Internet Porn Censorship

VPNCompare is reporting that internet users in Britain are responding to the upcoming porn censorship regime by investigating the option to get a VPN so as to workaround most age verification requirements without handing over dangerous identity details.

VPNCompare says that the number of UK visitors to its website has increased by 55% since the start date of the censorship scheme was announced. The website also sated that Google searches for VPNs had trippled. Website editor, Christopher Seward told the Independent:

We saw a 55 per cent increase in UK visitors alone compared to the same period the previous day. As the start date for the new regime draws closer, we can expect this number to rise even further and the number of VPN users in the UK is likely to go through the roof.

The UK Government has completely failed to consider the fact that VPNs can be easily used to get around blocks such as these.

Whilst the immediate assumption is that porn viewers will reach for a VPN to avoid handing over dangerous identity information, there may be another reason to take out a VPN, a lack of choice of appropriate options for age validation.

3 companies run the 6 biggest adult websites. Mindgeek owns Pornhub, RedTube and Youporn. Then there is Xhamster and finally Xvideos and xnxx are connected.

Now Mindgeek has announced that it will partner with Portes Card for age verification, which has options for identity verification, giving a age verified mobile phone number, or else buying  a voucher in a shop and showing age ID to the shop keeper (which is hopefully not copied or recorded).

Meanwhile Xhamster has announced that it is partnering with 1Account which accepts a verified mobile phone, credit card, debit card, or UK drivers licence. It does not seem to have an option for anonymous verification beyond a phone being age verified without having to show ID.

Perhaps most interestingly is that both of these age verifiers are smart phone based apps. Perhaps the only option for people without a phone is to get a VPN. I also spotted that most age verification providers that I have looked at seem to be only interested in UK cards, drivers licences or passports. I'd have thought there may be legal issues in not accepting EU equivalents. But foreigners may also be in the situation of not being able to age verify and so need a VPN.

And of course the very fact that is no age verification option common to the major porn website then it may just turn out to be an awful lot simpler just to get a VPN.

The Interrogator :

Is it safe?

The BBFC (on its Age Verification website)...err...no!...:

An assessment and accreditation under the AVC is not a guarantee that the age-verification provider and its solution (including its third party companies) comply with the relevant legislation and standards, or that all data is safe from malicious or criminal interference.

Accordingly the BBFC shall not be responsible for any losses, damages, liabilities or claims of whatever nature, direct or indirect, suffered by any age-verification provider, pornography services or consumers/ users of age-verification provider's services or pornography services or any other person as a result of their reliance on the fact that an age-verification provider has been assessed under the scheme and has obtained an Age-verification Certificate or otherwise in connection with the scheme.

Zippyshare is a long running data locker and file sharing platform that is well known particularly for the distribution of porn.

Last month UK users noted that they have been blocked from accessing the website and that it can now only be accessed via a VPN.

Zippyshare themselves has made no comment about the block, but TorrentFreak have investigated the censorship and have determined that the block is self imposed and is not down to action by UK courts or ISPs.

Alan wonders if this is a premature reaction to the Great British Firewall, noting it's quite a popular platform for free porn.

Of course it poses the interesting question that if websites generally decide to address the issue of UK porn censorship by self imposed blocks, then keen users will simply have to get themselves VPNs. Being willing to sign up for age verification simply won't work. Perhaps VPNs will be next to mandatory for British porn users, and age verification will become an unused technology.

The Government has been very secretive about its progress towards the starting of internet censorship for porn in the UK. Meanwhile the appointed internet porn censor, the BBFC, has withdrawn into its shell to hide from the flak. It has uttered hardly a helpful word on the subject in the last six months, just at a time when newspapers have been printing uniformed news items based on old guesstimates of when the scheme will start.

The last target date was specified months ago when DCMS minister Margot James suggested that it was intended to get the scheme going around Easter of 2019. This date was not achieved but the newspapers seem to have jumped to the conclusion that the scheme would start on 1st April 2019. The only official response to this false news is that the DCMS will now be announcing the start date shortly.

So what has been going on?

Well it seems that maybe the government realised that asking porn websites and age verification services to demand that porn users identify themselves without any real legal protection on how that data can be used is perhaps not the wisest thing to do. Jim Killock of Open Rights Group explains that the delays are due to serious concerns about privacy and data collection:

When they consulted about the shape of age verification last summer they were surprised to find that nearly everyone who wrote back to them in that consultation said this was a privacy disaster and they need to make sure people's data doesn't get leaked out.

Because if it does it could be that people are outed, have their relationships break down, their careers could be damaged, even for looking at legal material.

The delays have been very much to do with the fact that privacy has been considered at the last minute and they're having to try to find some way to make these services a bit safer. It's introduced a policy to certify some of the products as better for privacy (than others) but it's not compulsory and anybody who chooses one of those products might find they (the companies behind the sites) opt out of the privacy scheme at some point in the future.

