The BBFC has re-iterated that its Age Verification certification scheme does not allow for personal data to be used for another purpose beyond age verification. In particular age verification should not be coupled with electronic wallets.
Presumably this is intended to prevent personal data identifying porn users from being dangerously stored in databases used for other purposes.
In passing, this suggests that there may be commercial issues as age verification systems for porn may not be reusable for age verification for social media usage or identity verification required for online gambling. I suspect that several AV
providers are only interested in porn as a way to get established for social media age verification.
This BBFC warning may be of particular interest to users of the porn site xHamster. The preferred AV option for that website is the electronic wallet 1Account.
The BBFC write in a press release:
The Age-verification Regulator under the UK's Digital Economy Act, the British Board of Film Classification (BBFC), has advised age-verification providers that they will not be certified under the Age-verification Certificate (AVC) if they use a
digital wallet in their solution.
The AVC is a voluntary, non-statutory scheme that has been designed specifically to ensure age-verification providers maintain high standards of privacy and data security. The AVC will ensure data minimisation, and that there is no handover of
personal information used to verify an individual is over 18 between certified age-verification providers and commercial pornography services. The only data that should be shared between a certified AV provider and an adult website is a token or
flag indicating that the consumer has either passed or failed age-verification.
Murray Perkins, Policy Director for the BBFC, said:
A consumer should be able to consider that their engagement with an age-verification provider is something temporary.
In order to preserve consumer confidence in age-verification and the AVC, it was not considered appropriate to allow certified AV providers to offer other services to consumers, for example by way of marketing or by the creation of a digital
wallet. The AVC is necessarily robust in order to allow consumers a high level of confidence in the age-verification solutions they choose to use.
Accredited providers will be indicated by the BBFC's green AV symbol, which is what consumers should look out for. Details of the independent assessment will also be published on the BBFC's age-verification website, ageverificationregulator.com,
so consumers can make an informed choice between age-verification providers.
The Standard for the AVC imposes limits on the use of data collected for the purpose of age-verification, and sets out requirements for data minimisation.
The AVC Standard has been developed by the BBFC and NCC Group - who are experts in cyber security and data protection - in cooperation with industry, with the support of government, including the National Cyber Security Centre and Chief
Scientific Advisors, and in consultation with the Information Commissioner's Office. In order to be certified, AV Providers will undergo an on-site audit as well as a penetration test.
Further announcements will be made on AV Providers' certification under the scheme ahead of entry into force on July 15.
Starting with a little background on the authorship of the document under review, AVSecure CMO Steve Winyard told XBIZ:
The accreditation plan appears to have very strict rules and was crafted with significant input from various governmental bodies, including the DCMS (Department for Culture, Media & Sport), NCC Group plc (an expert security and audit firm),
GCHQ (U.K. Intelligence and Security Agency), ICO (Information Commissioner's Office) and of course the BBFC.
But computer security expert Alec Muffett writes:
This is the document which is being proffered to protect the facts & details of _YOUR_ online #Porn viewing. Let's read it together!
What could possibly go wrong?
This document's approach to data protection is fundamentally flawed.
The (considerably) safer approach - one easier to certificate/validate/police - would be to say everything is forbidden except for upon for ; you would then allow vendors to
appeal for exceptions under review.
It makes a few passes at pretending that this is what it's doing, but with subjective holes (green) that you can drive a truck through:
What we have here is a rehash of quite a lot of reasonable physical/operational security, business continuity & personnel security management thinking -- with digital stuff almost entirely punted.
It's better than #PAS1296 , but it's still not fit for purpose.
Batman Returns reduced from 15 uncut to 12A uncut for 2019 cinema release
27th April 2019
Batman Returns is a 1992 USA / UK action crime fantasy by Tim Burton.
Starring Michael Keaton, Danny DeVito and Michelle Pfeiffer.
Cut by the BBFC for a 12 rated cinema release in 1992 and the follow up VHS. Less cut for 12 rated DVD in 2006. Then uncut for 15 rated Blu-ray in 2008 and finally rated 12A uncut for 2019 cinema release. Always uncut and MPAA PG-13 rated in the
UK: Passed 12A uncut for moderate violence, injury detail, sex references, threat, sexual threat ( 126:18s ) :
2019 cinema release
In the sewers of Gotham City to the rooftops of the Gotham City the Penguin wants to know where he came from well in his villain ways Catwoman plans to kill rich man of Gotham Max Shreck but as he battles with millionaire Bruce Wayne both ladies
men have their own secrets Bruce Wayne is back as Batman trying to stop the Penguin Max is helping Penguin steal Gotham City while Selina Kyle/Catwoman tries to help Penguin not knowing her man murder target also her murder is helping him but
all four men have their goals taking Gotham from crime winning Gotham City assassination for two men and more money to be Gotham City's number one rich man.
