The Open Rights Group comments on the government censorship plans:
Online Harms: Blocking websites doesn't work -- use a rights-based approach instead
Blocking websites isn't working. It's not keeping children safe and it's stopping vulnerable people from accessing information they need. It's not the right approach to take on Online Harms.
This is the finding from our recent research into website blocking by mobile and broadband Internet providers. And yet, as part of its Internet regulation agenda, the UK Government wants to roll out even more blocking.
The Government's Online Harms White Paper is focused on making online companies fulfil a "duty of care" to protect users from "harmful content" -- two terms that remain troublingly ill-defined.
The paper proposes giving a regulator various punitive measures to use against companies that fail to fulfil this duty, including powers to block websites.
If this scheme comes into effect, it could lead to widespread automated blocking of legal content for people in the UK.
Mobile and broadband Internet providers have been blocking websites with parental control filters for five years. But through our
Blocked project -- which detects incorrect website blocking -- we know that systems are still blocking far too many sites and far too many types of sites by mistake.
Thanks to website blocking, vulnerable people and under-18s are losing access to crucial information and support from websites including counselling, charity, school, and sexual health websites. Small businesses are losing customers. And website
owners often don't know this is happening.
We've seen with parental control filters that blocking websites doesn't have the intended outcomes. It restricts access to legal, useful, and sometimes crucial information. It also does nothing to prevent people who are
determined to get access to material on blocked websites, who often use VPNs to get around the filters. Other solutions like filters applied by a parent to a child's account on a device are more appropriate.
Unfortunately, instead of noting these problems inherent to website blocking by Internet providers and rolling back, the Government is pressing ahead with website blocking in other areas.
Blocking by Internet providers may not work for long. We are seeing a technical shift towards encrypted website address requests that will make this kind of website blocking by Internet providers much more difficult.
When I type a human-friendly web address such as openrightsgroup.org into a web browser and hit enter, my computer asks a Domain Name System (DNS) for that website's computer-friendly IP address - which will look something like 18.104.22.168. My web browser can then use that computer-friendly address to load the website.
At the moment, most DNS requests are unencrypted. This allows mobile and broadband Internet providers to see which website I want to visit. If a website is on a blocklist, the system won't return the actual IP address to my computer. Instead, it
will tell me that that site is blocked, or will tell my computer that the site doesn't exist. That stops me visiting the website and makes the block effective.
Increasingly, though, DNS requests are being encrypted. This provides much greater security for ordinary Internet users. It also makes website blocking by Internet providers incredibly difficult. Encrypted DNS is becoming widely available through
Google's Android devices, on Mozilla's Firefox web browser and through Cloudflare's mobile application for Android and iOS. Other encrypted DNS services are also available.
Blocking websites may be the Government's preferred tool to deal with social problems on the Internet but it doesn't work, both in policy terms and increasingly at a technical level as well.
The Government must accept that website blocking by mobile and broadband Internet providers is not the answer. They should concentrate instead on a rights-based approach to Internet regulation and on educational and social approaches that address
the roots of complex societal issues.
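The DNS-level blocking and the effect of encrypted lookups described in the Open Rights Group piece above, as an added example (not code from the Open Rights Group or from any Internet provider): a toy filtering resolver working on DNS wire format, plus a client-side check that compares its answer with a reference answer. All host names, addresses, the blocklist and the function names are constructed for illustration.

```python
import socket
import struct

# Constructed data: documentation-range addresses and .example names only.
ZONE = {"adult.example": "198.51.100.20",
        "counselling.example": "198.51.100.30",
        "school.example": "198.51.100.40"}
# A blocklist that has wrongly swept up a counselling site, as the article describes.
BLOCKLIST = {"adult.example", "counselling.example"}
BLOCK_PAGE_IP = "192.0.2.1"
# Stand-in for what the provider sees of an encrypted lookup: a TLS record header
# followed by ciphertext (constructed bytes, not a real capture).
OPAQUE_TLS_RECORD = b"\x17\x03\x03\x00\x40" + bytes(range(64))


def build_query(name, txid=0x1234):
    """Unencrypted DNS query for an A record, as sent to port 53."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, one question
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_name(packet, pos=12):
    """Decode the label sequence at pos; return (name, offset after the name)."""
    labels = []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            return ".".join(labels).lower(), pos
        if length > 63 or pos + length > len(packet):
            raise ValueError("bad label")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length


def visible_name(payload):
    """Name an on-path filter can read, or None if this is not a plaintext query."""
    try:
        flags, qdcount = struct.unpack("!HH", payload[2:6])
        if flags & 0x8000 or qdcount != 1:      # a response, or not DNS at all
            return None
        return read_name(payload)[0]
    except (struct.error, ValueError):
        return None


def filtering_resolver(query, mode="nxdomain"):
    """Answer a plaintext query the way the article says a filtering resolver does."""
    name, end = read_name(query)
    question = query[12:end + 4]                 # name + QTYPE + QCLASS
    blocked = name in BLOCKLIST
    if name not in ZONE or (blocked and mode == "nxdomain"):
        # "tell my computer that the site doesn't exist": RCODE 3, no answer
        return query[:2] + struct.pack("!HHHHH", 0x8183, 1, 0, 0, 0) + question
    # otherwise answer, swapping in the block page address for listed names
    ip = BLOCK_PAGE_IP if blocked else ZONE[name]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + question + answer


def parse_answer(response):
    """Return (rcode, first A record or None) for responses shaped like ours."""
    flags, _, ancount = struct.unpack("!HHH", response[2:8])
    _, pos = read_name(response)
    pos += 4                                     # skip QTYPE and QCLASS
    if ancount == 0:
        return flags & 0xF, None
    # 2-byte compressed name + type, class, TTL, length = 12 bytes before the address
    return flags & 0xF, socket.inet_ntoa(response[pos + 12:pos + 16])


def classify(response, reference_ip):
    """Compare a filtered answer with one from a trusted reference resolver."""
    rcode, ip = parse_answer(response)
    if rcode == 3:
        return "blocked: resolver says the site does not exist"
    if ip != reference_ip:
        return f"blocked: redirected to {ip}"
    return "resolved normally"


if __name__ == "__main__":
    for host in ZONE:
        query = build_query(host)
        for mode in ("nxdomain", "redirect"):
            verdict = classify(filtering_resolver(query, mode), ZONE[host])
            print(f"{visible_name(query):22} {mode:9} {verdict}")
    print("encrypted lookup, name visible to filter:", visible_name(OPAQUE_TLS_RECORD))
```

The wrongly listed counselling site is reported as blocked in both modes, while the filter cannot read any name from the opaque record, which is why it cannot act on an encrypted lookup.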
Offsite Article: CyberLegal response to the Online Harms Consultation
The Digital Policy Alliance (DPA) is a private lobby group connecting digital industries with Parliament. Its industry members include both Age Verification (AV) providers, eg OCL, and adult entertainment, eg Portland TV.
Just before the Government announcement that the commencement of adult verification requirements for porn websites would be delayed, the DPA wrote a letter explaining that the industry was not yet ready to implement AV, and had asked for a 3
The letter is unpublished but fragments of it have been reported in news reports about AV.
The Telegraph reported:
The Digital Policy Alliance called for the scheme to be delayed or risk nefarious companies using this opportunity to harvest and manipulate user data.
The strongly-worded document complains that the timing is very tight, a fact that has put some AVPs [age verification providers] and adult entertainment providers in a very difficult situation.
It warns that unless the scheme is delayed there will be less protection for public data, as it appears that there is an intention for uncertified providers to use this opportunity to harvest and manipulate user data.
Rowland Manthorpe from Sky News contributed a few interesting snippets too. He noted that the AVPs were unsurprisingly not pleased by the government delay:
Serge Acker, chief executive of OCL, which provides privacy-protecting porn passes for purchase at newsagents, told Sky News: As a business, we have been gearing up to get our solution ready for July 15th and we, alongside many other businesses,
could potentially now be being endangered if the government continues with its attitude towards these delays.
Not only does it make the government look foolish, but it's starting to make companies like ours look it too, as we all wait expectantly for plans that are only being kicked further down the road.
There are still issues with how the AV providers can make money
And interestingly Manthorpe revealed in the accompanying video news report that the AV providers were also distinctly unimpressed by the BBFC stipulating that certified AV providers must not use Identity Data provided by porn users for any other
purpose than verifying age. The sensible idea being that the data should not be made available for the likes of targeted advertising. And one particular example of prohibited data re-use has caused particular problems, namely that ID data
should not be used to sign people up for digital wallets.
Now AV providers have got to be able to generate their revenue somehow. Some have proposed selling AV cards in newsagents for about £10, but others had been planning on using AV to generate a customer base for their digital wallet schemes.
So it seems that there are still quite a few fundamental issues that have not yet been resolved in how the AV providers get their cut.
Some AV providers would rather not sign up to BBFC accreditation
Maybe these issues with BBFC AV accreditation requirements are behind a move to use an alternative standard. An AV provider called VeriMe has announced that it has become the first AV company to receive a PAS1296 certification.
The PAS1296 was developed between the British Standards Institution and the Age Check Certification Scheme (ACCS). It stands for Public Accessible Specification and is designed to define good practice standards for a product, service or process.
The standard was also championed by the Digital Policy Alliance.
Rudd Apsey, the director of VeriMe said:
The PAS1296 certification augments the voluntary standards outlined by the BBFC, which don't address how third-party websites handle consumer data, Apsey added. We believe it fills those gaps and is confirmation that VeriMe is indeed leading the
world in the development and implementation of age verification technology and setting best practice standards for the industry.
We are incredibly proud to be the first company to receive the standard and want consumers and service providers to know that come the July 15 roll out date, they can trust VeriMe's systems to provide the most robust solution for age
This is not a very convincing argument as PAS1296 is not available for customers to read (unless they pay about 120 quid for the privilege). At least the BBFC standard can be read by anyone for free, and they can then make up their own minds as
to whether their porn browsing history and ID data is safe.
However it does seem that some companies at least are planning to give the BBFC accreditation scheme a miss.
The BBFC standard fails to provide safety for porn users' data anyway.
The AV company 18+ takes issue with the BBFC accreditation standard, noting that it allows AV providers to dangerously log people's porn browsing history:
Here's the problem with the design of most age verification systems: when a UK user visits an adult website, most solutions will present the user with an inline frame displaying the age verifier's website or the user will be redirected to the
age verifier's website. Once on the age verifier's website, the user will enter his or her credentials. In most cases, the user must create an account with the age verifier, and on subsequent visits to the adult website, the user will enter his
account details on the age verifier's website (i.e., username and password). At this point in the process, the age verifier will validate the user and, if the age verifier has a record of the user being at least age 18, will redirect the user back
to the adult website. The age verification system will transmit to the adult website whether the user is at least age 18 but will not transmit the identity of the user.
The flaw with this design from a user privacy perspective is obvious: the age verification website will know the websites the user visits. In fact, the age verification provider obtains quite a nice log of the digital habits of each user. To be
fair, most age verifiers claim they will delete this data. However, a truly privacy first design would ensure the data never gets generated in the first place because logs can inadvertently be kept, hacked, leaked, or policies might change in
the future. We viewed this risk to be unacceptable, so we set about building a better system.
Almost all age verification solutions set to roll out in July 2019 do not provide two-way anonymity for both the age verifier and the adult website, meaning, there remains some log of -- or potential to log -- which adult websites a UK based
In fact one AV provider revealed that up until recently the government demanded that AV providers keep a log of people's porn browsing history and it was a bit of a late concession to practicality that companies were able to opt out if they
Note that the logging capability is kindly hidden by the BBFC by passing it off as being used for only as long as is necessary for fraud prevention. Of course that is just smoke and mirrors, fraud, presumably meaning that passcodes could be given
or sold to others, could happen anytime that an age verification scheme is in use, and the time restriction specified by the BBFC may as well be forever.
Jeremy Wright, the Secretary of State for Digital, Culture, Media and Sport addressed parliament to explain that the start date for the Age Verification scheme for porn has been delayed by about 6 months. The reason is that the Government failed to
inform the EU about laws that affect free trade (eg those that allow EU websites to be blocked in the UK). Although the main Digital Economy Act was submitted to the EU, extra bolt on laws added since, have not been submitted. Wright
In autumn last year, we laid three instruments before the House for approval. One of them -- the guidance on age verification arrangements -- sets out standards that companies need to comply with. That should have been notified to the European
Commission, in line with the technical standards and regulations directive, and it was not. Upon learning of that administrative oversight, I instructed my Department to notify this guidance to the EU and re-lay the guidance in Parliament as
soon as possible. However, I expect that that will result in a delay in the region of six months.
Perhaps it would help if I explained why I think that six months is roughly the appropriate time. Let me set out what has to happen now: we need to go back to the European Commission, and the rules under the relevant directive say that there
must be a three-month standstill period after we have properly notified the regulations to the Commission. If it wishes to look into this in more detail -- I hope that it will not -- there could be a further month of standstill before we can take
matters further, so that is four months. We will then need to re-lay the regulations before the House. As she knows, under the negative procedure, which is what these will be subject to, there is a period during which they can be prayed against,
which accounts for roughly another 40 days. If we add all that together, we come to roughly six months.
Wright apologised profusely to supporters of the scheme:
I recognise that many Members of the House and many people beyond it have campaigned passionately for age verification to come into force as soon as possible to ensure that children are protected from pornographic material they should not see. I
apologise to them all for the fact that a mistake has been made that means these measures will not be brought into force as soon as they and I would like.
However the law has not been received well by porn users. Parliament has generally shown no interest in the privacy and safety of porn users. In fact much of the delay has been down to belatedly realising that the scheme might not get off the ground
at all unless they at least pay a little lip service to the safety of porn users.
Even now Wright decided to dismiss people's privacy fears and concerns as if they were all just deplorables bent on opposing child safety. He said:
However, there are also those who do not want these measures to be brought in at all, so let me make it clear that my statement is an apology for delay, not a change of policy or a lessening of this Government's determination to bring these
changes about. Age verification for online pornography needs to happen. I believe that it is the clear will of the House and those we represent that it should happen, and that it is in the clear interests of our children that it must.
Wright compounded his point by simply not acknowledging that, given a choice, people would prefer not to hand over their ID. Voluntarily complying websites would have to take a major hit from customers who would prefer to seek out the safety
of non-complying sites. Wright said:
I see no reason why, in most cases, they [websites] cannot begin to comply voluntarily. They had expected to be compelled to do this from 15 July, so they should be in a position to comply. There seems to be no reason why they should not.
In passing Wright also mentioned how the government is trying to counter encrypted DNS which reduces the capabilities of ISPs to block websites. Instead the Government will try and press the browser companies into doing their censorship
dirty work for them instead:
It is important to understand changes in technology and the additional challenges they throw up, and she is right to say that the so-called D over H changes will present additional challenges. We are working through those now and speaking to the
browsers, which is where we must focus our attention. As the hon. Lady rightly says, the use of these protocols will make it more difficult, if not impossible, for ISPs to do what we ask, but it is possible for browsers to do that. We are
therefore talking to browsers about how that might practically be done, and the Minister and I will continue those conversations to ensure that these provisions can continue to be effective.
The BBFC's Age-verification Certificate Standard ("the Standard") for providers of age verification services, published in April 2019, fails to meet adequate standards of cyber security and data protection and is of little use for
consumers reliant on these providers to access adult content online.
This document analyses the Standard and certification scheme and makes recommendations for improvement and remediation. It sub-divides generally into two types of concern: operational issues (the need for a statutory basis, problems caused by the
short implementation time and the lack of value the scheme provides to consumers), and substantive issues (seven problems with the content as presently drafted).
The fact that the scheme is voluntary leaves the BBFC powerless to fine or otherwise discipline providers that fail to protect people's data, and makes it tricky for consumers to distinguish between trustworthy and untrustworthy providers. In our
view, the government must legislate without delay to place a statutory requirement on the BBFC to implement a mandatory certification scheme and to grant the BBFC powers to require reports and penalise non-compliant providers.
The Standard's existence shows that the BBFC considers robust protection of age verification data to be of critical importance. However, in both substance and operation the Standard fails to deliver this protection. The scheme allows commercial
age verification providers to write their own privacy and security frameworks, reducing the BBFC's role to checking whether commercial entities follow their own rules rather than requiring them to work to a mandated set of common standards. The
result is uncertainty for Internet users, who are inconsistently protected and have no way to tell which companies they can trust.
Even within its voluntary approach, the BBFC gives providers little guidance as to what their privacy and security frameworks should contain. Guidance on security, encryption, pseudonymisation, and data retention is vague and
imprecise, and often refers to generic "industry standards" without explanation. The supplementary Programme Guide, to which the Standard refers readers, remains unpublished, critically undermining the scheme's transparency and
Grant the BBFC statutory powers:
The BBFC Standard should be substantively revised to set out comprehensive and concrete standards for handling highly sensitive age verification data.
The government should legislate to grant the BBFC statutory power to mandate compliance.
The government should enable the BBFC to require remedial action or apply financial penalties for non-compliance.
The BBFC should be given statutory powers to require annual compliance reports from providers and fine those who sign up to the certification scheme but later violate its requirements.
The Information Commissioner should oversee the BBFC's age verification certification scheme
Delay implementation and enforcement:
Delay implementation and enforcement of age verification until both (a) a statutory standard of data privacy and security is in place, and (b) that standard has been implemented by providers.
Improve the scheme content:
Even if the BBFC certification scheme remains voluntary, the Standard should at least contain a definitive set of precisely delineated objectives that age verification providers must meet in order to say that they process identity data securely.
Improve communication with the public:
Where a provider's certification is revoked, the BBFC should issue press releases and ensure consumers are individually notified at login.
The results of all penetration tests should be provided to the BBFC, which must publish details of the framework it uses to evaluate test results, and publish annual trends in results.
Strengthen data protection requirements:
Data minimisation should be an enforceable statutory requirement for all registered age verification providers.
The Standard should outline specific and very limited circumstances under which it's acceptable to retain logs for fraud prevention purposes. It should also specify a hard limit on the length of time logs may be kept.
The Standard should set out a clear, strict and enforceable set of policies to describe exactly how providers should "pseudonymise" or "deidentify" data.
Providers that no longer meet the Standard should be required to provide the BBFC with evidence that they have destroyed all the user data they collected while supposedly compliant.
The BBFC should prepare a standardised data protection risk assessment framework against which all age verification providers will test their systems. Providers should limit bespoke risk assessments to their specific technological implementation.
Strengthen security, testing, and encryption requirements:
Providers should be required to undertake regular internal and external vulnerability scanning and a penetration test at least every six months, followed by a supervised remediation programme to correct any discovered vulnerabilities.
Providers should be required to conduct penetration tests after any significant application or infrastructure change.
Providers should be required to use a comprehensive and specific testing standard. CBEST or GBEST could serve as guides for the BBFC to develop an industry-specific framework.
The BBFC should build on already-established strong security frameworks, such as the Center for Internet Security Cyber Controls and Resources, the NIST Cyber Security Framework, or Cyber Essentials Plus.
At a bare minimum, the Standard should specify a list of cryptographic protocols which are not adequate for certification.
An MP in Spain is leading an initiative to force porn websites operating in the country to install strict age verification systems.
The recently elected 26-year-old Andrea Fernandez has called to end the culture of porn among young people. The limitation of pornographic contents online was included in the electoral programme of the newly elected Prime Minister, Pedro
Sanchez (Social Democrats). The goal of the new government is to implement a new strict age verification system for these kinds of websites.
Ireland's Justice Minister Charlie Flanagan confirmed that the Irish government will consider a similar system to the UK's so-called porn block law as part of new legislation on online safety. Flanagan said:
I would be very keen that we would engage widely to ensure that Ireland could benefit from what is international best practice here and that is why we are looking at what is happening in other jurisdictions.
The Irish communications minister Richard Bruton said there are also issues around privacy laws and this has to be carefully dealt with. He said:
It would be my view that government through the strategy that we have published, we have a cross-government committee who is looking at policy development to ensure online safety, and I think that forum is the forum where I believe we will
discuss what should be done in that area because I think there is a genuine public concern, it hasn't been the subject of the Law Reform Commission or other scrutiny of legislation in this area, but it was worthy of consideration, but it does
have its difficulties, as the UK indeed has recognised also.
The South African Law Reform Commission is debating widespread changes to law pertaining to the protection of children. Much of the debate is about serious crimes of child abuse but there is a significant portion devoted to protecting children from
legal adult pornography. The commission writes:
SEXUAL OFFENCES: PORNOGRAPHY AND CHILDREN
On 16 March 2019 the Commission approved the publication of its discussion paper on sexual offences (pornography and children) for comment.
Five main topics are discussed in this paper, namely:
Access to or exposure of a child to pornography;
Creation and distribution of child sexual abuse material;
Consensual self-child sexual abuse material (sexting);
Grooming of a child and other sexual contact crimes associated with or facilitated by pornography or child sexual abuse material; and
Investigation, procedure & sentencing.
The Commission invites comment on the discussion paper and the draft Bill which accompanies it. Comment may also be made on related issues of concern which have not been raised in the discussion paper. The closing date for comment is 30 July
The methodology discussed doesn't seem to match well to the real world. The authors seem to hold a lot of stock in the notion that every device can contain some sort of simple porn block app that can render a device unable to access porn and
hence be safe for children. The proposed law suggests penalties should unprotected devices get bought, sold, or used by children. Perhaps someone should invent such an app to help out South Africa.
Watching pornography on buses is to be banned, ministers have announced. Bus conductors and the police will be given powers to tackle those who watch sexual material on mobile phones and tablets.
Ministers are also drawing up plans for a national database of claimed harassment incidents. It will record incidents at work and in public places, and is likely to cover wolf-whistling and cat-calling as well as more serious incidents.
In addition, the Government is considering whether to launch a public health campaign warning of the effects of pornography -- modelled on smoking campaigns.
As of 15 July, people in the UK who try to access porn on the internet will be required to verify their age or identity online.
The new UK Online Pornography (Commercial Basis) Regulations 2018 law does not affect the Channel Islands but the States have not ruled out introducing their own regulations.
The UK Department for Censorship, Media and Sport said it was working closely with the Crown Dependencies to make the necessary arrangements for the extension of this legislation to the Channel Islands.
A spokeswoman for the States said they were monitoring the situation in the UK to inform our own policy development in this area.
Starting with a little background into the authorship of the document under review. AVSecure CMO Steve Winyard told XBIZ:
The accreditation plan appears to have very strict rules and was crafted with significant input from various governmental bodies, including the DCMS (Department for Culture, Media & Sport), NCC Group plc (an expert security and audit firm),
GCHQ (U.K. Intelligence and Security Agency), ICO (Information Commissioner's Office) and of course the BBFC.
But computer security expert Alec Muffett writes:
This is the document which is being proffered to protect the facts & details of _YOUR_ online #Porn viewing. Let's read it together!
What could possibly go wrong?
This document's approach to data protection is fundamentally flawed.
The (considerably) safer approach - one easier to certificate/validate/police - would be to say everything is forbidden except for upon for ; you would then allow vendors to
appeal for exceptions under review.
It makes a few passes at pretending that this is what it's doing, but with subjective holes (green) that you can drive a truck through:
What we have here is a rehash of quite a lot of reasonable physical/operational security, business continuity & personnel security management thinking -- with digital stuff almost entirely punted.
It's better than #PAS1296 , but it's still not fit for purpose.
VPNCompare is reporting that internet users in Britain are responding to the upcoming porn censorship regime by investigating the option to get a VPN so as to workaround most age verification requirements without handing over dangerous
VPNCompare says that the number of UK visitors to its website has increased by 55% since the start date of the censorship scheme was announced. The website also stated that Google searches for VPNs had tripled. Website editor, Christopher Seward
told the Independent:
We saw a 55 per cent increase in UK visitors alone compared to the same period the previous day. As the start date for the new regime draws closer, we can expect this number to rise even further and the number of VPN users in the UK is likely to
go through the roof.
The UK Government has completely failed to consider the fact that VPNs can be easily used to get around blocks such as these.
Whilst the immediate assumption is that porn viewers will reach for a VPN to avoid handing over dangerous identity information, there may be another reason to take out a VPN, a lack of choice of appropriate options for age validation.
3 companies run the 6 biggest adult websites. Mindgeek owns Pornhub, RedTube and Youporn. Then there is Xhamster and finally Xvideos and xnxx are connected.
Now Mindgeek has announced that it will partner with Portes Card for age verification, which has options for identity verification, giving an age verified mobile phone number, or else buying a voucher in a shop and showing age ID to the shop
keeper (which is hopefully not copied or recorded).
Meanwhile Xhamster has announced that it is partnering with 1Account which accepts a verified mobile phone, credit card, debit card, or UK drivers licence. It does not seem to have an option for anonymous verification beyond a phone being age
verified without having to show ID.
Perhaps most interestingly is that both of these age verifiers are smart phone based apps. Perhaps the only option for people without a phone is to get a VPN. I also spotted that most age verification providers that I have looked at seem to be
only interested in UK cards, drivers licences or passports. I'd have thought there may be legal issues in not accepting EU equivalents. But foreigners may also be in the situation of not being able to age verify and so need a VPN.
And of course, given that there is no age verification option common to the major porn websites, it may just turn out to be an awful lot simpler just to get a VPN.
The BBFC (on its Age Verification website)...err...no!...:
An assessment and accreditation under the AVC is not a guarantee that the age-verification provider and its solution (including its third party companies) comply with the relevant legislation and standards, or that all data is safe from
malicious or criminal interference.
Accordingly the BBFC shall not be responsible for any losses, damages, liabilities or claims of whatever nature, direct or indirect, suffered by any age-verification provider, pornography services or consumers/ users of age-verification
provider's services or pornography services or any other person as a result of their reliance on the fact that an age-verification provider has been assessed under the scheme and has obtained an Age-verification Certificate or otherwise in
connection with the scheme.
Zippyshare is a long running data locker and file sharing platform that is well known particularly for the distribution of porn.
Last month UK users noted that they have been blocked from accessing the website and that it can now only be accessed via a VPN.
Zippyshare itself has made no comment about the block, but TorrentFreak have investigated the censorship and have determined that the block is self imposed and is not down to action by UK courts or ISPs.
Alan wonders if this is a premature reaction to the Great British Firewall, noting it's quite a popular platform for free porn.
Of course it poses the interesting question that if websites generally decide to address the issue of UK porn censorship by self imposed blocks, then keen users will simply have to get themselves VPNs. Being willing to sign up for age
verification simply won't work. Perhaps VPNs will be next to mandatory for British porn users, and age verification will become an unused technology.