LONDON – Whatever the merits of requiring adult websites to verify the age of visitors, the question about how to meet the condition is more difficult and fraught with pitfalls than its proponents realize — or are willing to acknowledge publicly, at least.
Looking at the age-verification requirement contained in the U.K.’s Digital Economy bill, there’s a good deal of detail about things like the procedure by which Parliament will designate an “age-verification regulator” and no shortage of verbiage about that regulator’s power under the law, but almost nothing about how the required age verification is going to work.
Regardless of how the U.K. government envisions online age verification working, it’s difficult to see how verifying a user’s age is possible without also confirming his or her identity. In other words, any system designed to ensure someone attempting to access porn is an adult also will need to determine which adult is trying to access the site.
And this is where things get very tricky from a data-security perspective.
“It’s almost impossible to do age verification without confirming your identity,” observed Adrian Kennard of the U.K. ISP Andrews & Arnold, which has been consistent in expressing concern about consumer privacy in light of measures like the Digital Economy bill. “This will be a gourmet feast for hackers.”
In an interview with New Scientist (site registration required), Kennard said it’s easily foreseeable that hackers will set up fake adult site front ends to collect sensitive personal information from web users, taking advantage of the fact that entering such data into adult sites will become a familiar and comfortable act for consumers once they’re required to do so to access any of their favorite porn sites.
Presumably, the U.K. government won’t want the adult sites themselves to collect and store personal information, leaving it up to either some form of new government age-verification clearinghouse or placing the responsibility on British ISPs to build and maintain the database in question. Either approach is loaded with potential security pitfalls, not because of who will store the data but due to the nature of the data itself.
As the New Scientist article notes, one has only to look as far as the Ashley Madison data breach to know how desirable the combination of identity, sexual proclivities and contact information can be to hackers.
“However it’s done, collating such information with your sexual preferences isn’t a great idea,” writes Sally Adee, “as the hack of infidelity dating site Ashley Madison — and attendant blackmails and suicides — showed in 2015.”
On top of security concerns, whether a workable age-verification system can be created in the first place is an open and vexing question, even for many supporters of the concept.
In 2012, when the mobile social networking app Skout discovered three adults had wormed their way into the app masquerading as teenagers and later used the app to connect with and sexually assault children, the app makers set up a task force to craft a solution to the online age-verification process. To put it lightly, the task force came up just a bit short of that lofty goal.
“I began to learn that age-verification technologies would not address any of the major safety issues we identified,” Danah Boyd, co-director of the Skout task force, told The New York Times.
Other experts said Boyd’s conclusion shouldn’t come as a surprise, given the enormity of the task of confirming the age and identity of any online user in real time.
Hemanshu Nigam, former chief security officer for Myspace and head of the online security consultancy SSP Blue, did not mince words in his comments to the Times.
“Companies do age verification because they know they’re supposed to, but everybody knows it doesn’t really work,” Nigam said. “The truth is, there is no silver bullet.”
The lack of a silver bullet isn’t about to stop governments around the globe from trying to slay the age-verification werewolf, so to speak, but it’s also not the only problem with the U.K.’s scheme under the Digital Economy bill. There’s also the fact that such geography-specific blocks are not terribly difficult to defeat using other online technologies available to consumers.
“You can legally bypass all of this by using a virtual private network,” Kennard noted. “And it’s easy. So, what’s the point?”