Gov Confirms Second Try at UK Internet Age Verification System –

IP Address vector concept

The Government has today confirmed that the new Online Safety Bill will, among many other changes, have another go at introducing a controversial internet age verification system, which will target “all websites” that contain pornographic content. Sites that fail to comply will be blocked by broadband ISPs and mobile operators.

The change would impose a legal duty on such sites to implement “robust checks” to ensure users are aged 18+. If sites fail to act, the independent regulator Ofcom will be able to fine them up to 10% of their annual worldwide turnover or can block them from being accessible in the UK. Bosses of these websites could also be “held criminally liable” if they fail to cooperate with Ofcom.

NOTE: The new duty will not capture user-to-user content or search results presented on a search service (e.g. Google), as the draft OSB already regulates these. Providers of regulated user-to-user services which also carry published (i.e. non user-generated) pornographic content would be subject to both the existing provisions in the OSB and the new proposed duty.

Regular readers will know that this idea was first proposed via the Digital Economy Act 2017 (summary), but at the time it was only focused upon commercial websites and apps that predominantly contained pornographic content and allowed user-generated content. Under that approach, the British Board of Film Classification (BBFC) would have been handed the responsibility for regulating it, seemingly without any judicial oversight to prevent poor censorship decisions.

By comparison, the new standalone provision ministers are adding to the proposed legislation will require providers who publish or place pornographic content on their services to prevent children from accessing that content. This will capture commercial providers of pornography, as well as the sites that allow user-generated content (i.e. not just PornHub, but social media sites like Twitter too etc.).

Any companies which run such a pornography site which is accessible to people in the UK will be subject to the same enforcement measures as other in-scope services.

Digital Minister, Chris Philp, said:

“It is too easy for children to access pornography online. Parents deserve peace of mind that their children are protected online from seeing things no child should see.

We are now strengthening the Online Safety Bill so it applies to all porn sites to ensure we achieve our aim of making the internet a safer place for children.”

Once again, the onus this time around will be on the companies themselves to decide how to comply with their new legal duty. Ofcom may recommend the use of a growing range of age verification technologies available for companies to use that minimise the handling of users’ data, or so we’re told.

The bill does not mandate the use of specific solutions, but “all companies that use or build this technology will be required to adhere to the UK’s strong data protection regulations or face enforcement action from the Information Commissioner’s Office,” said the government. But often enforcement action tends to come after such systems have failed, and by then the damage could be significant (more on that later).

According to today’s announcement, such age verification technologies “do not require a full identity check.” Users may need to verify their age using identity documents, but the measures companies put in place “should not process or store data that is irrelevant to the purpose of checking age.” Solutions that are currently available include checking a user’s age against details that their mobile operator holds, verifying via a credit card check, and other database checks including government held data, such as passport data.

NOTE: MindGeek, which runs major sites like PornHub, YouPorn and RedTube, previously proposed to use a mix of credit card, mobile SMS, passport or driving licence based identification through their own AgeID system to manage the process – this will also be licensed out to other sites (i.e. one-click verification across many sites). But some fear this will give such firms too much power over rivals and smaller sites.

However, the Government has spent years trying and failing to introduce such an AV system due to a variety of complex issues, and it’s not yet clear whether they’ve actually resolved all of those. For example, we’re not yet convinced that the new system will be able to work without forcing people to share their private personal details with unreliable porn peddlers. The infamous “Ashley Madison” hack highlighted just how dangerous such information could be in the wrong hands (multiple cases of blackmail and suicide etc.).

Executive Director of the Open Rights Group, Jim Killock, said:

“There is no indication that this proposal will protect people from tracking and profiling porn viewing. We have to assume the same basic mistakes about privacy and security may be about to be made again.

The proposal could force people to age verify before using Google search or reading Reddit. This appears to be a huge boon to age verification companies, for little practical benefit for child safety, and much harm to people’s privacy.”

All of this comes before we even get into the complicated question over which ISPs would be required to impose blocks against websites that fail to comply (only the biggest players, or the smallest ones too?), as well as what kind of systems they would be required to adopt in order to filter out those websites (a basic DNS filter is one thing, but more complex and expensive filtering would not be so easy).

Never mind the fact that ISP-level blocking of any type is also merely a placebo, the equivalent of leaving a door wide open with the words “do not enter” stuck outside (i.e. it’s very easy to circumvent) – there’s not a lot that can be done about that without removing the content at source (that’s more of a challenge for international law and regulation).

Meanwhile, many have questioned whether such a system is even necessary since all the major ISPs already offer optional network-level filtering systems, which are usually enabled by default. Lest we also forget that there could be impacts in other areas too, such as on sex workers (i.e. pushing them off-line and back onto the streets). Likewise, there’s the question of freedom of expression (i.e. what is porn and what is not, like general nudity and medical content). Ofcom will have to tread carefully.