Everything We Know About Plans to Add Age Verification to Online Porn in the UK

By Tom Pritchard on at

At some point later this year, the government will finally make good on its promise to add robust age verification checks to online porn. The law had initially been scheduled to come into effect this month (April), but ended up being postponed because nobody had worked out all the details yet. But plans have been rolling on, with the appointed regulator BBFC having just finished off the consultation about certain areas of the initial draft regulations (available to download here).

The thing is, the government hasn't been all that forthcoming with the details of what will happen and when – mainly because it didn't seem to know. Fortunately I was able to attend a briefing a couple of months ago where the topic was actually explained by people who knew what they were talking about. It turned out to be incredibly useful, and refreshing, to hear a controversial topic being discussed by someone who isn't a complete moron *cough* Amber Rudd *cough*. Now I'm relaying that information back to you. Partly because it's my job, but also because it's important.

Where Did This Come From?

This has actually been in the making for quite a long time. Every since the Conservative party (sort of) came to power in 2010, there have been murmurs of plans to do something about the easy access to porn online – with the goal publicly stated as protecting children from that content. That eventually accumulated in ISP filters that blocked a variety of content by default, including porn, gambling, social media, and other bad or naughty things. Those could be turned off, but it was decided that this wasn't enough and plans were set in motion to add robust age verification systems to porn websites.

That eventually passed through parliament as Part 3 of the updated Digital Economy Act (2017), with the outline of Section 14 (1) of the Act stating:

(1) A person contravenes this subsection if the person makes pornographic material available on the internet to persons in the United Kingdom on a commercial basis other than in a way that secures that, at any given time, the material is not normally accessible by persons under the age of 18.

That means it's a legal requirement that all sites showing pornographic material block access to everyone in the UK, unless they can bypass some sort of robust age verification that proves they are aged 18 or over. The rules haven't actually been implemented yet because the regulations and rollout plans haven't been finalised yet, but it will.

It's Currently Scheduled to Happen by the End of the Year

The original plan was to have the age verification systems online by the start of May this year, but that was delayed because the government and BBFC (which is tasked with regulating the whole thing) hadn't come up with an appropriate plan to implement it. Currently the new rules are set to come into effect before the end of the year, but there no specific dates have been announced at the time of writing. According to the BBFC, that date is ultimately up to the government, so we just have to sit around and wait.

There's always the chance that the launch will be delayed again – after all, if it happened once it can happen again – but for now 2018 looks like the year porn websites will get robust gateways to keep out the under 18s.

It's Only for People Browsing Within the UK

Information that's obvious to anyone with a basic understanding of how the law works, the age verification system will only affect people who are trying to access online pornography from within the UK. So if you go to Ireland or France for the day, you'll be able to access all the porn you like, unimpeded. From the looks of the current draft regulations, there's no distinction between between people who live here and those who are visiting, so anyone planning a British holiday should bear it in mind.

It's Not Designed to Make Porn Harder to Access

The age verification system will inevitably make watching porn more difficult, simply because people will have to get past a gateway. But according to the government it's not actually designed to keep people away from porn. Apparently we Brits consume a lot of porn, and where there is porn, there is money. Money is good for the economy, so the government naturally wants to keep that going. Politicians have made it clear that the legislation is designed to keep porn away from children, but the more specific goals are to prevent kids from accidentally coming across porn when they're not ready for it.

More specifically it's designed to try and bring the digital world in line with the real world. The government and BBFC have been quick to point out that there are established measures in place to prevent under 18s from purchasing age-restricted goods - including porn.

It may seem like a shock to hear the government say something intelligent and meaningful where technology is concerned, but it's well aware that there will be plenty of ways around the verification systems – using geo-spoofing VPNs and proxies being the most obvious method. While it's promised to try and close any loopholes, with the briefing I was in specifically mentioning Netflix's anti-proxy systems as an example of that, the initial goal is to reduce the "stumble-upon" numbers by 80 per cent. By current estimates having the top 50 porn sites (based on Alexa rankings) install age verification will solve that, and they're the sites the BBFC will be prioritising.

