Advertisement

The UK’s porn license plan remains a mess

Badly conceived, badly thought-out. Just bad.

Cecilie_Arcurs via Getty Images

It's April in the UK, and you'd quite like to enjoy some online adult content. But before you can, you need to walk to your nearest retailer. You shuffle, hesitantly, toward the cashier, mindful of the other patrons, and mumble that you'd like to buy a porn license. As your gaze falls toward your shoes, the cashier responds, a little too loudly, if it's for Pornhub or somewhere else.

The situation could be reality in a matter of weeks if the UK's much-delayed and seemingly unworkable age verification plans actually happen. Despite the project beginning in 2017, the change will take plenty of users by surprise, including those people who regularly watch adult content. According to polling agency YouGov, more than two-thirds of Britons are unaware of the project.

Essentially, you'll need to (legally) prove that you are over 18 if you're based in the UK and want to access adult content online. That will require you to, at the least, pay to share your personal details and credit-card number with an online service. At most, you'll be required to purchase a physical token, like a phone card, from a brick-and-mortar retailer which can judge your age.

One company, OCL, told Wired that it will sell its version of an age-verification card for £5 for use on a single device or £9 for multiple ones. AgePass , another system, will charge £10 for an age-verification card and store your details on a private blockchain. Others will require you to offer up your driving license, credit-card number or passport online to verify your status.

That, however, could be a problem because handing personal data over to a third party is fraught with risks. Mindgeek , which is likely to run the de facto standard AV system with AgeID , has a patchy record of data security. Mindgeek sites, which include Pornhub, YouPorn, Digital Playground and Brazzers have, collectively, leaked personal data for almost two million people.

Not that a government-approved and run regulator hosting this information would necessarily be better. Elsewhere, lists of people's sexualities have previously been used to coerce, marginalize and kill folks in, and under, oppressive regimes. Data breaches are also harmful in other ways. In the aftermath of the Ashley Madison hack, some people died by suicide.

There are still several unknowns about how age verification will work because the government has dithered so much. Rather than create a dedicated regulator, officials handed responsibility for the project to the British Board of Film Classification. The BBFC is a non-governmental body founded in 1912 by the British film industry as a bulwark against government censorship.

The BBFC has promised to produce a list of third-party processors that will administer the AV system on its behalf. Unfortunately, at the time of publication, and with just days before the expected start date, the page is empty. To be fair to the BBFC, however, its hands are tied by the government, and it cannot begin doing its job until officials give their blessing.

We also don't know if users will be able to verify their age once (and for all), or if they'll need to do it once for every AV provider. That's the problem of creating these plans behind closed doors and without consultation from respected experts. Jim Killock of the Open Rights Group said it was troubling that such-wide ranging legislation was written "in the dark" and without proper regard for privacy protections. He went on to warn that "data leaks of sexual habits" could become a real problem in the very near future .

All of this effort may be for nothing because there are technical and practical holes that the law doesn't cover. Even the BBFC doesn't believe that age verification will prevent under 18s from accessing adult content. On its website, the body says "Age verification is not a silver bullet," adding that "determined teenagers will find ways to access pornography." The aim of the project, as far as it's concerned, is to try to mitigate the risks of "stumbling across" material.

Ironically, this law doesn't cover social media, which is likely to be a much easier way for minors to access adult content. If someone is Googling for porn, they will find it, but social media offers far more vectors for inadvertent exposure. Tumblr, Facebook and Twitter, among others, have pledged to stamp out this form of content, but self-policing at scale is hard. And it's likely that determined teenagers and determined adults will easily find ways around the legislation. Not to mention that, with the exception of tube sites, most commercial adult-content sites are already behind a paywall .

While the regulator hasn't made this explicitly clear, it's likely that adult-content websites will check to see if a UK IP address is visiting it. If so, it'll direct it to an age-verification page that the user will need to clear before accessing the site. This means that the system could be easily gamed by the use of any VPN service with servers outside the UK. So what'll millions upon millions of porn users do? Set up VPNs to escape the problem. And suddenly a massive chunk of online traffic goes underground, worsening the problems that already exist with this content and making authorities' lives harder.

PornHub even offers its own VPN for users, and the service's free tier lets you access adult content via a US server. When we asked the company about this, VP Corey Price said " VPNhub is a separate service and not related to AgeID ." You can decide for yourself if it's ethical for a company to be both poacher and gamekeeper. Nick Cowen , writing for Backlash, feels the firm is running its own "Bootlegger and Baptist Coalition."

And, of course, if the cards are available at several retailers, it's likely that some will be less stringent in their checking than others. Every teenager in Britain knows which stores they can buy beer from or knows an older teen who can pass for an adult , after all .

In the end, we 'll be left with a system that can't work, run by a company that doesn't want it to work, and that won't protect the very people it's intended to protect.