And there are huge commercial pressures to do this because as we know with Facebook and Google user data is extremely valuable, it tells you lots about what somebody likes or dislikes or might want or not want.

So those commercial pressures will kick in and they'll try to start to monetise that data and all of that data if it leaked out would be very damaging to people so it should simply never be collected.

So the government has been working on a voluntary kite mark scheme to approve age verifiers that can demonstrate to an auditor they will keep user data safe. This scheme seems to be in its early stages as the audit policy was first outlines to age verifiers on 13th March 2019. AvSecure reported on Twitter:

Friday saw several AV companies meet with the BBFC & the accreditation firm, who presented the framework & details of the proposed scheme.

Whilst the scheme itself seems very deep & comprehensive, there were several questions asked that we are all awaiting answers on.

The Register reports that AgeID has already commissioned a data security audit using the information security company, the NCC Group. Perhaps that company can therefore be rapidly approved by the official auditor, whose identity seems to being kept secret.

So the implementation schedule must presumably be that the age verifiers get audited over the next couple of months and then after that the government can give websites the official 3 months notice required to give websites time to implement the now accredited age verification schemes.

The commencement date will perhaps be about 5 or 6 months from now.

Update: Announcement this week

31st March 2019. See  article from thetimes.co.uk

The government is expected to announce a timetable on Wednesday for the long-awaited measure to force commercial providers of online porn to check users' ages.

The BBFC seems a little behind the curve in its role as porn censor. Its initial draft of its guidelines gave absolutely no concern for the safety and well being of porn users. The BBFC spoke of incredibly sensitive identity and browsing date being entrusted to adult websites and age verifiers, purely on the forlorn hope that these companies would follow 'best practice' voluntary guidelines to keep the data safe. The BBFC offered next to no guidelines that defined how age verification should work and what it really needs to do.

As time has moved on, it has obviously occurred to the BBFC or the government that this was simply not good enough, so we are now waiting on the implementation of some sort of kite marking scheme to try to provide at least a modicum of trust in age verifiers to keep this sensitive data safe.

But even in this period of rework, the BBFC hasn't been keeping interested parties informed of what's going on. The BBFC seem very reluctant to advise or inform anyone of anything. Perhaps the rework is being driven by the government and maybe the BBFC isn't in a position to be any more helpful.

Anyway it is interesting to note that in an article from stopageverification.org.uk , that the BBFC has been reported to being overstepping the remit of the age verification laws contained in the Digital Economy Act:

The BBFC posts this on the Age verifiers website :

All types of pornographic content are within the scope of the legislation. The legislation does not exclude audio or text from its definition of pornography. All providers of commercial online pornography to persons in the UK are required to comply with the age-verification requirement.

Except that's not what the legislation says :

Pornographic material is defined in s.15 of the act. This sets out nine categories of material. Material is defined in that section (15(2) as material means204 (a) a series of visual images shown as a moving picture, with or without sound; (b) a still image or series of still images, with or without sound; or (c) sound;

It clearly doesn't mention text.

The BBFC need to be clear in their role as Age Verifier. They can only apply the law as enacted by Parliament. If they seek to go beyond that they could be at risk of court action.

Despite the prevailing porn ban in Uganda, it can safely be said that pornographic materials and information has never been more consumed than now. The latest web rankings from Alexa show that Ugandans consume more pornographic materials and information than news and government information, among other relevant materials.

The US website Porn555.com is ranked as the 6th most popular website in Uganda, ahead of Daily Monitor, Twitter, BBC among others.

The country's internet censors claim to have blocked 30 of the main porn websites so perhaps that is the reason for porn555 to be the most popular rather then the more obvious PornHub, YouPorn, xHamster etc.

Sky News has learned that the government has delayed setting a date for when age verification rules will come into force due to concerns regarding the security and human rights issues posed by the rules. A DCMS representative said:

This is a world-leading step forward to protect our children from adult content which is currently far too easy to access online.

The government, and the BBFC as the regulator, have taken the time to get this right and we will announce a commencement date shortly.

Previously the government indicated that age verification would start from about Easter but the law states that 3 months notice must be given for the start date. Official notice has yet to be published so the earliest it could start is already June 2019.

The basic issue is that the Digital Economy Act underpinning age verification does not mandate that identity data and browsing provided of porn users should be protected by law. The law makers thought that GDPR would be sufficient for data protection, but in fact it only requires that user consent is required for use of that data. All it requires is for users to tick the consent box, probably without reading the deliberately verbose or vague terms and conditions provided. After getting the box ticked the age verifier can then do more or less what they want to do with the data.

