will be checked I don’t know yet, but pretty much guarantee can be spoofed.

The high street method will require similar checks, but the shop owner will probably use more common sense methods to verify the age of the requester.

I see a number of issues with this.

Uploading personally identifiable information to a website is risky at the best of times, and regarding my passport I am very cautious about where I post that information (typically only when I have to as part of overseas travel). The authenticating website will be regulated by the UK government, and they won’t be allowed to retain any of these details longer than is required by law. However, do you really trust them not to retain them and/or disclose them, or their services security not to suffer a data breach? These services will be grade-A targets for hackers due to the amount of personally identifiable information these sites will process and there will be unregulated/fake services set up just to harvest personally identifiable information by cyber criminals, probably in offshore/unregulated locations.

Because this information is personally identifiable, it will also be possible for the government and/or law enforcement to gather the identities of people acquiring these permits and possibly track which sites they visit. What can they do with this info – well, take a guess.

If you are going to acquire your permit in person in a shop, then in all likelihood less personal information will be gathered, but I am not sure yet what information the shop owner will need to record. Also, a reputable/high street retailer will in all likelihood not want to offer this service, so it will be forced to the more seedy areas – just an observation at this point.

If effective this will have the effect of limiting the access to adult material to people above the age of 18. It will also limit the access to predators, which is a good outcome.

How enforceable is this?

This will be enforceable by UK law and any adult website (irrespective of which country it is hosted in) not complying will be restricted, possibly blocked from the UK network and fined. Anyone trying to access these sites without the ‘permit’ will not be allowed access.

However, depending on how effective the implementation of the block is on the website, there will in all likelihood be ways to circumvent it. I expect these hacks will be sold/disclosed on bulletin boards hosted outside of the UK and on the dark web.

Also, by using a VPN you can spoof your location to be somewhere outside of the UK, bypassing the block. This may eventually lead to additional regulations forcing VPN providers to enforce this regulation, similar to those being imposed in Russia to block certain websites via VPN’s. VPN providers typically do not track what websites you visit, but if the UK legislators impose rules, they will have to.

I personally don’t this this will be fully enforceable, especially when VPN’s are used. However, using a VPN may raise additional suspicions as to what you are looking at on the web. The fact that you are connecting to a VPN will be tracked by your ISP, and due to other UK laws this has to be recorded and be available for disclosure to the UK law enforcement agencies. I can pretty much guarantee access via VPN’s and the TOR network are being monitored already by the GCHQ and the NCSA in the UK.

There are already rules about age restrictions on your ISP account in the UK, which you can choose to remove. This rule will not be removable – you will have to have a permit.

Conclusion

I fully support any initiative that restricts adult material to adults, especially since self regulation has proven ineffective. What I call into question are the privacy aspects, the ability to track legitimate access by adults by choice and potential for another attack surface to emerge for cyber criminals to exploit.

There will be unregulated sites tricking people into providing personal info that are hosted outside of the UK in largely unregulated countries. Permits acquired in this way will not work and your information could be sold on the dark web. I also call into question how secure the regulated services will be and whether or not the permits will be gathered via data breaches and sold on the dark web from both the provider and the adult site being accessed. If this happens, your legally obtained permit could give rise to you being investigated by law enforcement.

The regulations can be circumvented by using a VPN, and free VPN’s are very easy to acquire. Free VPN’s are often not the best for privacy anyway, and to obtain a reputable VPN will cost money.

I hope this post has been informative and that parents will look into this in more detail. Ultimately it is down to parents to police their children’s access to the internet and what sites they are looking at.


Headline photo provided by Micah Williams on Unsplash

Comments are closed.

Create a website or blog at WordPress.com

Up ↑

%d bloggers like this: