The UK Porn Block is an upcoming regulation developed to restrict access to explicit content by having adult websites implement age checking systems. Part of the Digital Economy Act 2017, the regulation is aimed at preventing children from viewing inappropriate images and videos online. The block has been met with scepticism as it is assumed that the regulation will simply push people towards the use of virtual private networks (VPNs) to continue using the websites with no interference.
Consequently, providers will also be creating a database with users' personal data, a database which will surely attract criminals. The upside is, without yet being enforced, the block has sparked widespread social dialogue, and many child safety experts would agree that if it helps to ignite conversations between parents and their children, it is likely to have a positive impact on society at large.
- Young people 'will use VPNs' to beat porn block, gambling age ban
- The legal ins and outs of the UK Porn Block
- How the UK Porn Block could give one company an unfair advantage
AgeID
In response to the Porn Block, MindGeek – the parent company of PornHub and YouPorn - has created an age verification system called AgeID.
The system requires users to register with an account and, once the account is verified via email, the user is redirected to a third-party provider which verifies the origin of the ID. The user can select several ways to confirm his or her age, including verifying through mobile text message, credit card, a passport or a driving license. The provider then sends a pass/fail response to AgeID, and in doing so separates the data sets. This intentional separation prevents AgeID from accessing and, most importantly, storing personal data.
MindGeek states that users will not need to verify multiple times and there only will be a simple sign-in form for future access. This verification system will allow users to seamlessly access the websites that use AgeID (not only the MindGeek ones) across multiple devices without having to verify their age again. The AgeID system is encrypted with a stronger “salted, one-way hash”. This choice creates stronger security: it will slow down attackers in case of a breach, as a salted hash will show different encryptions for every password, even if different users have the same one.
This authentication method and the necessity to verify the age of users has raised a series of well-founded concerns.
Privacy concerns
First of all, the necessity to check age means that a database storing personal data to allow for single-time verification will inadvertently be created. These websites have 92 million visitors every day, and the UK is the second biggest traffic driver to them (after the US). Adult websites’ traffic in the UK is only surpassed by entertainment (hello, Netflix and YouTube) and search engines. From July, however, most of the users will generate huge amounts of personal data that will be stored with third-party providers. Providers that could be hacked and data that could end up in the wrong hands.
What makes it worse is the personal data will, albeit indirectly, be linked to an account, and thus to the search and view histories on these websites. This is a much easier way for criminals to get their hands on big amounts of sensitive personal data. Such information would be very sought after on the black market for criminals to use in extortion and spear phishing scams, identity theft and remote access. Users need to brace for waves of scams targeting people with their most private information.
Security concerns
It is imperative that third-party providers have strong cybersecurity. In the first months of launch, they will become a prime target for criminals and thus need strong firewalls to keep attackers at bay. Providers absolutely need to ensure that they can both safely store the information and that their encryption is complex enough to keep the personal information protected.
The introduction of this block as a first in the UK poses a behavioural challenge. Humans are creatures of habit, and this might be one that they will not want to change. Some users will likely not want to register and give away their personal details, nor will they want to go through the awkward in-person purchase of a Portes Pass, the only alternative to the online age verification system, at their local store. People will thus turn to VPNs, that replace their IP address, and ToR, a software that provides anonymous online access, to use these websites the same way they are used to which allow them to use the software without a login.
Effectiveness of the UK porn block
It is unclear how effective this block will be since verification is only needed once. Children could potentially stumble upon explicit content, much as they do now, if parents forget to log out. Although the AgeID system can be avoided by purchasing a Portes Pass (dubbed the “porn pass”), which does not require uploading any personal data, it is not yet clear which will be the most popular among users. It seems much simpler for them to undergo a single verification, which is the more anonymous option, rather than having to go to the corner shop and go through the unpleasant situation of purchasing the pass in person.
Research shows that consumers tend to be concerned about their privacy and data in theory but do little to protect it. So it would be no surprise if the AgeID system, with its perceived anonymity, would be a preference over the pass. The bottom line is, if you do choose to create an account, make sure you have a unique and complex password to protect it.
Despite all the concerns explored above, the underlying reason for this block is to ensure that minors do not accidentally stumble upon adult content. It is important to ensure that explicit images do not end up on websites where they do not belong. Moreover, the block is a good conversation starter, as it is important for parents to address the topics of both adult content and consent with their children and if the block succeeds at doing this, it will have a long-term positive impact on society.
Jake Moore, Security Specialist at ESET
