Online porn age-verification checks delayed for six months

Age verification (AV) to view online pornography will be pushed back for a third time because of an administrative error, the Department for Culture, Media and Sport (DCMS) announced today.

The changes, which will require porn sites to implement age-verification technology, were due to go live on 15 July 2019, having already been delayed from April 2018. Today, culture secretary Jeremy Wright told the House of Commons he had discovered on Friday 14 June that an essential notification had not been made to the European Commission (EC) when laying out the guidance to sites.

The error, which undermines the legal basis of AV, will result in a six-month delay in implementing the new rules. According to Wright, since discovering the blunder, the DCMS scrambled to find a way to reduce the impact on the intended timescales, but failure to do so left the department with no option but to offer an apology and say it will investigate the reasons for the error.

“I recognise that people have campaigned passionately for a verification to come into force as soon as possible to ensure children are protected from pornographic material that they should not see,” said Wright. “I apologise to them all for the fact that a mistake has been made, which means these measures will not be brought into force as soon as they, and I, would like.

“Although my statement is an apology for the delay, it is not a change of policy, or a lessening of this government’s determination to bring changes about age verification for online pornography that need to happen.”

Under the age-verification rules, described by the UK government as a world first, porn sites will need to deploy technology to carry out the checks or will face sanctions, such as having payment services withdrawn or being blocked for UK users.

The British Board of Film Classification (BBFC) was tasked with ensuring compliance with the new laws and cyber security firm NCC Group has created a voluntary certification scheme, the Age Verification Certificate (AVC), to assess the data security standards of age verification providers.

The AVC will enable age-verification providers to choose to be independently audited by NCC, and then certified by the BBFC. The BBFC is also expected to publish information on its age-verification website to help companies decide which product to use.

Technical challenges in determining the specific ages of people seeking to access pornography online have been raised during consultation on the Online Harms whitepaper, said Wright. He added that new guidance on the matter has been commissioned and will be published in the autumn.

The government’s response to the consultation around online safety will be released before the end of 2019, and the regulatory framework will be enforced “as soon as possible”, said Wright.

Grilling the minister straight after his statement, Labour MP Cat Smith said the AV delays are “letting children down”, quoting reports that say 70% of eight to 17-year-olds have seen images and videos that are unsuitable for their age in the past year. Smith said the rise in mobile device use strengthens the case for online porn regulation.

She also challenged Wright about the viability of the verification process and whether he was confident that personal data being provided to commercial porn sites would be safe from leaks or hacks.

Smith also questioned whether tech companies are “outsmarting the government” and whether he government plans to catch up, considering that age checks can easily be circumvented through fake profiles and encryption software.

Wright responded by saying it is “perfectly feasible” to reconcile the requirements for data privacy with the need to protect children from material they should not see. He then mentioned the role of the BBFC in ensuring compliance with the new rules as well as the General Data Protection Regulation (GDPR). But he accepted there are challenges around keeping up with technology advances.

“It is important that we understand changes in technology and the additional challenges that these will throw up,” said Wright. “We are working through it now.”

He added that the DCMS is in talks with browser developers about what can be done about encryption, because it can make it “more difficult, if not impossible” for internet service providers (ISPs) to prevent access to sites when necessary.  

“But it is possible for browsers to solve that and we are talking to them now about how that might practically be done,” said Wright.

Responding to the third postponement of the age verification rules, Open Rights Group (ORG) executive director Jim Killock said this is an opportunity for the government to address the “many problems that the ill-thought-out policy poses”.

Age verification providers have warned that they are not ready to comply with the rules, said Killock, while the BBFC’s standard to protect data has been shown to be ineffective.

“The government needs to use this delay to introduce legislation that will ensure that the privacy and security of online users is protected,” he added.

The ORG published a report into the BBFC’s Age Verification Certificate Standard, which slammed the scheme as “pointless, misleading and potentially dangerous”, providing little assurance to the estimated 20 million adults who watch porn in the UK.

The report outlined measures for AV providers to demonstrate that they will keep users’ data safe. According to the ORG, the fact that the scheme is voluntary leaves the BBFC “powerless” to penalise or discipline those who fail to protect consumer data and makes it difficult for consumers to know which providers can be trusted.

To address that, the report’s recommendations include granting the BBFC statutory power to mandate compliance and fine anyone who sign up to the certification scheme then violates the rules later.

The ORG also argues that a comprehensive review of the BBFC standards for handling highly sensitive AV data is needed. The BBFC should also provide better direction to content providers around security, use of pseudonyms and data retention, it said.

The ORG said the current guidance is “vague and imprecise” and often refers to industry standards that are yet to be published, which “critically undermines” the scheme’s transparency and accountability.