The government is well aware that age verification won't be an "overnight solution" to prevent children accessing porn, but if they can prevent the majority of kids from accessing it accidentally then they consider the whole thing a success. As for the systems that will be in place, the goal is to make it as quick and efficient as possible so that people don't resort to alternative measure to get by - like using VPNs. As for how the systems will prevent you from having to verify each time you visit a new page, well, that hasn't been figured out yet. Not that we know of anyway. There may be a cookie in your browser that says "OVER 18" in big shiny letters, or it could be something completely different. The only thing we can do is wait for the BBFC to finalise the regulations, and see what age verification systems pop up in the weeks that follow.

Finally, there are already plans in motion to implement age verification on other things, specifically retail websites that need to make sure people under 18 can't order things like knives or acid online.

It's Only Relevant to Commercial Porn

This is a minor distinction in the grand scheme of things, since everyone knows porn can be a very lucrative industry if you do things the right way. But the BBFC has made it clear that the regulations only affect commercial porn sites, which are defined as those earning money from the content. It doesn't matter how they earn that money, be it ads, subscriptions, donations, whatever, they'll have to fall in line. Even if they don't make a profit, having monetisation in place means it'll affect them. The only way to get away with it is to show that you have zero monetisation, which isn't going to be very large group.

Social media is a tricky situation, as are other hosting services that freely let people host their own content. Sites like Twitter, Tumblr, Reddit, and so on have to follow the same laws, but the situation is very tricky especially since a lot of that information is available to people between the ages of 13 and 18. David Cooke, director of MindGeek, has spoken out about this, singling out Twitter and insisting that the company should have to comply with the rules laid out in BBFC regulations and the Digital Economy Act. David Austin, CEO of the BBFC, had this to say:

“Social media is one of the categories of ancillary services providers. We would ask Twitter to close down an account that had hardcore pornography. But we don't have the power to compel it and we don't know how Twitter would respond.”

So basically the current response is ¯\_(ツ)_/¯.  Presumably the social media situation will be dealt with, but it's unclear when and how, so we'll just have to wait and see. The will also criminalise online pop-ups featuring "explicit" porn. It's not clear what classifies as "explicit" but presumably it'll at least involve any uncensored images of genitals or sex acts.

Any company or website that refuses to comply will be blocked by ISPs, and effectively means they won't be able to do any legitimate business in the UK. Big companies tend to like money, so the government believes its in their own best interest. There are also fines that will be implemented, with companies being forced to pay up to £250,000 for non-compliance. Similarly, the regulator may go after third party payment services to prevent offenders from profiting from their disobedience.

The fine and punishment is a set thing that applies to everyone, with the BBFC dealing with offenders on a case-by-case basis. Similarly, if sites fall in line and either implement blocks or remove all their porn, the BBFC will back off – meaning ISPs will be instructed to remove the blocks.

While some people may claim it's difficult to define what porn really is, the BBFC takes a fairly basic approach. The regulations state that the material being regulated is that "produced solely or principally for the purposes of sexual arousal". So the BBFC isn't going to go after a website showing of naked statues in art galleries, or anything else along those lines. It's also been made very clear that hosting non-pornographic content isn't a loophole however, so any site that has content matching this definition is going to have to fall in line or suffer the consequences.

Privacy is Key, and Everything Has to be GDPR Compliant

There have been a lot of concerns about privacy, which is perfectly fair when you consider the fact that the government has been incredibly reluctant to explain the whole age verification process. More specifically there were a lot of concerns that MindGeek, the company that owns PornHub and numerous other porn sites, would try and leverage its position to give its AgeID verification system an advantage over the competition. Some of those concerns were seemingly confirmed a few months ago when someone discovered a section AgeID's privacy policy that seemed to allow the collection of user data "to develop and display content and advertising tailored to your interests on our Website and other sites". It also stated "We also may use these technologies to collect information about your online activities over time and across third-party websites or other online services."

