July 31, 2018 | Mike Morel

Dear MP, Age Verification needs real privacy protections

Porn histories for 20m people? What could possibly go wrong?

Dear Member of Parliament,

It’s summer recess but there’s unfinished business that needs tending.

Your constituent sent you this link because they are worried that Parliament is about to make a very big mistake. Soon, you will be asked to approve “Guidance on Age Verification Arrangements” as a statutory instrument produced by DCMS to implement requirements for pornographic websites to confirm the age of their customers.

The SI is delayed. It may be that DCMS are considering changes to protect privacy. Or perhaps they are not. We need to know, to see if they are proposing anything useful, or just new fig leafs for privacy.

We believe that the privacy dangers posed by Age Verification (AV) have been gravely underestimated. AV technology will process some of the most sensitive personal data imaginable. The BBFC’s draft guidance lacked even the basic privacy protections required for other digital tools like credit card payments and email services. Yet porn companies are notoriously bad at keeping personal data safe. We don’t yet know exactly what changes the DCMS is planning for the final guidance, but our briefing will help you to identify inadequate privacy safeguards when you see them.

Read our full briefing here

The BBFC has no powers to introduce specific privacy arrangements. If the draft guidance is any indication, the BBFC and DCMS hope that the Information Commissioner and fines for data breaches will eliminate threats to privacy. But how will fines address the harm created by the leaking of people’s sexual habits?

Specific and high standards for data privacy are needed, just like card payments and electronic communications have. When privacy risks are high, regulation has to be tighter than general data protection provides.

Data that is leaked cannot be revoked, recalled or adequately compensated for, leading to reputational or career damage and even suicide. If log-in details are acquired by teenagers, personal and sexual information about them may become shared and lead to bullying, outing or worse.

Data breaches are only one aspect of the risks involved. Many problems stem from the fact that users may be permanently ‘logged in’ and tracked across websites. Users may choose to keep a record of websites visited. These records may be exposed if account details are inadvertently shared. New risks of fraud, abuse of accounts and other unwanted social behaviours can also be identified.

Very sensitive data needs very specific protection. If the data gets leaked, the government will be to blame, for failing to make sure high protections are in place.

We need binding privacy protections and requirements, not lax guidelines or recommendations.


1 Send your concerns to Jeremy Wright MP, Secretary of State for Digital, Culture, Media and Sport.

Email: jeremy@jeremywright.org.uk

Telephone: 01926 853650

2 Vote against the BBFC draft guidance until rigorous privacy measures have been legislated.

Read our full briefing here