Realising that this voluntary system is hardly ideal, and that the world's largest internet porn company Mindgeek is likely to become the monopoly gatekeeper of the scheme, the government has moved on to considering some sort of voluntary kitemark scheme to try and convince porn users that an age verification company can be trusted with the data. The kitemark scheme would appoint an audit company to investigate the age verification implementations and to approve those that use good practises.

I would guess that this scheme is difficult to set up as it would be a major risk for audit companies to approve age verification systems based upon voluntary data protection rules. If an 'approved' company were later found to be selling, misusing data or even getting hacked, then the auditor could be sued for negligent advice, whilst the age verification company could get off scot-free.

We met to discuss BBFC's voluntary age verification privacy scheme, but BBFC did not attend. Open Rights Group met a number of age verification providers to discuss the privacy standards that they will be meeting when the scheme launches, slated for April. Up to 20 million UK adults are expected to sign up to these products.

We invited all the AV providers we know about, and most importantly, the BBFC, at the start of February. BBFC are about to launch a voluntary privacy standard which some of the providers will sign up to. Unfortunately, BBFC have not committed to any public consultation about the scheme, relying instead on a commercial provider to draft the contents with providers, but without wider feedback from privacy experts and people who are concerned about users.

We held the offices close to the BBFC's offices in order that it would be convenient for them to send someone that might be able to discuss this with us. We have been asking for meetings with BBFC about the privacy issues in the new code since October 2018: but have not received any reply or acknowledgement of our requests, until this morning, when BBFC said they would be unable to attend today's roundtable. This is very disappointing.

BBFC's failure to consult the public about this standard, or even to meet us to discuss our concerns, is alarming. We can understand that BBFC is cautious and does not wish to overstep its relationship with its new masters at DCMS. BBFC may be worried about ORG's attitude towards the scheme: and we certainly are critical. However, it is not responsible for a regulator to fail to talk to its potential critics.

We are very clear about our objectives. We are acting to do our best to ensure the risk to adult users of age verification technologies are minimised. We do not pose a threat to the scheme as a whole: listening to us can only result in making the pornographic age verification scheme more likely to succeed, and for instance, to avoid catastrophic failures.

Privacy concerns appear to have been recognised by BBFC and DCMS as a result of consultation responses from ORG supporters and others, which resulted in the voluntary privacy standard. These concerns have also been highlighted by Parliament, whose regulatory committee expressed surprise that the Digital Economy Act 2017 had contained no provision to deal with the privacy implications of pornographic age verification.

Today's meeting was held to discuss:

• What the scheme is likely to cover; and what it ideally should cover;

• Whether there is any prospect of making the scheme compulsory;

• What should be done about non-compliant services;

• What the governance of the scheme should be in the long tern, for instance whether it might be suitable to become an ICO backed code, or complement such as code

As we communicated to BBFC in December 2018, we have considerable worries about the lack of consultation over the standard they are writing, which appears to be truncated in order to meet the artificial deadline of April this year. This is what we explained to BBFC in our email:

• Security requires as many perspectives to be considered as possible.

• The best security standards eg PCI DSS are developed in the open and iterated

• The standards will be best if those with most to lose are involved in the design.
   

  • For PCI DSS, the banks and their customers have more to lose than the processors

  • For Age Verification, site users have more to lose than the processors, however only the processors seem likely to be involved in setting the standard

We look forward to BBFC agreeing to meet us to discuss the outcome of the roundtable we held about their scheme, and to discuss our concerns about the new voluntary privacy standard. Meanwhile, we will produce a note from the meeting, which we believe was useful. It covered the concerns above, and issues around timing, as well as strategies for getting government to adjust their view of the absence of compulsory standards, which many of the providers want. In this, BBFC are a critical actor. ORG also intends as a result of the meeting to start to produce a note explaining what an effective privacy scheme would cover, in terms of scope, risks to mitigate, governance and enforcement for participants.

Bangladesh internet censors have blocked almost 20,000 websites as part of an anti-pornography campaign, a minister has reported.

ISPs have blocked pornography and gambling websites in the past week under orders from the telecommunications censor. war, Mustafa Jabbar, the posts and telecommunications minister, told AFP:

I want to create a safe and secure internet for all Bangladeshis, including children. And this is my war against pornography. And this will be a continuous.

Popular social media apps such as TikTok and Bigo - which authorities believe are misused - have also been blocked

Update: And of course the government took the opportunity to ban a few other things too

26th February 2019. See article from dw.com

While most of the blocked sites are foreign, a few local websites and social media platforms have also been targeted by the government censorship. One of these websites, somewhereinblog.net, is the largest Bengali-language community blog platform in the world.

The post and telecommunications minister blamed the site for spreading atheism in Bangladesh.

A group of 33 Bangladeshi university teachers, journalists, bloggers, and activists have demanded that the government lift the ban on the blog platform immediately.