The first bit of good news is that AgeID's privacy policy has been updated since then, and the offending sections are no longer there. The other news is that MindGeek, and all other companies with competing verification systems, can't collect data for their own benefit. The government had already expressed concerns that some companies may see age verification as an opportunity, but the rules make it clear that this isn't allowed – particularly since all data collection has to comply with the EU's General Data Protection Regulation. The GDPR takes effect on 25th May, long before age verification will be required, and there are already plans to replicate the rules so everything still applies after Brexit.

The GDPR is quite strict about what is and isn't acceptable, and the punishments for breaches can be as high as 4% of a company's annual turnover, so it's in their best interests to keep everything secure. But nothing is unhackable, so the point is to store as little information as possible because keeping too much is far too much hassle. Similarly the verification systems are not allowed to utilise government databases and move information and store it in a second database that may be less secure or more at risk than the one the government looks after. Again, it's too much hassle. That said it doesn't mean government-powered identification won't be in play. The BBFC drafts specifically mention passports and driving licences, but overall makes no mention of what implementation might involve.

It's Unlikely to Put Your Browsing Habits at Risk of Exposure

One of the major concerns people have had with the idea of age verification is that it could theoretically be used to track your browsing history, and keep a record of your porn-watching habits. The government has made it very clear, however, that it doesn't want another Ashley Madison-style disaster. That means no logging of your viewing history is allowed.

While different age verification systems will ask for personal information to sign up (like name, address, etc.), the verification pages themselves only deal with a single piece of information: whether a person is over 18. While we still don't know exactly what systems will be approved by the BBFC, or how they will actually verify the user is over 18, the idea is that the system itself will only be answering a yes or no question. If it's yes, then you'll be granted access to whatever site you want to browse. There won't be a record of what you tried to access, nor will the sites see any information about who you are. Unless, of course, you are willing give them that information by subscribing or creating an account.

That means if an age verification system is hacked, the damage will be minimal. Yes, there will be a log of whatever data you handed over when you signed up, provided hackers can bypass the security and encryption, but it's not going to be information that you wouldn't hand over anywhere else. Plus, if the verification extends to other areas, like retail, then there isn't even a guarantee that you're even in the database so you can watch porn. Your secret fetishes are safe.

Verification Systems Are Freely Available to All

For a while the word about age verification was that any company hoping to implement their system on porn sites would have to give it away to small and independent porn sites, but larger ones may have to pay a fee. Apparently that's no longer the case, and regardless of who is implementing what system, everything will have to be given away free of charge. Or rather, it will be as long as it's to implement the blocks within the UK. The principle being that everyone is equal when it comes to implementing this law.

There had been a lot of fears that MindGeek would use its position to try and increase its position within the porn industry, seeing as how it has its own age verification system that it could have charged its competitors a premium to use. But that's not an issue anymore. Certainly not within the UK. If this sort of thing spreads elsewhere (and the government seems to think that it might) then it'll likely be up to local legislators to ensure there's free competition.

There Are Going to be Multiple Verification Systems in Play

MindGeek won't be the only company with an age verification system in place, however, so it's not like competitors will have no choice but to utilise their rival's system. The briefing I attended where everything was explained to  me was also hosted by Yoti, the company behind the facial recognition systems that are due to be trialled in British supermarkets. Yoti confirmed its plans to implement its existing age verification system for sites when the laws come into effect - the same system that's being used to verify age in non-porn-related situations.

That's an important point to make, since it seems like there are going to be a lot of different ways to verify your age. The BBFC's drafts don't outline pre-approved verification solutions, but it does set out the criteria each system will be assessed by. The gist of it is that the system has to be robust, must rely on information that another person wouldn't have (excluding instances of theft or fraud), should prevent bots and algorithms from gaining access, and ensure that a person either verifies their age for each visit or that their access is "restricted by controls, manual or electronic" – such as passwords, PIN numbers, and more.

That means sites can't get away with using a tick-box system or a general disclaimer (as many have now), solutions that use payment methods available to under 18s (like debit cards), or utilising publicly available information like names, addresses, or data of birth. The BBFC also recognises that technology advances all the time, promising a principle-based approach when assessing verification systems an updating the regulations where necessary

One of the methods showed off was something akin to two-factor authentication, using a person's phone number. If you've ever tried to access adult content on a mobile (with the likes of porn, gambling, and other similar things falling under this category), you'll know that there's a block in place until you ask them to get rid of it. If you're on a contract they have your details already, so nobody has information they wouldn't normally have. It's not clear how it will work for Pay As You Go, but networks do generally remove the adult block if you can prove you're over 18.

