UK’s Porn Law and the saga of mandatory age checks

What does the UK’s Digital Economy Act 2017 demand and how can you be compliant — or rebellious?

Akshay ‘Ax’ Sharma
Jul 26

Porn and age checks don’t mix in the opinion of many.
While the idea behind the law might be a noble one, to keep minors from accessing adult content, the practicalities of enforcing the law are, to say the least, a mess.

With “porn law” being its informal moniker, the provision of the UK’s Digital Economy Act 2017, which was supposed to go into effect earlier this year, before July 15 2019, has been delayed yet again for six months. The provision requires commercial adult websites to impose an automatic block on their websites until the user verifies their age — and not by merely checking the “over 18” box. Failure to verify the users’ age authoritatively could lead to a fine of £250,000, or a blanket block by UK internet service providers.

Age-check methods

The discretion to choose an appropriate age-verification method is largely left up to the commercial adult content providers, with the BBFC tasked with providing official guidance. However, while the webmasters need not necessarily verify identity to check age (for privacy reasons of course), it is hard to authoritatively verify someone’s age while promising total anonymity over the web.

MindGeek, the company that owns these commercial adult sites, has already come up with its own solution, AgeID. It’s a smart move — regulating yourselves while staying in control, before a government body gets tempted to step in and regulate you.

One of their spokespersons explained:

“The user verifies their email address and then chooses an age verification option from our list of third-party providers, using options such as SMS, credit card, passport, or driving licence.”

You can see some options may be more private than others — none offer total secrecy or anonymity.

My very own solution, AgeSafe.co.uk, relies purely on credit card verification — both for instant age-verification and because I really didn’t want to store images of a photo ID on a server. It is too much of a liability if you are breached. While AgeSafe does offer increased privacy, as the credit card check is performed through a reputable third party, Stripe, without your name or personal information ever entering our systems — it’s not perfect. The very fact that a credit card needs to be used may raise the eyebrows of many. I kept this system simple and straightforward as I have no interest in your data or activities, in this context. For a tiny one-quid verification charge, one gets an “access code” which may then be used on any of the providers accepting AgeSafe.

Some companies offering totally “free” age checks will likely, if not mine your information, have an ulterior motive. 1Account, for example, offers a free service because its main business model is to act as a payment system on the website at the same time — beware of the catches. Some other “disconnected” solutions like AgePass rely on selling physical “age cards” in UK shops and supermarkets for £5–10. The burden then falls on the seller to ensure that the customer visibly looks like an adult or shows an ID — just like when you buy tobacco or alcohol.

Privacy

One of the criticisms of the law arises primarily from privacy concerns.

Imagine having to pull up your ID or credit card in the event that a less intrusive option, such as SMS-based verification, fails — as I’m sure it will for prepaid, pay-as-you-go users who do not have their age recorded with the cellular provider.

And what happens if a server processing the photo ID images is breached? We can only hope that the age check companies are doing their due diligence and not linking our identity and information to anything deemed risqué.

Phishing Scams

Then there’s the possibility of hackers and scammers setting up phishing pages which mimic real ones. The pages that read: “Your credit card will NOT be charged and is only used for ensuring you are over 18.” How do you trust that message? Is your information being submitted to a legitimate payment provider or being milked to send bitcoins to a scammer?

The regulation has loopholes which can be abused by the unscrupulous to trick an honest user.

Bad User Experience (UX)

I said it before and I’ll say it again. How bad is this kind of regulation for the overall User Experience (UX) and interface? The MPs who made this law clearly aren’t trained web design experts, even if they know how to use a computer (let’s hope they do).

I need not ask you to visualise too much, but just think: how would age checks work in practice?

Even if grabbing your credit card or photo ID is a one-off task for creating an account, what happens subsequently when you need to prove you’re an adult, on every visit?

If the idea is to be able to “sign in once” to an SSO-based system, which fundamentally has problems of its own, would this work across a variety of adult content providers or just a few websites?

Incognito Mode

We didn’t even think of the Incognito problem yet!

In practice, many users visiting anything they would not want to leave a trace of are likely using Incognito browser sessions on their devices, which introduces additional complications.

“Remember Me” cookies simply don’t survive incognito and private sessions — that is the whole point of using the feature. Clearly, a lot of age-check workflows would become an inconvenience without actually being effective.

Does it work?

Frankly, I think it keeps honest people honest. Let’s face it — the elephant in the room most MPs were too shy to talk about: teens have been watching porn and exploring themselves for ages, and a law won’t change that. There are always ways to get around such systems, and teens are smart enough to be always on to them, especially in this day and age where a kindergartener is a fluent iPad user.

One can fake a photo ID scan, or use their parents’ credit card — or happen to be an authorised user on the card, or be using a shared phone plan with the primary bill payer being an adult — all of these practicalities make it impossible to authoritatively verify someone’s age while ensuring enough privacy. I’m not encouraging anyone to break the law, but the practice of making stupid laws and assuming they will work, without exploring the obvious practical hurdles, is futile and invites a reprimand.

Moreover, given the nature of technology and its ease of access, one could simply evade the law altogether by using a VPN to pretend not to be in the UK.

As a parent, if all of this concerns you, either don’t buy your kid an iPad or use simple parental controls. In case you missed it, there’s the decades-old NetNanny. There is legitimate concern if an 8-year-old child stumbles upon something inappropriate. But when a 17-year-old minor does, is it cause for crisis? I don’t think so. Perhaps we shouldn’t be mixing the terms “minors” and “children” in the legal sense. And perhaps children shouldn’t have unmonitored access to technology to begin with — that decision is left up to the parents.

While a business had better stay compliant with the Act so as not to risk a fine, the users can largely rebel — and they will. The ‘lip service’ law is yet another example of ineffective legislation, something which sounds good in a Parliamentary setting, but in practice just doesn’t work.
After all, porn and age checks don’t mix.

© 2019. Akshay ‘Ax’ Sharma. All Rights Reserved.
Twitter: AkshaySharmaUS

Security Researcher/Engineer, Digital Technologist and a perpetual learner. https://akshaysharma.net
