The UK government has delayed the implementation of age verification requirements for porn site visitors from April to the end of 2018. The controversial regulation can be found at Part 3 of the Digital Economy Act 2017 and is designed to protect children from explicit content by requiring visitors to prove they are aged 18 or over. However, the UN High Commissioner for Human Rights finds the measure falls short of international standards and the Open Rights Group fears a data breach is “inevitable.”

How will it work?

The government is to let the industry decide on the precise method of authorisation. The online gambling industry is already required to carry out age verification and uses credit cards do so but other methods are available. Mindgeek, a giant in the porn site world which runs PornHub, have worked with technology company AgeID to create an age verification tool which uses official documents such as driving licences and passports.

This tool has been used in Germany since 2015. A spokesman for AgeID, James Clark said that it “both protects children from stumbling across adult content, and enables those of legal age to securely and privately access adult websites through a one-time verification process.” This process will enable users to access multiple sites without having to log in again.

Privacy

Critics question just how private a system of one-time verification can really be so. Jim Killock, director of the Open Rights Group, says that such a system would use cookies to trace users around the web; whilst convenient, this poses a risk to privacy. This method would require a cache of user data which would contain the personal information and porn viewing habits of verified users.

According to WIRED, PornHub had 64 million visitors per day in 2017, making it the world’s most-visited pornographic website, and the UK is its second biggest traffic driver. This data cache of UK visitors would be a honey pot for hackers, the likes of whom leaked the personal data belonging to users of the Ashley Madison infidelity site in July 2015. Ruby Life, the site’s owner, have recently offered customers $11 million in compensation for the breach.

The Office of the High Commissioner for Human Rights at the United Nations shares these concerns. In a letter sent to the UK Government, the High Commission’s Special Rapporteur for the freedom of opinion and expression, David Kaye, says “I am concerned that the age-verification provisions give the government access to information of viewing habits and citizen data. Moreover, the age-verification requirements may be subject to abuse, such as hacking, blackmail and other potential credit card fraud.”

Though the regulations “lack privacy obligations,” as the High Commissioner’s states, the Digital Economy Act is just one of several laws that govern the digital economy, some of which do impose stringent privacy obligations upon anyone who controls and processes data subject’s data. The European Union’s GDPR, which is set to take effect on the 25th May 2018 has the protection of privacy as one of its chief aims. That said, hackers are not cowed by data protection laws. A database which contains the porn habits of millions of users would be a “treasure trove,” says Myles Jackman, Legal Director of the Open Rights Group.

Censorship

In addition to privacy concerns, many see the regulation as a means of mass censorship. Once age verification is in place, compliance will be regulated by British Board of Film Classification who have the power to issue fines of up to £250,000 to sites who do not verify the age of its users. Jerry Barnett, the founder of campaign group Sex & Censorship, told WIRED that the regulations are “a first in a democracy…although this appears to be just about protecting children from porn, it isn’t. It will block any site that doesn’t comply with strict UK content rules.”

The UN’s Special Rapporteur agrees. He says, “while I am cognizant of the need to protect children against harmful content, I am concerned that the provisions under the [then] Bill are not an effective way for achieving this objective as they fall short of the standards of international human rights law.” Mr Kaye finds that the age-verification provisions do not comply with the “necessity” requirement under article 19(3) of the [International Covenant on Civil and Political Rights].”

The Governments’ wide definition of pornographic material underlies many of these concerns. Section 15 of the Digital Economy Act contains no less than 13 circumstances in which material would be defined in such a way as to come under the Act’s jurisdiction. The definitions range from any material that would be reasonable to assume from its nature would merit an R18 certificate, at s15 (1)(c), to material that is produced solely or principally for the purposes of sexual arousal, at s15(1)(e)(i).

The delay

The reason for the delay in implementation of Part 3 of the Digital Economy Act 2017 is unclear– it was announced surreptitiously at paragraph 28 of a 51 paragraph press release about UK 5G infrastructure investment– but it may be due to pressure from the technology community, digital rights campaigners, academics and the United Nations.

The Government’s own impact assessment may also have influenced the decision as it costed the system updates needed to block non-compliant sites at between £100,000- £500,000 for large internet service providers which may be proportionally larger for smaller providers. Moreover, it also cited the most extensive literature review conducted into the effects of pornography on under-18s which found that the evidence was inconclusive as to whether it was harmful or not. Given all of this, it is no surprise that the Government have decided to forestall the Act’s full implementation.