The government is acting negligently on privacy and porn AV

We asked the BBFC to tell government that the legislation is not fit for purpose, and that they should halt the scheme until privacy regulation is in place. We pointed out that card payments and email services are both subject to stronger privacy protections than Age Verification.

The government’s case for non-action is that the Information Commissioner and data protection fines for data breaches are enough to deal with the risk. This is wrong: firstly because fines cannot address the harm created by the leaking of people’s sexual habits. Secondly, it is wrong because data breaches are only one aspect of the risks involved.

We outlined over twenty risks from Age Verification technologies. We pointed out that Age Verification contains a set of overlapping problems. You can read our list below. We may have missed some: if so, do let us know.

The government has to act. It has legislated this requirement without properly evaluating the privacy impacts. If and when it goes wrong, the blame will lie squarely at the government’s door.

The consultation fails to properly distinguish between the different functions and stages of an age verification system. The risks associated with each are separate but interact. Regulation needs to address all elements of these systems. For instance:

  1. Choosing a method of age verification, whereby a user determines how they wish to prove their age.

  2. The method of age verification, where documents may be examined and stored.

  3. The tool’s approach to returning users, which may involve either:

    1. attaching the user’s age verification status to a user account or log-in credentials; or

    2. providing a means for the user to re-attest their age on future occasions.

  4. The re-use of any age verified account, log-in or method over time, and across services and sites.

The focus of attention has been on the method of pornography-related age verification, but this is only one element of privacy risk we can identify when considering the system as a whole. Many of the risks stem from the fact that users may be permanently ‘logged in’ to websites, for instance. New risks of fraud, abuse of accounts and other unwanted social behaviours can also be identified. These risks apply to 20-25 million adults, as well as to teenagers attempting to bypass the restrictions. There is a great deal that could potentially go wrong.

Business models, user behaviours and potential criminal threats need to be taken into consideration. Risks therefore include:

Identity risks

  1. Collecting identity documents in a way that could allow them to be correlated with the pornographic content viewed by a user represents a serious potential risk to personal and potentially highly sensitive data.

Risks from logging of porn viewing

  1. A log-in from an age-verified user may persist on a user’s device or web browser, creating a history of views associated with an IP address, location or device, thus easily linked to a person, even if stored ‘pseudonymously’.

  2. An age verified log-in system may track users across websites and be able to correlate tastes and interests of a user visiting sites from many different providers.

  3. Data from logged-in web visits may be used to profile the sexual preferences of users for advertising. Tool providers may encourage users to opt in to such a service with the promise of incentives such as discounted or free content.

  4. The current business model for large porn operations is heavily focused on monetising users through advertising, exacerbating the risks of re-use, recirculation and re-identification of web visit data.

  5. Any data that is leaked cannot be revoked, recalled or adequately compensated for, leading to reputational, career and even suicide risks.

Everyday privacy risks for adults

  1. The risk of pornographic web accounts and associated histories being accessed by partners, parents, teenagers and other third parties will increase.

  2. Companies will trade off security for ease-of-use, so may be reluctant to enforce strong passwords, two-factor authentication and other measures which make it harder for credentials to leak or be shared.

  3. Everyday privacy tools used by millions of UK residents such as ‘private browsing’ modes may become more difficult to use due to the need to retain log-in cookies, increasing the data footprint of people’s sexual habits.

  4. Some users will turn to alternative methods of accessing sites, such as using VPNs. These tools have their own privacy risks, especially when hosted outside of the EU, or when provided for free.

Risks to teenagers’ privacy

  1. If age-verified log-in details are acquired by teenagers, personal and sexual information about them, such as particular videos viewed, may be shared, including among their peers. This could lead to bullying, outing or worse.

  2. Child abusers can use access to age verified accounts as leverage to create and exploit a relationship with a teenager (‘grooming’).

  3. Other methods of obtaining pornography would be incentivised, and these may carry new and separate privacy risks. For instance, the BitTorrent network exposes the IP addresses of users publicly. These addresses can then be captured by services like GoldenEye, whose business model depends on issuing legal threats to those found downloading copyrighted material. This could lead to the pornographic content downloaded by young adults or teenagers being exposed to parents or carers. While copyright infringement is bad, removing teenagers’ sexual privacy is worse. Other risks include viruses and scams.

Trust in age verification tools and potential scams

  1. Users may be obliged to sign up to services they do not trust or are unfamiliar with in order to access specific websites.

  2. Pornographic website users are often impulsive, with lower risk thresholds than for other transactions. The sensitivity of any transactions involved gives them a lower propensity to report fraud. Pornography users are therefore particularly vulnerable targets for scammers.

  3. The use of credit cards for age verification in other markets creates an opportunity for fraudulent sites to engage in credit card theft.

  4. Use of credit cards for pornography-related age verification risks teaching people that this is normal and reasonable, opening up new opportunities for fraud, and going against years of education asking people not to hand card details to unknown vendors.

  5. There is no simple means to verify which particular age verification systems are trustworthy, and which may be scams.

Market related privacy risks

  1. The rush to market means that the tools that emerge may be of variable quality and take unnecessary shortcuts.

  2. A single pornography-related age verification system may come to dominate the market and become the de-facto provider, leaving users no real choice but to accept whatever terms that provider offers.

  3. One age verification product which is expected to lead the market — AgeID — is owned by MindGeek, the dominant pornography company online. Allowing pornographic sites to own and operate age verification tools leads to a conflict of interest between the privacy interests of the user, and the data-mining and market interests of the company.

  4. The online pornography industry as a whole, including MindGeek, has a poor record of privacy and security, littered with data breaches. Without stringent regulation prohibiting the storage of data which might allow users’ identity and browsing to be correlated, there is no reason to assume that data generated as a result of age verification tools will be exempt from this pattern of poor security.