The UK government recently unveiled its long-expected plan to introduce age verification checks for citizens trying to access adult content. Unfortunately, the government’s guidance – or lack of guidance – on how websites should implement the checks is getting a lukewarm reception. Many critics are concerned about the side effects these checks may have for people’s online privacy and security.
It’s an oversight that F-Secure’s Tom Gaffney, who works with F-Secure’s operator partners to provide protection to millions of people around the world, says could increase internet users’ exposure to identity theft, malware infections, and other cyber crimes.
“Preventing kids from accessing certain types of online content, such as pornography, is in everyone’s interest. But people who share personal details with third-party age verification platforms need to know that attackers actively target this type of data, and will likely find these databases very enticing,” said Tom in a press release. “Plus, criminals will almost certainly try to trick users into disclosing personal information by creating fake websites that look like legitimate verification pages, which is another risk users need to be made aware of.”
Under the new regulations, British internet users will be required to prove their age before accessing adult websites. This could mean sharing information such as passport, driver’s license, or credit card details with third party age verification platforms. People can also purchase a “porn pass” at a local shop.
But at the same time, cyber crime has been on the upswing in the UK for several years. In 2016, the NCA’s Cyber Crime Assessment found that cyber crimes have become more common than traditional crime in the UK. And recent figures released by the Office of National Statistics confirm that cyber crime is more common than theft.
It’s the kind of climate that lends credibility to criticisms ranging from the effectiveness of the idea, to the failure to include security requirements for companies managing the checks, to privacy concerns about collecting sensitive user data.
2015’s Ashley Madison data breach highlights the potential risks better than anything else in recent history. The data stolen from the extramarital dating site had a devastating impact on some of its users. The incident was reportedly responsible for wrecked homes, blackmail, and even suicides.
Better ways to protect kids from adult content
F-Secure’s Fennel Aurora thinks the checks are trying to translate the practice of physical ID checks for use online. But it’s being done without considering how such checks backfire for many of the most vulnerable people in society.
“Clerks and people at movies don’t usually store data when they check someone’s physical ID, and what movie you go to see is far less prone to abuse than your online browsing habits. Collecting that same data and storing it in a centralized location makes it easy to steal, and easy for authoritarians and criminals alike to use for blackmail and chilling of dissent. This approach is creating a significant threat to users’ privacy, security, physical safety, and even basic human rights,” says Fennel.
One company on board with the legislation, Mindgeek, has developed its own age verification system called AgeID to comply with the new laws. Mindgeek happens to be the owner of several major adult content sites including PornHub, YouPorn, and RedTube. It’s also been the target of at least five major data breaches and malware attacks over the past eight years.
Data breaches might be a fact of life. But that just means individuals need to be critical of what they disclose when. And regulations requiring disclosures without due consideration to the security implications aren’t doing individuals or families any favors.
“On top of having data stolen after it’s been collected, people are going to have to be on the lookout for fake age checks, ‘free’ tools that market themselves as simplifying the checks but are either privacy-invasive PUAs (Potentially Unwanted Applications) or straight-up malware used in internet scams. There will also be websites that just don’t comply with the regulations,” says Fennel. “I think we’ll also likely see many websites blocking visits UK IP addresses, like we saw US websites do when the GDPR came into effect.”
But for the time being, Fennel suggests people get back to basics in protecting their children’s security and privacy. His suggestions include:
1. Talk about what kind of content is appropriate to look at and why. And, especially for younger children, regularly check the content yourself. Technology and legislation is not a replacement for communication and parenting.
2. Take advantage of tools that filter unwanted and potentially harmful content. These can include browsing protection and internet security software, but also things like adblockers and privacy protection measures.
3. Use family rules to protect kids who are too young to understand how to protect themselves online. Try to setup computers and phones to make it difficult for kids to break the rules.