The UK’s porn block is going to be a privacy disaster
With just a month to go until the UK’s controversial porn block comes into effect, reports are surfacing which raise serious security and privacy questions. Are we heading for a data protection disaster?
What is the UK porn block?
From the 15th of July 2019, anyone in the UK who wants to view adult entertainment on the internet will have to confirm their age. Only those aged 18 and over will have access to online porn. The new law falls under the Digital Economy Act (section 25), and it is designed to keep kids safer online. That all sounds fine, except the execution is all over the place.
From next month, it will no longer be enough to simply click a box confirming you are over 18 years of age. Internet users will have to provide details - most likely a username and password - for an approved age verification system. If these details cannot be provided, then instructions on how to sign up for them will be displayed. Adult sites that don’t apply these rules, whether they are based in the UK or not, can be fined and blocked. The British Board of Film Classification (BBFC) is in charge of the scheme.
So how is it potentially dangerous?
The scheme has come in for pretty heavy criticism for the way it handles data protection. The BBFC has an Age-verification Certificate Standard in place, but many feel it offers little reassurance for those who will be, let’s face it, offering up the most sensitive and private data possible once they are logged into a porn site. Who would you trust with that data?
The Open Rights Group has called the UK porn block ‘pointless, misleading and potentially dangerous’. Jim Killock, Executive Director at the Open Rights Group, said: “On July 15, millions of Internet users in the UK will have to make a decision about which age verification providers they trust with data about their personal pornography habits and preferences.” Killock is concerned that the BBFC’s standard offers little information on data protection and no means to punish age verification services which fail to protect user privacy.
The increased risk of cybercrime is another issue that has been raised. UK citizens who have their viewing habits compromised could be more vulnerable to fraud or blackmail. If you’ve seen the Shut Up and Dance episode of Black Mirror from 2016, this idea will strike a particularly disturbing tone.
You only have to look at what happened in the weeks and months after the Ashley Madison hack to see how seriously this kind of sensitive data can affect people’s lives. When more than 33 million accounts were stolen from the online dating portal marketed to people who are married or in relationships, exposed users were taking their own lives.
There must be a workaround, surely?
In fact, there are several workarounds. The age verification requirement covers all commercial adult entertainment websites (social media sites are not covered by the ban) but only internet users based in or browsing from the UK are required to verify their age. That means that a simple VPN service will be enough to beat it.
In my experience, different services respond differently to VPNs in the UK. I can, for example, easily watch 4OD content from Germany, but the publicly funded BBC iPlayer is much more temperamental. So that’s method one: use a VPN to browse from a different region where the block is not in place.
Method two requires you to get up and leave the house. The BBFC will accept various approved age verification systems. One of the biggest is AgeID, which is run by Mindgeek. Mindgeek owns PornHub, RedTube and YouPorn. AgeID is a portal which provides users access to a selection of independent third-party age verification sites, where users verify their age via passport, driving license, credit card or mobile SMS. AgeID itself does not store or even see your personal data, but for some, the idea of uploading ID documents to third-party verification sites is a massive concern. However, you can confirm your age without an official document, via the PortesCard method.
PortesCards can be bought in shops, where the burden of proof is on the vendor. You can show the staff your ID and they will sell you the card. Of course, there is the chance that you will be assumed to be over 18 without having to show ID, much like if you were buying booze. Either way, no data is stored on a database that can be hacked. However, there are two problems with this method.
Firstly, it doesn't really serve as a safe way to verify age. In the UK, as anyone who grew up there (like I did) will tell you: buying alcohol, cigarettes and other age-restricted products when you are underage is not that difficult. Compared to the US, for example, where I still get asked for my ID when buying alcohol (I’m 32), things are way more relaxed in Britain.
Secondly, the PortesCard code is only valid for 24 hours after purchase. This is baffling to me - the purchaser is only going to get older and thus cannot lose their verified status after it has been confirmed - and renders it useless. Who is going to pop into their local newspaper shop and ask for a 24-hour porn pass? “I’d like a box of Kleenex and a PortesCard please mate.” Yeah, right! Most British people still blush when buying condoms.
Both of these official methods of age verification are pretty shoddy in terms of either achieving what they are supposed to achieve or protecting privacy, or both! Most people, I imagine, will go down the VPN route. People are already doing this to watch the Netflix libraries of other regions, for example, and my gut feeling is that most people will be savvy enough to sidestep the block and it won’t be much of a hurdle for users either over or under the age of 18.
Which brings us back to Jim Killock of the Open Rights Group. If the porn block will result in either privacy and sensitive data protection problems, or the widespread circumvention of the ban with a VPN, then what’s the point?
What do you think? Is this a security nightmare or just a pointless barrier people of all ages will easily jump over? Let us know what you think.
Via: Tech Radar