Age Verification Dangers

November 21, 2017

The more I learn about age verification, the worse an idea
it seems to be. I’ve written before about the logistical problems
with the policy, especially in light
of the proposed enforcement deadline of 27 April 2018. We still don’t know how
it will be enforced, who the regulator will be, or what will be considered
compliant; and there are lengthy Parliamentary processes to be completed before
we can find out.

Meanwhile the Department
for Digital, Culture, Media and Sport, and the
British Board of Film Classification
(who are tipped to be the new regulator) are refusing to engage. I
recently organised a roundtable of security experts, privacy campaigners, site
owners and age verification providers to share knowledge and discuss the
issues, and both DCMS and BBFC declined to attend. The DCMS are also refusing
to answer my questions via email.

In the absence of help from on high, those likely to be
affected by the new legislation are left picking over s 3 of the Digital Economy Act 2017,
speculating and guessing. Reading the section on age verification, one thing is
clear: it completely fails to protect the privacy of internet users.

This is a law making it compulsory for any adult site
worldwide to verify the age of all UK users to ensure they are over 18. This
process will potentially link people’s ID to a list of every porn site they
visit. Age verification creates an exquisitely sensitive intersection of our
most private data.

You’d think that the law would acknowledge the risk of data
breaches or hacks, and provide some safeguards to ensure that anonymity and
privacy are protected. But s 3 doesn’t mention the word ‘privacy’ once. This
neglect paves the way for the sexual preferences of millions of UK citizens to
be leaked onto the internet.

The age verification marketplace

What technologies are available for age verification? It’s
the question every porn site owner wants answered, so we can start researching
the options. But annoyingly, very few products have launched yet. We won’t truly know what’s on the table until
the new regulator has not only been appointed but also published guidance about
what will be considered compliant. Until then, most age verification providers
are holding back until they can ensure their products comply with the guidance.

That makes it tricky to assess the security of age
verification solutions. In fact it will be almost impossible for many site
owners to make the required changes by April if the compliance guidelines
aren’t available until January. Most porn sites are run by one or two people
and don’t have a separate IT department; many of them rely on the same IT
freelancers to manage the technical side of things. There isn’t enough time for
site owners to assess the available options and make informed decisions.

Still, there are some product names floating around,
although you’ve had to be sitting in the right meetings to hear them. Most
systems offer a user journey that looks something like this:

  1. I visit a porn site, and I’m asked how I want to verify my
    age.
  2. I select the age verification method which I prefer –
    perhaps one I’ve used before.
  3. The porn site sends me off to interact with $AgeChecker.
  4. The first time I use $AgeChecker, it asks me to provide some
    details they can use to verify my age – perhaps a credit card, phone number,
    Facebook account or photo ID.
  5. Once $AgeChecker has verified that I am over 18, it gives me
    an ‘over 18’ token.
  6. $AgeChecker sends a ‘yes, over 18’ back to the porn website.
  7. I’m age verified and able to look at porn.
  8. Each subsequent time I use $AgeChecker, I don’t need to
    re-submit my ID, I just show them my token.

Step 4 is the tricky part. There are a number of different solutions
being developed. Here are some
of the methods currently on the table:

  • Yoti – install an app on your phone, take a selfie, and
    upload it to Yoti along with your photo ID. They do face recognition and
    confirm that the selfie is you.
  • Veridu – provide access to your entire Facebook account
    history, they do a machine learning analysis of it and guess whether you’re
    over 18 based on things like how old your friends are, whether you go to 36th
    or 16th birthday parties, and other criteria.
  • VeriMe – your mobile phone provider knows you’re over 18 if
    you’ve submitted ID to turn off the default adult content filter. You give
    VeriMe your mobile number and they ask your phone provider whether you’re over
    18 or not.
  • Experian – the credit check database knows whether you are
    over 18 or not.
  • Credit cards – your bank knows whether you are over 18 or
    not.
  • AVSecure – you take your ID to a shop and get the shop assistant
    to give you an ‘over18’ token which you can then use online.

The privacy and security implications of these various
methods have been ably covered by Alec Muffett in his piece from a year ago.
It’s well worth a read, but the chief takeaways are:

  • It’s a really bad idea to habituate the British populace to
    bad security patterns, such as giving random websites permission to see your
    social media details, phone number and credit card details.
  • Age verification will lead to ripe pickings for identity
    fraudsters to collect credit card details on fake websites.
  • This sort of data exchange is disproportionate to the task
    at hand, and won’t stop under-18s from looking at porn anyway: ‘You cannot
    solve social problems with software’ (Ranum’s Law).

What most of the available technologies have done
is create a system that stops the porn site itself from seeing the user’s ID.
When you hear them talking about how much they respect privacy, that’s
usually what they mean. They do this by making a third party – the age
verification provider – the intermediary of the transaction.

Age verification providers will see what porn websites we
visit (because they’ll see the site’s request for our age verification status)
and they’ll also see our personal ID. If any of this data is retained, the
potential for accidental leaks or data breaches, or malicious misuse of the
data for advertising or profiteering, is enormous.

Under the Digital Economy Act 2017, the new age verification
regulator will have power to regulate commercial porn websites – but not age
verification providers. The Government have created a market for age
verification technology which is completely unregulated. With no privacy
safeguards enshrined in the law, the Government is expecting the market to
magically protect user privacy. But that’s not how the market works.

Free markets tend to throw up monopolies: the more money you have, the easier it is to
make money. Search engines have Google, social media has Facebook, and porn has MindGeek.

This company goes out of its way not to advertise itself,
but they reportedly own approximately 90% of the free adult ‘tube’ sites on the
internet such as PornHub, YouPorn and RedTube. They’ve bought porn brands such
as Brazzers and Digital Playground, and thereby established a near monopoly on both production and distribution. Now, age
verification will allow them to also become the gatekeepers of porn.

Regulatory capture

‘MindGeek’s dominance should serve as a cautionary tale of
the dangers of consolidating production and distribution in a single
monopolistic owner.’
(Slate)

MindGeek aren’t based in the UK – their head office is
officially located in Luxembourg, although a lot of management decisions seem
to be made in their Montreal office. This is, perhaps, one of the reasons that
the Digital Economy Act 2017 is so careful to include all websites accessible
within the UK, not just those based here. Tube sites make some of their money
by allowing users to upload pirated content made by producers like myself, and
then monetising it via advertising; the resulting content is free to the end-user.
MindGeek is the biggest porn company in the world, and the means by which a lot
of under-18s access porn. They’ll be
under the microscope, and aren’t going
to have a choice but to comply with age verification.

Instead of just complying, they’ve taken it one step further
and have developed their own solution: AgeID.

AgeID won’t handle age verification itself; it
will operate as an aggregator of other age verification solutions. From what
I’ve heard, it’ll probably work like this.
You’ll visit a site like PornHub, and you’ll be asked something like: do
you want to verify your age via your credit card, social media profile, credit
record, photo ID or phone number? You’ll pick one, be bounced to a relevant age
verification provider, show them your ID, and then be bounced back to MindGeek
with a ‘Yes’ or ‘No’. If yes, you’ll create an AgeID login consisting of a
password and an email address. After that, any time you want to access a
MindGeek website, you’ll be able to use the same login without needing to
re-verify. And here’s the clever bit: they’ll be making the same system
available – at a fee – to any other porn site who wants it.

It’s easy to see the advantages of this sort of federated
solution. Most people prefer a streamlined browsing experience. Users might
find they prefer to browse websites where they can use their AgeID login,
without having to re-verify every time. MindGeek are banking on the fact that
most users who look at porn paysites also look at porn tube sites, and they’re
offering a cost effective, frictionless user experience across the adult web.

They’re also intending to compete on cost. They haven’t
launched their pricing yet, but the latest I’ve heard is that they’re offering
a sliding scale monthly licensing fee to porn site owners based on how many UK
visitors they have. It sounds like they’re hoping to undercut most other age
verification providers. For many small site owners, this discount could be a
deal-breaker; the only way they can afford age checks and stay online.

The end result? The Government has written MindGeek a blank
cheque. Once age verification is in effect, smaller sites like mine will
effectively have to pay a ‘MindGeek tax’ to our biggest competitor, who has
established market dominance by pirating our content. If MindGeek had made the
rules, this would be called extortion. Since the State has created this
situation, however, there’s a better name for it: regulatory capture.

Can MindGeek be trusted to keep porn use private?

The biggest porn company in the world, which collects huge
amounts of browsing data to feed into its advertising algorithms, has top-notch
web security, right? You’d be forgiven for thinking that MindGeek would be both
motivated and capable of keeping the private porn preferences of its users
private and safe. But their record gives cause for concern.

PornHub recently suffered a year-long malvertising attack.
In 2012 a YouPorn data breach revealed
the email addresses, usernames and passwords of a million porn viewers. The
same year hackers romped through Digital Playground,
leaking 73,000 user details and numbers,
expiry dates and security codes for 40,000 credit cards. Chat logs and login
details for 800,000 Brazzers subscribers were leaked in 2016.
MindGeek has suffered breach after breach after breach.

AgeID will give MindGeek access to a unique new seam of profitable
data: information about what porn sites AgeID users log into across the Web.
MindGeek won’t see your ID, but they will know your email address and password;
data that they have repeatedly compromised in the past. AgeID therefore creates
the very real risk of a database of the sexual preferences and porn browsing
history of 25 million people, linked to their identifying credentials, being
leaked or hacked.

High stakes

Sexual information is private for a reason. Many people have
secrets to keep, and the consequences of privacy breach can be catastrophic.
The data breach of extramarital affair dating site Ashley Madison
is a sobering
example. The site failed to keep user data secure, resulting in a breach that
led to scandal for politicians and CEOs, blackmail, identity fraud, and two
suicides.

Currently the UK Parliament and US Congress are both
staggering after multiple revelations of sexual misconduct amongst their
members. The investigation into First Secretary of State Damian Green has also
revealed allegations that extreme pornography was found on a
parliamentary computer in his office.
It doesn’t take much imagination to see how tempting a target an international
porn database would be for hackers, if there was a chance that the porn habits
and emails of politicians might be on it.

It’s not only public figures who stand to suffer in the
event of a large-scale porn data breach. The most marginalised members of
society also have a lot to fear. The kind of sex we like to have, and fantasise
about having, can have extraordinarily high stakes for those experiencing
homophobia and transphobia. LGBTQ people who are not out to their families
stand to lose their homes and their relationships; in the case of young or
vulnerable people, this poses a very real risk to their survival. Being outed is
also dangerous for members of the BDSM community – there are no laws protecting
the rights of people into BDSM from discrimination, and in this country your
private sexual practices can get you fired.

Speaking recently at ORGcon, Jim Killock, Executive
Director of the Open Rights Group, said that ‘in the age of the Internet
digital rights are human rights’. Jobs, homes and lives; the stakes of personal
privacy are high.

Security protocols

The most confidential data is data that isn’t retained
anywhere. But there’s nothing in the text of the Digital Economy Act 2017 to
prevent age verification providers from retaining the identifying details we
use to verify our age, or storing records of the websites we visit. We are
simply being asked to take it on faith that they won’t.

An example of an insufficient security system is one with both
bad protocols, and bad faith. In the case of age verification, an insecure system
would be one where data was collected, and we were therefore forced to trust
providers to keep it secure; but the providers weren’t trustworthy.

Trust is necessary but not sufficient to create a secure
system. Perhaps we might trust this age verification provider or that one; but
for a truly secure age verification system, providers should be meeting
security goals because of legal or logistical requirements – in other words,
for reasons that are baked into the protocols. If the database doesn’t exist,
it can’t be abused.

Age verification providers, including MindGeek, might say
they aren’t collecting data, and that they don’t intend to; but as long as they
could, we are forced to take this on trust. If they can’t collect it because
the law or the protocols prevent them from doing so, we don’t have to trust
them. This is best practice.

There are a number of ways to build protocols that achieve
this. Here are just a few:

  • Blinding: replace durable, transparent names (of eg users or
    websites) with short-lived, opaque identifiers.
  • Minimum data: the transaction does not require any more data
    to be transferred than is absolutely necessary.
  • Separation of authority: avoid aggregation; each authority
    only sees the minimum amount of data.
  • Least privilege: grant exactly the amount of privilege
    (permission to do something) required for the transaction, and no more. Every
    privilege granted opens more surface for attack.
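
One way to realise the blinding and separation of authority items above, and the ‘over 18’ token from the user journey earlier, is a blind signature. This is an added example, not code from this article or from any named provider: it uses textbook RSA with a constructed toy key, and every function and class name in it is hypothetical.

```python
# Added example: blinded 'over 18' tokens using textbook RSA blind signatures.
import hashlib
import math
import secrets

# --- Provider key (constructed demo values, NOT secure parameters) ---
P, Q = 2**127 - 1, 2**89 - 1          # two known Mersenne primes
N, E = P * Q, 65537                   # public key, published to sites
D = pow(E, -1, (P - 1) * (Q - 1))     # private key, held by the provider only


def digest(token: bytes) -> int:
    """Map a token to an integer modulo N (hash reduced to fit the toy key)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def user_blind(token: bytes):
    """User side: hide the token behind a random factor r before sending."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return (digest(token) * pow(r, E, N)) % N, r


def provider_sign(blinded: int) -> int:
    """Provider side: called only after the age check (out of scope here).
    The provider sees `blinded`, never the token or the destination site."""
    return pow(blinded, D, N)


def user_unblind(blind_sig: int, r: int) -> int:
    """User side: strip r to obtain an ordinary signature on the token."""
    return (blind_sig * pow(r, -1, N)) % N


class Site:
    """Relying site: verifies offline with the public key, accepts each token once."""

    def __init__(self):
        self.spent = set()

    def admit(self, token: bytes, sig: int) -> bool:
        if token in self.spent or pow(sig, E, N) != digest(token):
            return False
        self.spent.add(token)          # single use keeps the identifier short-lived
        return True


def demo():
    token = secrets.token_bytes(16)    # opaque, random, carries no identity
    blinded, r = user_blind(token)
    sig = user_unblind(provider_sign(blinded), r)
    site = Site()
    return {
        "provider_saw_token_digest": blinded == digest(token),
        "first_use": site.admit(token, sig),
        "replay": site.admit(token, sig),
        "forged": site.admit(secrets.token_bytes(16), sig),
    }


if __name__ == "__main__":
    print(demo())
```

The provider cannot match the value it signed to the token later shown to a site, and the site checks the signature without contacting the provider, so neither party holds a record linking an identity to a visit.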

From what I’ve been told, MindGeek’s AgeID system fails to
employ any of these basic security protocols. User data is not blinded; AgeID
can connect an age verification transaction to an email address and password.
Website data does not seem to be blinded either; MindGeek could, if they wanted,
access or retain the list of websites that a given user has accessed via AgeID,
and we merely have to take it on trust when they say they won’t. As a content
provider and an AV provider, MindGeek does not have separation of authority;
the same company will own your PornHub, Digital Playground and Brazzers account
details, which might well contain your credit card details and other
information, and your AgeID account. We can only trust that this data won’t be
aggregated, even though they have a clear profit motive to store data about
what porn people look at.

Data protection

The deadline for age verification enforcement to begin
coincides with the introduction of the GDPR. Age verification technologies
will need to be GDPR compliant. GDPR gives the individual the right:

  • to be informed about what data is collected and how it is
    used,
  • to access their personal data that has been retained,
  • to rectify inaccurate or incomplete data,
  • to allow data erasure under certain circumstances,
  • to object to the use of data especially for direct marketing
    purposes,
  • not to be subject to a decision when it is based on
    automated processing or profiling.

Data protection provides a certain baseline privacy
standard.

However, Facebook is a good example of how easily an online
company can persuade users to consent to use of their data. All an organisation
like MindGeek needs to do is create enticing user experiences; perhaps asking
something like, ‘Do you want us to provide you with personalised porn
recommendations?’ and they can process users’ browsing data while complying
with GDPR. As the Open Rights Group explains,
‘[d]ata protection law is simply not designed
to govern situations where the user is forced to agree to the use of highly
intrusive tools against themselves.’

PAS 1296

A ‘PAS’ is a Publicly Available Specification, and PAS 1296
is the privacy standard for age verification which the Digital Policy
Alliance have been working on for well over a year. Ironically, it’s not currently
publicly available; it was meant to be published in spring 2017, but we’re
still waiting. This makes it hard to assess its suitability.

However, the draft that was published in October last year
was pretty weak on privacy. The Open Rights Group’s verdict
was that it ‘says little about security requirements,
data protection standards, or anything else we
are concerned about,’ describing it as ‘very generic’ and lacking ‘meaningful
enforcement’.

I’m told by members of the Digital Policy Alliance that the
new draft of the PAS 1296 is considerably more robust, and has taken feedback
(including the Open Rights Group’s) into account. I’m looking forward to being
able to read it and see for myself. But however strong a stance PAS 1296 takes
on privacy, ultimately it is a voluntary specification. The age verification
regulator has no authority to regulate age verification providers,
only to regulate online
commercial pornography providers. Without mandatory privacy protections, there
will be little incentive for age verification providers to comply with the
recommendations of the PAS.

Privacy safeguards

So far, most of the available age verification technologies
offer few assurances regarding privacy and security. AVSecure seems like the
most promising from a privacy perspective, and I’m in communication with its
creators and looking forward to finding out more about it. There might be other
anonymity-respecting solutions on the horizon; for instance Privacy Pass,
an open source browser extension that offers anonymous authentication via
blockchain, seems to have promise as a component for age verification,
although that’s work that
has yet to be done. But even if some age verification providers excel on
privacy, we shouldn’t have to take it on faith that they’ll do so; and with
MindGeek threatening to establish a monopoly on the age verification of
everyone who looks at tube sites, the situation for adult publishers is bleak.

We need age verification to be based on technologies (such
as blockchain) where data is blinded by default; and we need legislation
requiring age verification providers to uphold privacy standards that protect
the anonymity of web users. This could be based on the PAS, but in a form that
is legally enforceable. Likewise, we need a mandatory web security standard
which age verification software must comply with. This will only happen if the
government has some jurisdiction to regulate age verification providers: and
that will require a change in the law.

Pandora Blake is a feminist pornographer, sex worker and
sexual freedom campaigner. This article is an edited version of a blog post published
on http://pandorablake.com/blog