Tell the Government to protect porn privacy
The BBFC have released their public consultation calling for views on their regulations for age verification technology for use on porn sites. Respond to the consultation today to tell them to consider privacy!
Last Monday, the BBFC released a public consultation calling for people’s views on the guidance they plan to issue to age verification providers.
Under the Digital Economy Act, websites will soon have to ensure that all UK users are above the age of 18 before allowing them to view pornographic content. As the age verification regulator, it is the BBFC’s job to dictate how these age verification systems should work.
We have written in the past about the dangers of age verification - highlighting the Government’s lack of focus on the potential privacy concerns. That was back in 2016, and this consultation paper proves that not much has changed since then. The Government have proved their lack of interest in user privacy by giving the BBFC an especially narrow role that allows them only to issue guidance on how tools should work practically, and does not allow them to outline any requirements for tools to meet certain privacy standards.
Somebody needs to consider privacy
The consultation document highlights something that we have been worried about for a while - that a large regulatory gap would be left in the age verification landscape, with no group being assigned to the mammoth task of ensuring that age verification systems take user privacy seriously. The BBFC are given the job of only assessing the suitability of tools for verifying user age, and the closest that the Government’s system gets to addressing privacy is by noting that the BBFC should notify the Information Commissioner's Office (ICO) when it suspects an age verification tool is not complying with data protection laws.
Merely requiring that tools comply with the relevant data protection laws does not set a particularly high bar for user privacy. This still leaves a lot of scope for users’ data to be used in ways they may not expect. Users may be incentivised to “consent” to advanced data collection and usage within long Terms of Service or Privacy Policy documents that they cannot reasonably be expected to read.
To make things worse - the ICO aren’t even taking a proactive approach to assessing AV tools themselves. They will only take an interest when the tools are referred to them as a concern by the BBFC - who have confirmed in the past that they have neither the interest, nor the expertise, to deal with data protection issues.
The Government had the chance to make privacy a core focus of the Digital Economy Act during the drafting phase but instead decided to take the dangerous and irresponsible decision of leaving the market to decide on how the tools should work. This was a bad choice, but one that could be corrected. Privacy should be brought to the forefront of concerns about how AV tools must be structured, and an oversight body should be given the task of reviewing these tools continually for compliance with good privacy practices. This could be the BBFC, but it could just as easily be another body with experience in the area.
Towards a new data protection standard?
When considering how to protect the data of people who use age verification tools, the Government should consider how immensely sensitive data becomes when it links a person’s identity to their sexual preferences and activity. This is a move that would see hacks and leaks having a disproportionate impact on the LGBT community, and on people with niche sexual interests. In the wake of the Ashley Madison data breach, the impact of the leaked data led to multiple people being driven to suicide.
Certain classes of data, such as financial data, require stronger protection than is even offered by data protection law. Cardholder data must be held to the rigorous guidelines for security specified in the Payment Card Industry Data Security Standard. This is a legally enforceable measure, and anyone who breaks it gets shut down.
When considering the severity of past data breaches, such as the Ashley Madison leak, it is easy to see that age verification data is at least as sensitive as financial data, if not more.
Similarly, email and electronic communications must meet higher legal privacy standards than general data protection because they are particularly sensitive.
Does the Government really believe that detailed information about someone’s sexuality is less worthy of protection than card details and emails? The DEAct suggests that this is the position they've adopted.
At ORG, we would call for the Government to amend the law as it stands to ensure that a rigorous, legally enforceable data protection, privacy and security standard is implemented - ensuring that this kind of data is held under strict rules that reduce the impact of possible future data breaches.
If you agree, and want to make sure that user privacy is prioritised - then write to the BBFC and let them know that strong privacy is a must for age verification.