El Reg deep dive: Everything you need to know about UK.gov's pr0n block

Some foreplay: Dark web, smut monopolies and moral outrage

Choosing the right protection

The stick for sites failing to age gate access to smut – defined in UK law (Digital Economy Act 2017) as content that "it is reasonable to assume from its nature was produced solely or principally for the purposes of sexual arousal" – is a large one.

As regulator, the British Board of Film Classification can order internet service providers to block sites, call on providers like Visa to cut off payments or hand out fines of up to £250,000 (or 5 per cent of qualifying turnover, whichever is greater).

Although the exact process has yet to be defined, existing age-verification tools – used for online gambling, for instance – involve handing over a credit card number (although this is problematic for adults who don't want or can't get them) or scanning a document like a passport for approval by the biz or a third party.

Unsurprisingly, the focus has been on data security. Experts have cautioned against creating databases full of porn-watchers' details, especially one that might track their sexual proclivities, which would essentially be a giant red flag to hackers.

Mainstream porn giant MindGeek, owner of many popular sites like YouPorn and RedTube, has come under fire for its poor security rep, which means its own AV tool, AgeID, is being treated with extreme caution.

However, James Clark, spokesman for AgeID, said that while its tool uses cookies "for technical reasons, such as load balancing", they "do not store any personal information or track a user… [or] which sites they visit".

The same promises are being made by other providers. Michael Bolcerek of political tech flinger Aristotle said that for the adult market, his biz had "made a decision long ago" to delete any copy of the data used – which can be financial, government ID or biometric comparison – once the info has been verified. "Basically, there is nothing to track or hack," he said.

Similarly, app developer Yoti said it only retains the scans of the documents for a week while it verifies them, and then each piece of information – date of birth, name, address and so on – is individually encrypted with different 256-bit keys and stored separately. For age verification, the user sends confirmation that they are over 18, rather than their date of birth.

But for all the firms touting their security credentials, there are always bad apples, and many have warned that the new rules will encourage people to engage in less-than-safe online behaviour. That might mean failing to check the legitimacy of an AV system because they don't want to admit they're watching porn, or being exposed to fraudsters or firms with dodgy Ts&Cs.

"There's a real concern about user privacy and consent," said Pandora/Blake, pornographer and a leading campaigner against the plan. "With terms that come with a nice carrot, people might just click on agree – they're not going to read it – especially if they're having a wank. So is that really consent?"

For Blake, there needs to be a "robust, mandatory privacy standard that's customised for this space" – but this has been sorely lacking. And without it, pornographers have been cautious about taking the plunge with any of the providers.

It was hoped that this week's publication of a Publicly Available Specification (PAS) for AV tools would help; press were told the document's clarity on the matter would allay concerns about anonymity and data protection.

But not only does the document lack explicit or more detailed instructions on privacy standards, it also landed with a hefty price tag of £90+VAT – not quite the way to generate goodwill or help small businesses comply.

Neil Brown, lawyer at decoded:Legal, who stumped up the cost and unpicked the main points on Twitter, said he "wasn't sure what it brings to the table". He did, though, praise its emphasis that AV should involve no more than answering yes or no to a defined question about age.

Just when you thought things were coming to a head...

Elsewhere, the lack of clarity around the BBFC's plans for enforcement was a major cause of concern and ultimately the reason the government had to put the plan on ice.

Although the delay wasn't a surprise – the regulator was only officially approved last month – it has been welcomed by pornographers who have gained a little breathing space and observers who were worried that rushed-through plans might have adverse effects.

"I'm quite glad we've seen the rollout pushed back, because what was worrying me was the lack of detail and on public standards and how they fit in with data protection regulations and extra security criteria," said Victoria Nash, an Oxford academic who in 2015 led a government-commissioned report (PDF) on how children view porn online.

Among the laundry list of queries and quibbles is where the regulator will start. The BBFC told The Register it would take a "proportionate approach" and focus on services known to be visited by children to "maximise impact".

But smaller providers worried about compliance want further reassurances, while the Open Rights Group has warned that it will be pushed to block an increasing number of sites.

However, Brown struck a more positive note about the BBFC, saying that his experience working with it on parental controls and mobile networks had been positive. "I found them thoughtful and pragmatic," he said, adding that their quarterly reports on cases of purported under or over-blocking were "a welcome degree of transparency".

Brown said he hoped the guidance would offer extra detail for other parties that can be told to take action, like the ISPs. He pointed out that only big providers are required to take action for court-ordered copyright and trademark blocks, but the regulator hasn't confirmed small ISPs will be out of scope.

If they are caught by the law, it's likely some won't have the resources needed to automate blocking on a large scale; Adrian Kennard, boss of UK ISP Andrews & Arnold, previously told El Reg that even blocking on a DNS level would be "an administrative pain in the neck" for his firm.
