Although Britain’s GCHQ and the NSA seem to be in bed together on most things, invading the privacy of innocent users supposedly in the name of national security, every once in a while the UK does something that makes the US online surveillance machine seem like it is tamer in comparison; its online age check is one of those times.

The GCHQ has already expressed a Chinese-esque plan to create the Great UK firewall, but now the UK, which previously dabbled in porn blocking, wants online age verification services to ensure that people viewing porn are age 18 or over; the dangerous implementation of the system has outraged privacy advocates.

Age-checking kids

In the US, when a person wants to view “mature” content for gaming or something more risqué, the online age verification allows you to simply pick some dates, usually from a birth date drop-down; if a person is 18-years-old or older, then the content is available. It’s up to the user to decide if that answer is truthful.

At the symposium “Online Age Checking: The Time Has Come,” one proof of concept for the UK’s plan suggested verifying kids' attributes “against school data” or verifying “against school user account.” One “benefit” would be that notifications would be sent to parents for consent. One explanation for how it would work suggested that a child would need to register with a service provider which then makes sure the child had signed in on a “trust platform” with a school ID.

On top of that, “out of band authentication, e.g. Google authenticator, device ID, location awareness, parental consent, phone number match, etc. could be added.” There is a video about the online age-checking POC here.

Porn-browsing adults please verify age via banking account?

But the UK’s proposed age verification to view porn won’t stop at checking for ages from 5 to 18. Forget about privacy and anonymity for porn viewing since adults will also hit an Age Gate. As the Open Rights Group pointed out, “Current proposals for age-verification systems suggest using people's emails, social media accounts, bank details, credit and electoral information, biometrics and mobile phone details. The use of any of this information exposes pornography website users to threats of data mining, identity theft and unsolicited marketing.”

Proposed age verification plan

The proposed online age-checking draft, a provision in the Digital Economy Bill, did not specify any particular age-checking tools to be used in the age verification framework; however, it suggested the age-checking could be used not only for accessing porn or other adult content, but also for “buying age-restricted merchandise online [e.g. e-liquids (nicotine), adult materials, dangerous goods]; using online services (e.g. dating services, gaming or gambling websites); and accessing online age-gated material (e.g. education and health).”

The BSI Group, which prides itself in having been the world’s first National Standards Body, has taken down the draft of the BSI Security Standard, also called a publicly available specification (PAS), so that it is “no longer available to be viewed;” public comments were only allowed until October 13 at any rate.

Nevertheless, it seemed to hit Cory Doctorow’s radar after network security consultant Alec Muffett, who is also on the Open Rights Group board of directors, ripped into the ridiculousness of PAS 1296.

No privacy safeguards

David Austen, who will most likely become the regulator of the Age Gate, said, “Privacy is one of the most important things to get right in relation to this regime. As a regulator, we are not interested in identity at all. The only thing that we are interested in is age, and the only thing that a porn website should be interested in is age.”

That’s nice except there are no privacy safeguards and Austen will leave the market to implement age verification systems; the Open Rights Group asked, “What could possibly go wrong?”

The group pointed out that some implementations may involve “vast data trawls through Facebook and social media,” or linking “people’s identity across web services,” or piggybacking “upon payment providers.” The UK government has a privacy-friendly age verification system called Verify, but doesn’t intend to use it.

Open Rights Group wrote:

If the government wants to have Age Verification in place, it must mandate a system that increases the privacy and safety of end users, since the users will be compelled to use Age Verification tools. Also, any and all Age Verification solutions must not make Britain’s cybersecurity worse overall, e.g. by building databases of the nation’s porn-surfing habits which might later appear on WikiLeaks.

What if it’s not just WikiLeaks? Let’s take a freaky hypothetical scenario. As the creepy clown epidemic in the US moved to also include clown sightings in Britain, there has been a 213 percent spike in clown-related porn on Pornhub and a 50 percent increase on xHamster.

Whether or not that is a Halloween thing or based on some other twisted reason, who would want that linked to their banking, credit and electoral information, or even a social media account using a “real” name such as Facebook supposedly enforces? Stupid comments on Facebook and other social media platforms have cost people jobs, loans, insurance…and the list goes on.

It won't stop kids, but opens adults to chances of life-wrecking leaks

The UK cracked down on revenge porn, but that does nothing to stop people from requesting photos be nudeshopped via Photoshop so it can be used for revenge porn; nor can it stop “porn bombing, the worrying new face of revenge porn.” As sick as revenge porn is, a determined person will find a way.

In the same way, determined under-aged people will find a way to browse porn; a simple solution would be using a proxy to view porn which is hosted outside of the UK.

It’s not that the idea to keep inappropriate material out of the reach of children is a horrible one, just that it will likely fall short of that goal. Meanwhile for adults, as Open Rights Group said, viewing porn will be linked to real-life identities and “could be vulnerable to Ashley Madison-style leaks.”