Posted at 22:20 on 16 Nov 2017 by Pandora / Blake

The more I learn about age verification, the worse an idea it seems to be. I’ve written before about the logistical problems with the policy, especially in light of the proposed enforcement deadline of 27 April 2018. We still don’t know how it will be enforced, who the regulator will be, or what will be considered compliant; and there are lengthy Parliamentary processes to be completed before we can find out.

Meanwhile the Department for Digital, Culture, Media and Sport, and the British Board of Film Classification (who are tipped to be the new regulator) are refusing to engage. I recently organised a roundtable of security experts, privacy campaigners, site owners and age verification providers to share knowledge and discuss the issues, and both DCMS and BBFC declined to attend. The DCMS are also refusing to answer my questions via email.

In the absence of help from on high, those likely to be affected by the new legislation are left picking over Section 3 of the Digital Economy Act, speculating and guessing. I’m not a lawyer, but reading the section on age verification one thing is clear: it completely fails to protect the privacy of internet users.

This is a law making it compulsory for any adult site worldwide to verify the age of all UK users to ensure they are over 18. This process will potentially link people’s ID to a list of every porn site they visit. Age verification creates an exquisitely sensitive intersection of our most private data.

You’d think that the law would acknowledge the risk of data breaches or hacks, and provide some safeguards to ensure that anonymity and privacy are protected. But Section 3 of the Digital Economy Act doesn't mention the word ‘privacy’ once. This neglect paves the way for the sexual preferences of millions of UK citizens to be leaked onto the internet.

The age verification marketplace

What technologies are available for age verification? It's the question every porn site owner wants answered, so we can start researching the options. But annoyingly, very few products have launched yet. We won’t truly know what's on the table until the new regulator has not only been appointed, but also published guidance about what will be considered compliant. Until then, most age verification providers are holding back until they can ensure their products comply with the guidance.

That makes it tricky to assess the security of age verification solutions. In fact it will be almost impossible for many site owners to make the required changes by April if the compliance guidelines aren’t available until January. Most porn sites are run by one or two people and don’t have a separate IT department; many of them rely on the same IT freelancers to manage the technical side of things. There isn’t enough time for site owners to assess the available options and make informed decisions.

Still, there are some product names floating around, although you’ve had to be sitting in the right meetings to hear them. Most systems offer a user journey that looks something like this:

1. I visit a porn site, and I’m asked how I want to verify my age.

2. I select the age verification method which I prefer - perhaps one I’ve used before.

3. The porn site sends me off to interact with $AgeChecker.

4. The first time I use $AgeChecker, it asks me to provide some details they can use to verify my age - perhaps a credit card, phone number, Facebook account or photo ID.

5. Once $AgeChecker has verified I am over 18, it gives me an “over 18” token.

6. $AgeChecker sends a “yes, over 18” back to the porn website.

7. I’m age verified and able to look at porn.

8. Each subsequent time I use $AgeChecker, I don’t need to re-submit my ID, I just show them my token.

Step 4 is the tricky part. There are a number of different solutions being developed. Here are some of the methods being talked about:

Yoti - install an app on your phone, take a selfie, and upload it to Yoti along with your photo ID. They do face recognition and confirm that the selfie is you.

Veridu - provide access to your entire Facebook account history, they do a machine learning analysis of it and guess whether you’re over 18 based on things like how old your friends are, whether you go to 36th or 16th birthday parties, and other criteria.

VeriMe - your mobile phone provider knows you’re over 18 if you’ve submitted ID to turn off the default adult content filter. You give VeriMe your mobile number and they ask your phone provider whether you’re over 18 or not.

Experian - the credit check database knows whether you are over 18 or not.

Credit cards - your bank knows whether you are over 18 or not.

AVSecure - you take your ID to a shop and get the shop assistant to give you an “over18” token which you can then use online.

The privacy and security implications of these various methods have been ably covered by Alec Muffett in his piece from a year ago. It’s well worth a read, but the chief takeaways are:

It’s a really bad idea to habituate the British populace into bad security patterns, such as giving random websites permission to see your social media details, phone number and credit card details.

Age verification will lead to ripe pickings for identity fraudsters to collect credit card details on fake websites.

This sort of data exchange is disproportionate to the task at hand, and won’t stop under 18s from looking at porn anyway: “You cannot solve social problems with software” (Ranum’s Law).

What most of the available technologies have done is create a system that stops the porn site itself from seeing the user’s ID. When you hear them talking about how much they respect privacy, that's usually what they mean. They do this by making a third party - the age verification provider - the intermediary of the transaction.

Age verification providers will see what porn websites we visit (because they’ll see the site’s request for our age verification status), and they’ll also see our personal ID. If any of this data is retained, the potential for accidental leaks or data breaches, or malicious misuse of the data for advertising or profiteering, is enormous.

Under the Digital Economy Act, the new age verification regulator will have power to regulate commercial porn websites - but not age verification providers. By passing this law the Government have created a market for age verification technology which is completely unregulated. With no privacy safeguards enshrined in the law, the Government is expecting the market to magically protect user privacy. But that’s not how the market works.

Free markets tend to throw up monopolies: the more money you have, the easier it is to make money. Search engines have Google, social media has Facebook, and porn has MindGeek.

This company goes out of its way not to advertise itself, but they reportedly own approximately 90% of the free adult “tube” sites on the internet such as PornHub, YouPorn and RedTube. They've bought porn brands such as Brazzers and Digital Playground, and thereby established their monopoly both on production, and on distribution. Now, age verification will allow them to also become the gatekeepers of porn.

Regulatory capture

“MindGeek’s dominance should serve as a cautionary tale of the dangers of consolidating production and distribution in a single monopolistic owner.” (Slate)

MindGeek aren’t based in the UK - their head office is officially located in Luxembourg, although a lot of management decisions seem to be made in their Montreal office. This is, perhaps, one of the reasons that the Digital Economy Act is so careful to include all websites accessible within the UK, not just those based here. The tube sites make money by allowing users to upload pirated (stolen) content made by producers like myself, and then monetising it via advertising; the resulting content is free to the end user. MindGeek is the biggest porn company in the world, and the means by which a lot of under 18s access porn. They'll be under the microscope, and aren’t going to have a choice but to comply with age verification.

Instead of just complying, they’ve taken it one step further and have developed their own solution: AgeID.

This isn’t news. I first wrote about AgeID in September 2016. I was told by one of their directors at the age verification technology demo organised by the Adult Provider Network in 2016 that they anticipate that 20 to 25 million adults in the UK will use AgeID “within the first month”. That’s 39% of the UK population.

AgeID won’t handle age verification itself; it will operate as an aggregator of other age verification solutions. From what I've heard, it'll probably work like this. You’ll visit a site like PornHub, and you’ll be asked something like: do you want to verify your age via your credit card, social media profile, credit record, photo ID or phone number? You’ll pick one, be bounced to a relevant age verification provider, show them your ID, and then be bounced back to MindGeek with a “Yes” or “No”. If yes, you’ll create an AgeID login consisting of a password and an email address. After that, any time you want to access a MindGeek website, you’ll be able to use the same login without needing to re-verify. And here’s the clever bit: they’ll be making the same system available - at a fee - to any other porn site who wants it.

It’s easy to see the advantages of this sort of federated solution. Most people prefer a streamlined browsing experience. Users might find they prefer to browse websites where they can use their AgeID login, without having to re-verify every time. MindGeek are banking on the fact that most users who look at porn paysites also look at porn tube sites, and they’re offering a cost effective, frictionless user experience across the adult web.

They’re also intending to compete on cost. They haven’t launched their pricing yet, but the latest I've heard is that they’re offering a sliding scale monthly licensing fee to porn site owners based on how many UK visitors they have. It sounds like they’re hoping to undercut most other age verification providers. For many small site owners, this discount could be a deal-breaker; the only way they can afford age checks and stay online.

The end result? The Government has written MindGeek a blank cheque. Once age verification is in effect, smaller sites like mine will effectively have to pay a "MindGeek tax" to our biggest competitor, who has established market dominance by pirating our content. If MindGeek had made the rules, this would be called extortion. Since the State has created this situation, however, there’s a better name for it: regulatory capture.

“Regulatory capture is a form of government failure that occurs when a regulatory agency, created to act in the public interest, instead advances the commercial or political concerns of special interest groups that dominate the industry or sector it is charged with regulating.”

Do you trust MindGeek to keep your porn use private?

The biggest porn company in the world, which collects huge amounts of browsing data to feed into its advertising algorithms, has top-notch web security, right? You’d be forgiven for thinking that MindGeek would be both motivated to keep, and capable of keeping, the private porn preferences of its users private and safe. However, you’d be wrong.

PornHub recently suffered a year-long malvertising attack. In 2012 a YouPorn data breach revealed the email addresses, usernames and passwords of a million porn viewers. The same year hackers romped through Digital Playground, leaking 73,000 user details and numbers, expiry dates and security codes for 40,000 credit cards; “the Digital Playground site was so riddled with security holes that it acted as a irresistible target”. Chat logs and login details for 800,000 Brazzers subscribers were leaked in 2016. MindGeek has suffered breach after breach after breach.

In security engineering, the definition of a “trusted system” is that the failure of the system to operate according to specification would lead to the compromise of your security goals. The counterpart of this is “trustworthiness” - how assured we can be that a system will operate according to spec. In MindGeek’s case, their repeated data breaches suggest that either their systems are failing to operate to specification, or that protecting user data is not one of their security goals.

AgeID will give MindGeek access to a unique new seam of profitable data: information about what porn sites AgeID users log into across the world wide web. MindGeek won't see your ID, but they will know your email address and password; data that they have repeatedly compromised in the past. AgeID therefore creates the very real risk of a database of the sexual preferences and porn browsing history of 25 million people, linked to their identifying credentials, being leaked or hacked.

High stakes

Sexual information is private for a reason. Many people have secrets to keep, and the consequences of a privacy breach can be catastrophic. The data breach of extramarital affair dating site Ashley Madison is a sobering example. The site failed to keep user data secure, resulting in a breach that led to scandal for politicians and CEOs, blackmail, identity fraud, and two suicides.

Currently the UK Parliament and US Congress are both staggering after multiple revelations of sexual misconduct amongst their members. The investigation into First Secretary of State Damian Green has also revealed allegations that extreme pornography was found on a parliamentary computer in his office. It doesn’t take much imagination to see how tempting a target an international porn database would be for hackers, if there was a chance that the porn habits and emails of politicians might be on it.

It’s not only public figures who stand to suffer in the event of a large-scale porn data breach. The most marginalised members of society also have a lot to fear. The kind of sex we like to have, and fantasise about having, can have extraordinarily high stakes for those experiencing homophobia and transphobia. LGBTQ people who are not out to their families stand to lose their homes and their relationships; in the case of young or vulnerable people, this poses a very real risk to their survival. Being outed is also dangerous for members of the BDSM community - there are no laws protecting the rights of people into BDSM from discrimination, and in this country your private sexual practices can get you fired.

Speaking at ORGcon last week, Executive Director of the Open Rights Group Jim Killock said that “in the age of the Internet digital rights are human rights”. Jobs, homes and lives; the stakes of personal privacy are high.

Security protocols

The most confidential data is data that isn’t retained anywhere. But there’s nothing in the text of the Digital Economy Act to prevent age verification providers from retaining the identifying details we use to verify our age, or storing records of the websites we visit. We are simply being asked to take it on faith that they won’t.

An example of an insufficient security system is one with both bad protocols, and bad faith. In the case of age verification, an insecure system would be one where data was collected, and we were therefore forced to trust providers to keep it secure; but the providers weren’t trustworthy.

Trust is necessary but not sufficient to create a secure system. Perhaps we might trust this age verification provider or that one; but for a truly secure age verification system, providers should be meeting security goals because of legal or logistical requirements - in other words, for reasons that are baked into the protocols. If the database doesn’t exist, it can’t be abused.

Age verification providers, including MindGeek, might say they aren’t collecting data, and that they don't intend to; but as long as they could, we are forced to take this on trust. If they can’t collect it because the law or the protocols prevent them from doing so, we don’t have to trust them. This is best practice.

There are a number of ways to build protocols that achieve this. Here are just a few:

Blinding: replace durable, transparent names (of e.g. users or websites) with short-lived, opaque identifiers.

Minimum data: the transaction does not require any more data to be transferred than is absolutely necessary.

Separation of authority: avoid aggregation; each authority only sees the minimum amount of data.

Least privilege: grant exactly the amount of privilege (permission to do something) required for the transaction, and no more. Every privilege granted opens more surface for attack.

From what I’ve been told, MindGeek’s AgeID system fails to employ any of these basic security protocols. User data is not blinded; AgeID can connect an age verification transaction to an email address and password. Website data does not seem to be blinded either; MindGeek could, if they wanted, access or retain the list of websites that a given user has accessed via AgeID, and we merely have to take it on trust when they say they won’t. As a content provider and an AV provider, MindGeek does not have separation of authority; the same company will own your PornHub, Digital Playground and Brazzers account details, which might well contain your credit card details and other information, and your AgeID account. We can only trust that this data won’t be aggregated, even though they have a clear profit motive to store data about what porn people look at. How trustworthy do they seem?
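To make the blinding and separation of authority described above concrete, here is an added example (not part of the original post, and not any provider's actual design) using a Chaum-style RSA blind signature, one well-known way to issue an "over 18" token that the issuer cannot later recognise. The `Provider`, `Site` and token format are hypothetical, and the key is a toy built from fixed primes with unpadded hashing, so it shows the data flow only.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key for the hypothetical provider, built from two known Mersenne
# primes so the example runs offline. Far too small for real use.
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # provider's private exponent


def digest(token: bytes) -> int:
    """Hash a token into Z_N (unpadded; a stand-in for a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


class Provider:
    """Checks ID once (not modelled), then signs the blinded value it is handed."""

    def __init__(self):
        self.seen = []  # everything the provider could ever log or leak

    def sign_blinded(self, blinded: int) -> int:
        self.seen.append(blinded)
        return pow(blinded, D, N)


def new_blinded_token():
    """User side: random opaque token, blinded before it leaves the device."""
    token = secrets.token_bytes(16)
    r = 0
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return token, r, (digest(token) * pow(r, E, N)) % N


def unblind(blind_sig: int, r: int) -> int:
    """User side: strip the blinding factor, leaving an ordinary signature."""
    return (blind_sig * pow(r, -1, N)) % N


class Site:
    """Verifies with the provider's public key only; never contacts the provider."""

    def __init__(self):
        self.spent = set()

    def admit(self, token: bytes, sig: int) -> bool:
        if token in self.spent or pow(sig, E, N) != digest(token):
            return False
        self.spent.add(token)  # single use, so the token is not a durable name
        return True


def demo():
    provider, site = Provider(), Site()
    token, r, blinded = new_blinded_token()
    sig = unblind(provider.sign_blinded(blinded), r)
    first, replay = site.admit(token, sig), site.admit(token, sig)
    # Could the provider match anything in its log to what the site received?
    linkable = digest(token) in provider.seen or sig in provider.seen
    return first, replay, linkable
```

The site receives only a random token and a signature, and the provider's log holds only a value it cannot match to either. Token expiry, signature padding and network-level linkage (both parties still see an IP address) are outside what this models.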

Data protection

The deadline for age verification enforcement to begin coincides with the introduction of GDPR (General Data Protection Regulation), a new EU legal framework which will apply in the UK from May 2018. Age verification technologies will need to be GDPR compliant. GDPR gives the individual the right:

to be informed about what data is collected and how it is used,

to access their personal data that has been retained,

to rectify inaccurate or incomplete data,

to data erasure under certain circumstances,

to object to the use of data especially for direct marketing purposes,

not to be subject to a decision when it is based on automated processing or profiling.

Data protection provides a certain baseline privacy standard.

However, Facebook is a good example of how easily an online company can persuade users to consent to use of their data. All MindGeek need to do is create enticing user experiences; perhaps asking something like, “Do you want us to provide you with personalised porn recommendations?” and they can process users’ browsing data while complying with GDPR. As the Open Rights Group explains, “Data protection law is simply not designed to govern situations where the user is forced to agree to the use of highly intrusive tools against themselves.”

PAS 1296

A “PAS” is a Publicly Available Specification, and PAS 1296 is the privacy standard for age verification which the Digital Policy Alliance have been working on for well over a year. Ironically, it’s not currently publicly available; it was meant to be published in spring 2017, but we’re still waiting. This makes it hard to assess its suitability.

However, the draft that was published in October last year was pretty weak on privacy. The Open Rights Group’s verdict was that it “says little about security requirements, data protection standards, or anything else we are concerned about,” describing it as “very generic” and lacking “meaningful enforcement”.

I’m told by members of the DPA that the new draft of the PAS 1296 is considerably more robust, and has taken feedback (including the Open Rights Group’s) into account. I’m looking forward to being able to read it and see for myself. But however strong a stance PAS 1296 takes on privacy, ultimately it is a voluntary specification. The age verification regulator has no authority to regulate age verification providers, only to regulate online commercial pornography providers. Without mandatory privacy protections, there will be little incentive for age verification providers to comply with the recommendations of the PAS.

Privacy safeguards

So far, most of the available age verification technologies offer few assurances regarding privacy and security. AVSecure seems like the most promising from a privacy perspective, and I’m in communication with its creators and looking forward to finding out more about it. There might be other anonymity-respecting solutions on the horizon; for instance Privacy Pass, an open source browser extension that offers anonymous authentication via blockchain, seems to have promise as a component for age verification, although that's work that has yet to be done. But even if some age verification providers excel on privacy, we shouldn’t have to take it on faith that they'll do so; and with MindGeek threatening to establish a monopoly on the age verification of everyone who looks at tube sites, the situation for adult publishers is bleak.

We need age verification to be based on technologies (such as blockchain) where data is blinded by default; and we need legislation requiring age verification providers to uphold privacy standards that protect the anonymity of web users. This could be based on the PAS, but in a form that is legally enforceable. Likewise, we need a mandatory web security standard which age verification software must comply with. This will only happen if the government has some jurisdiction to regulate age verification providers: and that will require a change in the law.

Read more:

UK Porn Is About to Change in a Way You're Not Going to Like - Vice

Pornhub owner may become the UK's gatekeeper of online porn - Engadget

20-25 Million UK Adults Risk Their Porn Habits Being Leaked Publicly - Myles Jackman

Porn According to MindGeek - Girl on the Net

UK pornographers fear age verification laws may harm business - Sky News

Soon you’ll have to enter personal details to watch porn and it could open you up to blackmail, legal expert claims - The Sun