So by using this type of system the verification software can send a message to the network asking "is this person 18?" without actually knowing who they are. The network will say yes or no, and if it's yes you'll be sent an access code via text message. Since it's your phone, and anyone else would have had to pinch it, then this should, in theory, fall within BBFC regulations. Plus since two-factor systems like this are already in place it'll be something people are familiar with.

I'll reiterate, though, that this was an example and won't be the only system in place – if it gets implemented at all by the end of the year. It has its obvious limitations, so Yoti has been working on multiple different solutions to match whatever people might prefer.

The BBFC itself has encouraged companies to implement a number of systems to give people a choice, though this is more of a strongly-worded suggestion than an actual rule. So MindGeek may lock all its sites behind its first party tech, while others may use someone else. It's not clear why they'd do that, seeing as how forcing people to sign up to a brand new verification system is one of the easiest ways to make them get annoyed and go elsewhere. The BBFC outlines other good practices that are optional but strongly encouraged, like ease of use, clear information on data protection, collecting the minimum amount of data possible, and reduce potential for "improper use" - particularly by children. All of these will be down to the companies themselves, however, and whether they feel it's worth it.

Remaining Problems

The NSPCC has largely welcomed the plans to implement age gateways, noting that around 46 per cent of children who have seen porn originally saw it by accident and that there are many cases of children contacting them because they were disturbed by what they saw. Because of this, the organisation has also called for the government to implement changes to Relationships and Sex Education to include discussions about porn in schools. The purpose being to ensure that kids understand what they're seeing isn't real. Adults know that everything in porn is fake and doesn't feature realistic representations of sex and anatomy, and the NSPCC wants to make sure kids know that too – so if and when they do see porn they understand what they're seeing.

Another issue of concern is the fraud aspect. Earlier this year a government report claimed that the age gateways could lead to an increase in fraud, and seeing as how the regulations specifically say verification has to involve information that others wouldn't have access to barring instances of theft. Whether the verification is done by phone, credit card, or any other object that needs physical access, there are going to be cases of people trying to get round the barriers without using their own information.

Perhaps kids steal their dad's phone or credit card so they can get through to XXXGenericPornSite.com. Maybe identity thieves will sell off info to the paranoid types who don't believe they aren't being tracked and so on. It's not clear how many instances there will be, but it's something that may have to be tackled in the near future.

Similarly, that same report mentioned that forcing blocks onto smaller ISPs may be beyond what they can afford, which would be detrimental to their business. This was brought up at the briefing I attended, and a very jokey non-answer was given claiming that by not implementing blocks smaller ISPs may end up with more customers as a result. Hmmm. So that's still an issue that'll likely come up, though seeing as how the cost of age verification is minimal then there are very few reasons why sites wouldn't employ them.

The final concern is back to the whole Big Brother, policing morality situation. These plans have been in the works for a long time, and still the government didn't actually have a plan to implement them when the time came – hence the almost-indefinite delay. The plans also came from the Conservative party who aren't exactly known for their forward-thinking attitudes of late, and coupled with the fact the government largely remained silent on how everything was going to work it led many to assume this was a simple matter of trying to police morality under the guise of protecting children. That's certainly what I thought, and I know I'm not alone.

Having everything explained properly, by people who actually knew what they were talking about, was a massive help. On the surface I can recognise that the whole idea isn't as downright stupid as I initially believed. Provided, of course, that getting past the age gateways doesn't become an absurd chore. But as I mentioned when it was revealed the government had an AI that could detect pro-Islamic State content and stop it from hitting the web, where does it end? In this case, as it was with the anti-ISIS bot, the end goal is admirable, but you have to wonder whether there will be more grand ideas brewing in the government ministers who aren't such huge fans of free thinking. We need to stay vigilant and make sure our internet doesn't end up like China's.