The BBFC offers an optional age-verification certificate for age verifiers. We explain why 18+ chose not to seek a certificate.
The Digital Economy Act, 2017, requires adult websites to verify the age of UK based visitors after 15 July 2019. Most adult websites will rely on a third-party age verifier to perform this check. The UK regulator for the age verification rules, the BBFC, introduced a voluntary age-verification certificate (“AV Certificate”). Until May 2019, we thought we would ask for an AV Certificate for good measure, but then the BBFC came out with a surprising announcement that changed our plans.
18+ App provides anonymity and convenience by letting users prove their age once and then storing the “age credential” to avoid them having to reprove their age. The 18+ App enables the user to use his or her stored age credential to pass age gateways on adult websites.
Unfortunately, this solution likely constitutes a “wallet”, and the BBFC said it will not issue Age Certificates to wallet based solutions. The BBFC did not define the word “wallet” but stated “it was not considered appropriate to allow certified AV providers to offer other services to consumers, for example by way of marketing or by the creation of a digital wallet.” We disagree.
To the extent a “wallet” means storing an age credential in an app, a wallet offers the most convenient solution for users, and wallets can offer greater anonymity than any other age verification solution.
The 18+ App stands between the age verifier and the adult website. This means the adult website never has to call to the 18+ servers to validate an age credential. Most age verification solutions rely on the adult website redirecting the user to the age verifier’s website for age verification, a process that reveals the identity of the adult website being visited to the age verifier. In fact, most age verifiers obtain a perfect record of the adult websites a user visits. The user relies on the age verifier’s promise not to keep this record in order to ensure his or her anonymity.
18+ App works differently. When a user visits an adult website using an 18+ age gateway, the 18+ App requests from the adult website a unique string of characters. The App submits this random string of characters to be “stamped” with an age signature by the 18+ servers. This string of characters has no connection to the adult website. The 18+ servers never learn the identity of the adult website. The servers issue an age credential back to the 18+ App, which forwards the credential to the adult website for validation. The wallet therefore stands between the adult website and the age verifier, protecting the anonymity of the user.
The BBFC’s pronouncement against wallets or other services, however, means our solution could not receive an AV Certificate.
We understand the BBFC was concerned about age verification being used as a gateway for other business models. However, understanding the business model of an age verifier is important to gauge how the age verifier will protect you. In our case, 18+ provides a free and paid VPN service within the 18+ App (a freemium model). This model covers the cost of providing the service whilst letting the broadest number of users benefit from a private age verification solution. The alternative would be to charge the users, the adult sites or otherwise monetise the user, which we do not regard to be better options.
In sum, the primary reason we have not sought an AV Certificate is because the BBFC says it will not certify a wallet solution or a solution that offers a service, like our VPN, to users alongside age verification. If the BBFC changes its position on this, we’ll likely seek an AV Certificate.
That said, we have some other concerns with the AV Certificate scheme. At the moment, the AV Certificate does not vet whether an age verifier’s solution provides user anonymity. Privacy is the primary concern of users, but the AV Certificate is focused primarily on data security, meaning, in plain English, whether the data an age verifier gathers can be accessed by a third-party. The AV Certificate’s main audit requirement is to obtain a penetration test to find security vulnerabilities that an attacker could exploit. Of course, data security is important. But most users value privacy and would intuitively expect the certificate to be issued only to age verifiers who collect the least amount of data. Unfortunately, that appears not to be the primary aim of the AV Certificate.
In our view, the AV Certificate should be updated to primarily report on the level of privacy offered by the solution. We believe a better program would provide an easy to understand summary of the private data collected an age verifier in the process of verifying and then have this summary certified as ‘true’ by the BBFC and the third-party auditor.
We also are concerned about the role of the NCC Group in the process of first helping the BBFC define the AV Certificate guidelines and then serving as the only recognised provider for the penetration test required to obtain an AV Certificate. A government program should not recognise only one private company as the supplier of a service when that same company participated in drafting the rules requiring that service as a condition of the program.
Before the BBFC ruled out wallet solutions, we asked them whether we could use a highly recognised, EU based IT security company to perform our penetration test, and we were told ‘no’, only a report issued by NCC Group would be recognised. We thought perhaps this policy came from the BBFC wanting to ensure the security auditor met certain standards, so we asked for the procedure for an IT company to become licensed to perform a security assessment under the AV Certificate, to which the BBFC did not respond.
To conclude, whilst our primary reason for not obtaining an AV Certification from the BBFC resulted from its policy pronouncement concerning wallets, we also question whether the AV Certification addresses what consumers really care about, which is an assessment of their anonymity, and specifically, whether an age verifier obtains a record that ties the identity of the user to the specific websites the user visits.
The AV Certificate is purely optional. Adult websites are not required to use an age verification solution with an AV certificate, and an AV Certificate provides no assurance of user privacy or anonymity.
We’ve designed 18+ with user privacy as our main focus. That’s the entire reason we built 18+ specific to address the UK age verification requirements. Our age gateway code is open source.
We’re happy to answer any questions about our system architecture or user privacy. Just ask us by contacting support on our website.