Politics, privacy and porn: the challenges of age-verification technology

During the UK’s 2015 general election, the Conservatives pledged to protect children online by requiring all sites with pornographic content to verify a visitor’s age, with the threat to block any websites that did not have such systems in place.

This pledge for age verification subsequently formed part of the Digital Economy Act 2017, which was given royal assent just before Theresa May’s snap election in 2017. Section 14(1) in Part 3 of the Digital Economy Act states: “A person contravenes this subsection if the person makes pornographic material available on the internet to persons in the United Kingdom on a commercial basis other than in a way that secures that, at any given time, the material is not normally accessible by persons under the age of 18.”

Websites and age-verification providers who have been awaiting the announcement of when the age-verification requirements will come into effect, now know that their systems will have to be up and running by 15 July 2019. Although the age-verification element of the Digital Economy Act was initially expected to be implemented in April 2018, it was delayed, keeping stakeholders in suspense.

One of the reasons for the delay has been Brexit diverting attention away from the Digital Economy Act. “This work is a world-leading step forward to protect our children from adult content, which is currently far too easy to access online,” says a spokesperson for the Department of Digital, Culture, Media and Sport (DCMS), adding that the government was "taking the time to get the implementation of this policy right and to ensure it is effective."

In the lead-up to the announcement of the implementation date for age verification, digital age-gates were placed on the “ethical” adult film I Want Fourplay, which was made as part of the Channel 4 documentary Mums Make Porn. Using AgeChecked, viewers were required to authenticate their age by proving they were over 18. 

“In order to verify themselves, users can choose from a range of methods, using a mobile app, credit card or driving licence, for example,” says AgeChecked CEO Alastair Graham. “Once the set-up and initial age check is complete, the user will be provided with an age-verified account.”

Although AgeChecked takes steps to ensure data and credentials are anonymised, there remains the danger that a data trail could be created, which could hypothetically be misused. “It has a potential to track people across everything they watch and could end up being an enormous database of people’s personal sexual preferences,” says Jim Killock, director of the Open Rights Group. “If that leaked, it could have devastating consequences for people.”

Under the age-verification section in the Digital Economy Act, an overseeing body will ensure that the requirements are adhered to. On 21 February 2018, the secretary of state designated the British Board of Film Classification (BBFC) as the age-verification regulator, given its experience in enforcing age ratings for other media. As the regulator, the BBFC will be responsible for assessing and determining the age-verification arrangements to comply with the Digital Economy Act.

The Digital Economy Act’s targeted approach makes it clear that age verification is currently intended only for the purpose of accessing pornographic material, with Section 15 providing a comprehensive definition of what it means by pornographic material, including “any other material if it is reasonable to assume from its nature that it was produced solely or principally for the purposes of sexual arousal, and that any classification certificate issued in respect of a video work including it would be an 18 certificate”.

Websites that fail to comply with the legislation could face financial penalties of up to £250,000 or 5% of their global turnover (whichever is higher) and potentially be blocked by UK ISPs. Given the huge number of websites that the BBFC will need to monitor, Section 2 of the organisation’s Guidance on age-verification arrangements states that the focus will be on those sites that are most frequently visited, particularly by children, and those that are reported by stakeholders and the public. 

“There are tens of thousands of pornographic websites and the BBFC will only get around to blocking a fraction of that,” says Killock. “The more it blocks, the harder and more expensive it is for it to maintain those blocks accurately, as websites can change their web addresses frequently.”

It is also unclear how websites that host both pornographic and non-pornographic content are expected to comply with this legislation. “The tricky thing about this legislation – and one of the intensely frustrating things for a number of sex bloggers – is that it is really unclear what the impact on us will actually be,” says sex blogger Girl on the Net. “I publish a lot of writing about feminism, sex education and other related topics, so sticking me in the same category as PornHub seems absurd.”

Andrew Glover, chair of the Internet Service Providers Association, has similar concerns, saying: “It is important to clarify that the primary focus of age verification is targeted at commercial online pornography providers.”

At its core, the Digital Economy Act requires websites to install age-verification barriers to all adult content. However, the legislation and supporting guidance documents by the BBFC do not specify exactly how this verification should be undertaken. 

“It is a challenge to try to find some genuine form of authentication that is also secure in privacy terms, great in security terms and reasonably achievable to the average person who simply wants to do something legal,” says obscenity lawyer Myles Jackman.

