UK.gov admits porn age checks could harm small ISPs and encourage risky online behaviour
It’s happening, but here are the problems it could cause
Enforcing age verification checks for online porn sites could be detrimental to smaller ISPs and significantly increase online fraud, the government has admitted.
The measures, which are due to come into force in May, will require UK residents to prove they are 18 or over in order to get access to porn sites.
The plans have proved particularly unpopular, with a consultation finding that 54 per cent of respondents did not support the introduction of a law to require age verification.
However, the government has forged ahead, with the aim of stopping kids accessing porn on the grounds that such content could "distress them or harm their development".
The rules will be enforced by the British Board of Film Classification, in its new role as porn overlord age-verification regulator, which will also allow it to require ISPs to block sites that don't comply.
Ahead of implementing any policy, the government has to publish an impact assessment that sets out the risks and costs of the intervention.
And the one for age verification (PDF) – slipped out over the Christmas break – is a doozy, reeling off a list covering concerns about privacy, online fraud and reputational damage to the government.
The document also set out the costs of the new measures, which include a cost to the public purse of between £1m and £7.9m for the creation of the regulator.
Meanwhile, the estimated cost to large ISPs of blocking sites – on the assumption that this would be for between 1 and 50 sites a year on a DNS level – is in the range of £100,000 to £500,000, which they said would cover a system update to include the BBFC's chosen porn sites.
These providers told government it was likely they would be able to absorb ongoing operational costs, probably because many already have blocking systems.
But this isn't true for all providers, as Neil Brown, tech lawyer at decoded:Legal, pointed out: "If every ISP needs to block non-compliant sites, that will impact smaller ISPs, especially if they don't already have a blocking system in place."
The government acknowledges this risk in the impact assessment, saying that the requirement "could have a negative impact on smaller ISPs with a much smaller workforce and we will need to carefully consider the impact on them".
Adrian Kennard, boss of UK ISP Andrews & Arnold, told The Reg that it would be possible to block sites, but that it would require more capacity and development.
"As a small ISP we don't currently have any blocking or filtering of anything," he said. "Even if it's blocking on a DNS level, that's still an administrative pain in the neck."
Blocking a large number of sites, though, would need some level of automation, which – as well as requiring extra development – could also end up filtering out perfectly safe and legal sites. (Not to mention that the lack of blocking and filtering is often one of the reasons people choose smaller providers.)
Another issue facing ISPs is a lack of information: the government and BBFC have yet to fully define what "blocking" will entail – for instance if doing so at a DNS level will suffice – or whether it will always apply to small companies.
They are also yet to set out an appeals process ISPs can use if they believe they’ve been asked to do something that isn't proportionate.
The spectre of the dark web
Even if the blocking is put in place, and works, people who want to will still find a workaround – this is something that goes on just as much in the offline world (hello, underage drinking) as in the online one.
As the government itself said: "Adults (and some children) may be pushed towards using ToR and related systems to avoid AV where they could be exposed to illegal and extreme material that they otherwise would never have come into contact with."
Myles Jackman, obscenity lawyer and legal director of the Open Rights Group, said: "It seems perverse that, in an environment where the government is promulgating anti-extremism and saying terrorists must be stopped from using ToR, it has to openly acknowledge that this policy will increase its use."
The government's statement has also irked observers who feel it is unhelpful for the government to misrepresent ToR as damaging in and of itself, pointing out that random clicking on the normal web can lead you to a variety of dodgy content, too.
I’ve used Tor for years, and host a “hidden service”, and I don’t get this:
- if you are using Tor to access the web, content is unchanged (if anything, harder to access, due to sites/CDNs blocking Tor)
- if you are accessing hidden services, you don’t just stumble across them
— Neil Brown (@neil_neilzone) January 3, 2018
Rise of the AV crims
There's also a risk for those people who are at the other end of the tech-savvy spectrum, as the document acknowledges that the new rules could leave people more exposed to nefarious actors.
"The potential for online fraud could raise significantly, as criminals adapt approaches in order to make use of false AV systems/spoof websites and access user data," the document said.
This ties in with concerns that the rules will encourage people to engage in less-than-safe online activity.
For instance, they might be less keen to check the legitimacy of an AV system if someone will know why they're using it, or they might not question a small charge to save face.
Opponents have also warned that it goes against efforts to educate people against handing over their card details online by forcing them to do just that, and could possibly push kids who want access to porn to slip off with their parents' cards.
…not to mention: encourage near-criminal behaviour by capable 16-year-olds, nicking their parents' credit cards and thinking that's normal. — Alec Muffett (@AlecMuffett) January 4, 2018
The security measures of the age verification providers have also been questioned – especially as the frontrunner at the moment, AgeID, is produced by mega-porn-corp MindGeek, whose companies don't have a great reputation for security.
"It would be ironic if a mass exposure of people's porn proclivities... is what teaches the public about the importance of online privacy and security," said Jackman.
Faced with all of this, perhaps it's not surprising that the government also lists as a potential risk that people simply stop using online porn at all.
But, hey, perhaps that's what the government wants...®