Tech

Britain’s Age Verification Law Creates a Trail of Your Porn Habits

If you’re no prude, then you may have nothing to hide when Britain’s recently passed Digital Economy Act comes into full effect next year. But for those who reserve their sexual preferences and erotic experimentation for behind closed doors, now is the time to pay attention to your digital privacy.

The Digital Economy Act, which received Royal Assent in April, is advertised as being predominately focused on protecting children from accessing pornography online, but has received much criticism from privacy advocates. That’s because In order to stop children from watching pornography, the government is introducing an age verification requirement—technology that proves to a pornography website that the visitor is 18 or older. This technology is due to be implemented by 2018.

Videos by VICE

While that seems fairly straightforward—even reasonable—verifying a user’s age on the internet is a process that requires the transference of intimate personal data, causing privacy advocates to warn of a creation of a database that will essentially store information on how a user likes to ‘get off’. This is not like the trust-based age verification seen on e-cigarette websites or M-rated games on Steam. Online porn in the UK will be regulated, using an age verification system that produces data around sexuality that leaves a digital footprint of your sex life.

There are multiple ways age verification technologies can check a user’s age or confirm their identity, and porn sites operating in the UK will soon be forced to decide on an age verifying tool that works for them, or else close their business to UK customers. So what are the options?

“Think about the jeopardy that causes,”

“It was a horrifying shit show,” Alec Muffett, who sits on the board of directors for the privacy not-for-profit Open Rights Group, told Motherboard over the phone.

Muffett was referencing a small consultation that was held in 2016 for companies to present potential age verification solutions for porn sites.”This is all stick in order to regulate porn and nobody is thinking about the ramifications of the stick,” he said.

One of the solutions looks like this: log into a porn site using your credit score rating. The business providing this already knows that you’re at least 18 because it’s also in charge of telling the insurance and credit card companies all of your financial information.

“Think about the jeopardy that causes,” said Muffett.

A credit rating company knowing what porn sites you visit—on top of how you spend—does not sound like a good option.

While credit card companies are accustomed to dealing with highly sensitive information and most adhere to the Payment Card Industry Data Security Standards (PCI-DSS), which outlines what will and will not be done with your data, there are no such standards for age verification when it comes to watching porn online yet.

“Nothing in this scenario takes into account that this person is into latex, queer or kink, and what you’re doing is age verifying them for that via a speciality website,” said Muffett. “You’re building a databases of really sensitive information and there’s nothing in the specifications about information protection control.”

The lack of attention paid to data storage makes an age verification solution put forward by PornHub owner MindGeek even more worrying—it uses something called AgeID to complete the age verification checks through a third-party provider.

MindGeek claims that its age verification solution will serve approximately 25 million people in the UK within the first month of its deployment. A user will sign up to AgeID with their email address and can prove their age in multiple ways, such as ones mentioned previously. If age approved, the user receives a web cookie for their device that gets them seamless access to porn as long as the site they are visiting is also registered with AgeID.

Read more: We Talked to the Hacker Who Took Down a Fifth of the Dark Web

But this cookie also leaves a digital trail of what sites and individual pages a user visits, giving MindGeek the ability to track and link all this information together in what will be a goldmine for targeted advertising and marketplace advantage.

Motherboard has asked MindGeek what controls are in place to stop hackers from correlating the data, and what security standards are in place to mitigate an attack on AgeID, but has yet to receive a response. In response to an earlier question regarding privacy, MindGeek told Motherboard, “AgeID has been designed with customers privacy in mind, it does not store nor even see any sensitive information.”

“What price would a British tabloid newspaper pay for a list of what porn sites some random football team likes to access,” said Muffett. “That sort of titillating bullshit will carry a high price and somebody will hack into this, especially when there’s a diversity of different age verification websites possible—one of them is going to have shitty security.”

We need only to look back at the 2015 hack of dating site Ashley Madison, where data identifying users was leaked online, to understand the potential ramifications of a data honeypot. A series of resignations, breakups and suicides followed.

“So if somebody gets outed, loses their job, or alternatively, is so ashamed by the fact that they’ve been outed, commit suicide, where is the liability act?” says Muffet.

Still, a push to regulate pornography is not completely without merit, as a 2016 survey by Middlesex University found that over half of 11 to 16-year-olds had seen explicit material online, 33 percent of them via a smartphone. Internet safety advocates believe that issues related to age restricted content are not taken seriously by publishers of the material and a responsibility to control that access must therefore be enforced by regulation, in this case, a software solution verifying age.

“One of the most important things that this Act does is establish new normative standards,” said John Carr, secretary of the UK Children’s Charities Coalition on Internet Safety. “What it’s saying to pornography publishers is we do not accept that it is right for you to publish this material in a way that makes it accessible and easily available to really young children.”

Carr notes similar measures that were taken with the 2005 Gambling Act, a law that required gambling sites to implement age verification in a move that Carr says reflected the way a child should not able to place a bet online if they are not old enough to do so in the offline world.

Pornography, however, is a slightly more complicated issue—one that’s not typically based around the exchange of money and that encompasses the curious coming of age nature of sex.

Many, like Muffett, believe that age verification will not work and that legislation would be better geared toward tackling consent, rather than restricting access, which puts everyone at risk in revealing their own sexual preferences.

Subscribe to Science Solved It, Motherboard’s new show about the greatest mysteries that were solved by science.