Website blocking will open up age verification to credit card fraud

Currently the BBFC are pinning their hopes on being able to specify some kind of privacy and safety standard through their ability to regulate “arrangements” that deliver age verified material. Sites must deliver pornographic material:

“in a way that secures that, at any given time, the material is not normally accessible by persons under the age of 18”

The regulator can then issue guidance for:

“types of arrangements for making pornographic material available that the regulator will treat as complying”

The claim is that this mechanism allows the guidance to specify what kind of age verification (AV) is private and secure.

However, if the BBFC are told to block “non-compliant” websites, in practice they will have to accept any system that websites use that verifies age. To do otherwise would be highly unfair: why should a site with legal material, that uses its own AV system, end up blocked by the BBFC?

This will especially apply to systems that require registration / credit card tests. There are plenty of paysites already of course. These are not privacy friendly, as they strongly identify the user to the website – and they have to do this to minimise fraudulent payment card transactions. That’s alright as a matter of choice of course, but dangerous when it is done purely as a means of age verification.

If asking for credit card details becomes common or permissible, and a credible ask in the minds of UK citizens, then the government will have created a gold mine for criminals to operate scam porn sites targeted at the UK, inviting people to supply their credit cards to scam sites for “Age Verification”. In fact you could see this being extended to all manner of sites that a criminal could claim were “blocked until you prove you’re over 18”.

Once credit card details are harvested, in return for some minimal or copyright-infringing porn access at a scam porn site, criminals can of course resell them for fraud. Another easy-to-understand example of abuse of this system is typo-squatting: criminals could register relevant domain names such as youporm.com and ask for a credit card to gain access. Anything that normalises the entry of credit card details into pages where the user isn’t making a payment will increase the fraudulent use of such cards. And if a website is validating credit cards to prove age, but not verifying them, then the internationally agreed standards to protect credit card data are unlikely to apply to them.

During the committee stage of the Digital Economy Bill, we argued that the AV regulator should be highly specific about the privacy and anonymity protections, alongside the cyber security consequences. We argued for a single system with perhaps multiple providers, that would be verifiable and trusted. The government on the other hand believes that market-led solutions should be allowed to proliferate. This makes it hard for users to know which are safe or genuine.

If website blocking becomes part of the enforcement armoury, then websites that employ unsafe but effective, or novel and unknown, AV systems will be able to argue that they should not be blocked. The BBFC is likely to have to err on the side of caution – it would be an extreme step to block an age-verifying website just because it hadn’t employed an “approved” system.

The amount of website blocking that takes place will add to the scamming problem and open up new opportunities for innovative criminals. The BBFC seems to be set to have an ‘administrative’ power to order ISPs to block. If this is the case, the policy would appear to be designed to block many websites, rather than a small number. The more blocking of sites that users encounter, the more they will get used to the idea that age verification is in use for pornography or anything that could possibly be perceived as age-restricted, and therefore trust the systems they are presented with. If this system is not always the same, but varies wildly, then there are plenty of opportunities for scams and criminal compromise of poorly-run Age Verification systems.

Security and privacy problems can be minimised, but are very, very hard to avoid if the government goes down the website blocking route. What MPs need to know right now is that they are moving too fast to predict the scale of the problems they are opening up.