BA Breach and Porn Viewing Age-verification

Laurence Eastham on two disparate topics that collided in his time-line this week and made a connection that goes beyond the mere chronological.

First, the BA data breach. I may be making a big assumption but I tend to assume that BA has top-of-the-range, state-of-the-art protection against data breach. Certainly you would expect them to have the means to protect payment data. (I note that every news item covering the BA breach mentioned that passport information was not accessed; no doubt that was of somewhat minor consolation to those about to embark on a trip abroad with a compromised credit card.) But they have suffered a major data breach through, we are told, ‘a sophisticated attack’; one wonders what sort of attack would qualify as ‘unsophisticated’, bearing in mind the context.

The second topic concerns the age-verification proposals that derive from the Digital Economy Act 2017. There is a crowdfunding appeal at https://www.crowdjustice.com/case/resistav/, which aims to produce the funds to challenge the proposed implementation of this scheme. The age-verification scheme had rather fallen off my radar so, while I think any such court action has a very steep slope to climb, this was a welcome reminder of a piece of legislation which I thought was flawed at both the political level (it is a prime example of ‘something must be done’) and the practical level (we will move on to cries of anguish when it is ‘exclusively revealed’ that teenagers circumvent barriers to access porn – just as they have for decades). Neil Brown’s article on this topic gives an excellent insight into the basic proposals and I found the Open Rights Group briefing on the situation most enlightening.

Whatever one’s views on the rights and wrongs of the initial legislation, and on the reliability and motives of the likely controllers of the age-verification process, it is hard to argue with the view taken by the Open Rights Group that the data that will be shared via the age-verification scheme is super-sensitive. Even if you have never looked at porn in your life (a fact which might be shaming in certain contexts), you have to agree that one’s viewing history in this area above all needs special protection.

What the BA data breach shows is the obvious: if there is valuable information that can be accessed online, it needs to be strongly protected – and even then it might be accessed. The GDPR is a protection but it’s not enough in this context. Given the risks here, those holding age-verification data, and the very wide range of super-sensitive information that will flow from it, will be well advised to make sure that they float small-scale subsidiaries with a relatively small turnover in the UK and will not be intimidated or incentivised by the prospect of huge GDPR fines.

In the ideal world, the government would just give up on a flawed proposal that reflects an evanescent popular will, but its track-record on that isn’t great. At the very least, there needs to be more incentive to ensure protection of this data edges as close to watertight as is possible. Just like BA had.


Published: 2018-09-10T13:30:00
