“Privacy is one of the most important things to get right in relation to this regime.”
David Austen, Chief Executive, BBFC (The Age Verification Regulator)
To verify your age you would have to register in some way with a service that can verify you are over 18. To do that you will obviously have to provide what will probably be several pieces of identifying personal information. That information can then (at least without strong protection) be linked to your porn viewing habits.
The only current protections for privacy are in the government guidance to the regulator which says:
“The process of verifying age for adults should be concerned only with the need to establish that the user is aged 18 or above. The privacy of adult users of pornographic sites should be maintained and the potential for fraud or misuse of personal data should be safeguarded.”
It only takes a moment's thought to realise that information collected about people's porn viewing habits is going to be very sensitive. Exposure of that information could be very damaging to someone's reputation, relationships and, in some cases, their job.
“For many people – teachers, priests, doctors, to name a few – having your name on a list of adult consumers has real implications.” Vice President of XHamster, Alex Hawkins.
As was seen with the Ashley Madison data leak, data that is particularly sensitive will always be a prime target for hackers and those who would seek material for blackmail. Without strong privacy protections that will always be a risk.
During the passage of the bill the government seemed quite unresponsive to these concerns:
Alistair Carmichael MP – “Will the data therefore be held in an anonymised form that will not allow the people who have provided them to be identified, should the data be stolen? The best security in the world can still be breached?”
Matt Hancock (Responsible Minister) – “It will be a requirement that the data are held in such a way that they are secure and not made available. It is a common principle across swathes of life that data must be held safely. The Data Protection Act is in place to make sure that that happens.” [Note: nothing said here about data being anonymised]
As discussed separately below, the Data Protection Act has some serious limitations in providing protections in this area.
When the bill was passing through the House of Lords, Lord Paddick proposed an amendment which, in his words, would “ensure that the details of those applying to have their age verified in order to access adult material on the internet remain anonymous.”
In the discussion on those amendments he said that:
“In my discussions with the British Board of Film Classification, it has said that it has no particular interest or expertise in the area of data protection in relation to keeping confidential the details of those seeking age verification. We will end up with an age verification regulator that forces users of adult material on the internet to use an age verification solution but has no responsibility for approving such solutions.”
Unfortunately the minister (Lord Ashton), whilst saying “we, too, have absolute desire for anonymity in these matters”, didn’t back the amendment, instead relying on guidance to the regulator and saying that “The privacy of adult users of pornographic sites must be maintained. We do not want the regulator to duplicate the role of the Information Commissioner’s Office.”
Data Protection laws unsuitable
Closely related to the above is how much protection Data Protection laws can provide.
When discussing the amendment referred to above, Lord Paddick responded to the Minister:
“The Minister said that the Information Commissioner’s Office is responsible for data protection, but the Information Commissioner’s Office is designed to ensure that people who voluntarily put their personal information into the internet are protected—and this is not a voluntary process. This is making it compulsory for anybody who wants to access adult material to give their personal data, which they would not otherwise have to do. We therefore think that the protections should be greater than those provided by the Information Commissioner’s Office.
As the Minister himself said, privacy is more important when it comes to accessing pornography than it is when accessing, for example, gambling sites. We are not reassured. The draft guidance that the Government have issued is only guidance that a regulator should have regard to; it does not have teeth at all. We therefore find both the draft guidance and the explanation given by the Minister inadequate for protecting the identities of those who seek age verification.”
In short, as Pandora Blake puts it, “the Bill contains no safeguards against AV providers compiling databases of our porn browsing histories which will be deeply vulnerable to leaks, hacks and data breaches.”
If current data protection laws are to be relied on, then people need to have confidence that the Information Commissioner will be able to take enforcement action against those companies if necessary. As was recently seen with Cambridge Analytica, the ability to seize computers and documents if necessary can be an important part of that. If age verification companies are based abroad, or have their servers in other countries, enforcement will be much harder. Currently enforcement is easier where they are based in the EU, but that may not be the case after Brexit. Ensuring that companies are based in the UK would be a major step towards ensuring enforcement action can be taken if needed.
Will it work?
The ultimate point, as with any legislation, is whether it will actually work. It’s important not to let perfection become the enemy of the good, but where people’s legitimate (and legal) expression is being curtailed there needs to be an element of proportionality.
First there is the scale of pornography on the internet. The BBFC themselves refer to 1.5 million new pornographic URLs coming on stream each year. It’s clearly impossible for any regulator to check that all these are compliant with legislation. The BBFC said in evidence to the Bill committee that they would target the most popular sites.
“It may make it harder for children to stumble across pornography, especially in the younger age range, but it will do nothing to stop determined teenagers,” and
“while I don’t have a problem with asking these companies to act responsibly, I don’t see it as a solution to stopping minors seeing pornography.”
Most broadband suppliers and mobile network operators offer some sort of internet filter to block ‘harmful’ sites, with many now enabling that by default. Whilst this is not without some controversy around sites being incorrectly blocked (see ORG’s campaign on this: https://www.openrightsgroup.org/campaigns/web-blocking-hub/), it should in theory substantially reduce under-18s’ access to pornographic websites.
Alternate routes to accessing pornographic material
Government research such as the DCMS expert panel has identified that under-18s view pornography by a variety of means other than accessing websites. These include sites such as Twitter, which would not be covered by the Digital Economy Act, and sharing material through instant messaging.
In evidence to the Bill committee, Girlguiding said that, based on a survey of their members:
20% of girls aged 13 to 21 have had unwanted pornographic imagery or film sent to them,
60% of girls aged 11 to 21 see boys their age viewing pornography on mobile phone devices or tablets.
Neither of these would be covered by the Act.
(Note: some of the girls in those age groups are above an age that would be covered by this legislation and there is already legislation in place to cover the sharing of pornographic images with people under 18 and sending unwanted pornographic images to someone of any age)
For those with sufficient technical knowledge it is comparatively simple to install technology such as a VPN or use the Tor network to get around any country-based restrictions. In short, those would make it look as though someone was accessing a site from a different country. The government’s own (draft) impact assessment recognised that:
“Adults (and some children) may be pushed towards using ToR and related systems to avoid AV where they could be exposed to illegal and extreme material that they otherwise would never have come into contact with.”
The government’s own (draft) impact assessment recognised that:
“The potential for online fraud could raise significantly, as criminals adapt approaches in order to make use of false AV systems / spoof websites and access user data;”
Effect on independent porn producers
Smaller, and more niche, porn providers could be affected by the cost and administrative overheads and become unviable. Pandora Blake, who won a court case to keep their website open, wrote about this aspect for the Guardian during the Bill’s passage.
Giving excessive power to major porn companies
Several large pornography companies have already shown interest in operating their own Age Verification solutions. Prominent among those is MindGeek, who run several of the largest porn sites (such as PornHub, RedTube and YouPorn) and are promoting their AgeId service. There are clear dangers with dominant porn providers offering Age Verification solutions, in that those could easily be used to manipulate and control the market, giving them an even more significant monopoly position. MindGeek have been involved in a number of significant data and privacy breaches in recent years.
Pandora Blake has written at more substantial length about this aspect.
Better sex education may be a more effective way of dealing with any problems
This was a point that came up time and again in the Bill’s passage. Whilst it wasn’t taken on board in the Act, the government has recently consulted on changes to guidance on sex education, so it may be a case of watching this space.