What will no longer be acceptable is for websites to rely solely on a disclaimer declaring that a website is inappropriate for children, or for visitors to confirm their age without cross-checking information.  The BBFC said in its guidance document that it will “adapt a principle-based approach when assessing new age-verification arrangements” and that this will focus on age verification at the point of registration or access to pornographic content, and that the proof of age is based on data that cannot reasonably be known by another.

Buying or viewing adult content is not the same as buying other age-restricted products, such as alcohol or cigarettes, because it carries social stigma. There are numerous careers, such as those in education and healthcare, where a person’s name on a customer list for legally accessible adult websites could have significant repercussions. 

“The fundamental flaw in age verification at the moment is that it combines identity with status,” says Serge Acker, CEO of OCL, provider of age-verification system Portes. “Pretty much every method out there requires you to share your identity in order to be able to say to the service that you are over 18.”

“The fundamental flaw in age verification at the moment is that it combines identity with status”

Any form of data processing in relation to such personal material is always fraught with risk, and the consequences that can result in this data being misused are horrendous. There have already been historical examples of such misuse, such as when the Ashley Madison website was hacked and personal data was used to blackmail users. “There is no real technical solution that is going to stop any parties or actors who really want to get it,” says Jackman.

Age-verification providers need to be able to confirm a person’s age in such a way that is transparent, secure and anonymised. As this confirmation needs to happen for every piece of content on the website, there is the risk of an audit trail of a user’s viewing habits being created. The BBFC recognised this and has stated that it does not “require that age-verification arrangements maintain data for the purposes of providing an audit trail”.

However, this highly sensitive information is also useful for companies. It has already been seen how similar information is used with other video-streaming platforms. From YouTube to Netflix, a person’s viewing habits are used to aggregate content in line with what they have watched and liked, all in the name of maintaining their interest and therefore being able to show them more adverts, as well as adverts that align with their interests. What is personal for the user is valuable business information for websites.

Despite the intensely private information involved, the legislation contains no compulsory privacy laws. Instead, there is a non-statutory certification scheme, where websites can be independently vetted by a third party to confirm that their privacy standards are, according to the BBFC’s guidance on age-verification arrangements document, “above and beyond legal obligations, to address data security, data minimisation, and prevention of the misuse of data”.

However, this is only a voluntary scheme and although some sites have already agreed to abide by the certification scheme, there is no compulsion for them to continue doing so. “We have seen this time and time again, such as Facebook and Google declaring what they will not monetise and then they just change their minds,” says Killock. “This is not any different.”

The prevalent method for verifying an individual’s age is using AgeID, where a user registers and verifies an AgeID account using their email address and password, before choosing from a list of third-party providers to verify their age using credit card, passport or driving licence, which confirms either a pass or fail to AgeID. 

“Due to the intentional separation of AgeID and its providers, AgeID can neither see, nor store any of this age-verification data,” says James Clark, director of communications at AgeID. “This has been independently assessed and confirmed by cyber security firm NCC Group.”

A face-to-face alternative is Portes, which involves buying a physical voucher that requires proof of being over 18. This voucher contains an activation code to confirm that a specific device is used by someone over 18.

Now that the timing has been announced, there is still the prospect that these age-verification requirements could expand to cover other age-restricted material online, such as buying cigarettes and alcohol, as well as for social media. On 8 April 2019, UK prime minister Theresa May announced in a video post on Twitter that there would be a legal duty of care to keep users safe on social media.

May’s announcement came in the wake of Facebook CEO Mark Zuckerberg’s comment that social media needs to be regulated. However, it was May’s concluding statement – “It’s time to keep our children safe” – which was the most telling, as it indicated that age restrictions for social media could be on the way.

Although well intentioned, imposing age-restriction gateways to adult-related content carries significant security and privacy challenges that will need to be overcome, lest this highly personal information is obtained by malicious actors.

It is felt by many that the voluntary privacy certification scheme is a step in the right direction, but the fact that it is not statutory means that website owners will be constantly tempted to use this additional information about their visitors.

Depending on the success of this legislation, it could well be expanded to provide greater protection for children in other areas of the internet, including the use of social media and purchase of age-restricted items.

“Government has always had in mind that this age verification for adults was the first step and that there are many more things online that need to be verified because in the real world they are,” says OCL’s Acker.