The BBFC has tweaked the look and feel of its website with a new bolder looking typeface set against a white background.
The BBFC has also corrected the previously slow starting search box that used to delete what you typed if you started before the form was ready.
Otherwise the data presented seems to be about the same as before, but I did spot one significant change. The short and long summaries of ratings issues in a film have been changed. They were previously referred to as BBFCInsight but
are now labelled: Rating Info
Previously the BBFC has steered away from using the word 'rating', preferring to use the term 'classification'.
The latest UK cinema release suffering BBFC advised category cuts for a 15 rating
24th April 2019
Brightburn is a 2019 USA Sci-Fi horror thriller by David Yarovesky.
Starring Elizabeth Banks, David Denman and Matt Jones.
UK: Passed 15 for strong gory injury detail, violence, language after BBFC advised pre-cuts ( 90:12s ) :
2019 cinema release
The BBFC commented:
This film was originally seen for advice at which stage the company was informed it was likely to be classified 18 uncut but that their preferred 15 classification could be achieved by making reductions to two scenes featuring both strong gory
images and a dwelling on the infliction of pain and injury. When the film was submitted for formal classification these scenes had been acceptably reduced.
For comparison in the US the film was rated R uncut for horror violence/bloody images, and language.
What if a child from another world crash-landed on Earth, but instead of becoming a hero to mankind, he proved to be something far more sinister?
The BBFC has published a detailed standard for age verifiers to get tested against to obtain a green AV kite mark aiming to convince users that their identity data and porn browsing history are safe.
I have read through the document and conclude that it is indeed a rigorous standard that I guess will be pretty tough for companies to obtain. I would say it would be almost impossible for a small or even medium size website to achieve the
standard, and this more or less means that using an age verification service is mandatory.
The standard has lots of good stuff about physical security of data and vetting of staff access to the data.
Age verifier AVSecure commented:
We received the final documents and terms for the BBFC certification scheme for age verification providers last Friday. This has had significant input from various Government bodies including DCMS (Dept for Culture, Media & Sport), NCC Group
plc (expert security and audit firm), GCHQ (UK Intelligence & Security Agency), ICO (Information Commissioner's Office) and of course the BBFC (the regulator).
The scheme appears to have very strict rules.
It is a multi-disciplined scheme which includes penetration testing, full and detailed audits, operational procedures over and above GDPR and the DPA 2018 (Data Protection Act). There are onerous reporting obligations with inspection rights
attached. It is also a very costly scheme when compared to other quality standard schemes, again perhaps designed to deter the faint of heart or shallow of pocket.
Consumers will likely be advised against using any systems or methods where the prominent green AV accreditation kitemark symbol is not displayed.
But will the age verifier be logging your ID data and browsing history?
And the answer is very hard to pin down from the document. At first read it suggests that minimal data will be retained, but a more sceptical read, connecting a few paragraphs together, suggests that the verifier will be required to keep extensive
records about the user's porn activity.
Maybe this is a reflection of a recent change of heart. Comments from AVSecure suggested that the BBFC/Government originally mandated a log of user activity but recently decided that keeping a log or not is down to the age verifier.
As an example of the rather evasive requirements:
8.5.9 Physical Location
Personal data relating to the physical location of a user shall not be collected as part of the age-verification process unless required for fraud prevention and detection. Personal data relating to the physical location of a user shall only be
retained for as long as required for fraud prevention and detection.
Here it sounds like keeping tabs on location is optional, but another paragraph suggests otherwise:
8.4.14 Fraud Prevention and Detection
Real-time intelligent monitoring and fraud prevention and detection systems shall be used for age-verification checks completed by the age-verification provider.
Now it seems that the fraud prevention is mandatory, and so a location record is mandatory after all.
Also the use of the phrase 'only be retained for as long as required for fraud prevention and detection' seems a little misleading too, as in reality fraud prevention will be required for as long as the customer keeps on using it. This may
as well be forever.
There are other statements that sound good at first read, but don't really offer anything substantial:
8.5.6 Data Minimisation
Only the minimum amount of personal data required to verify a user's age shall be collected.
But if the minimum is to provide name and address plus, e.g., a driver's licence number or a credit card number, then the minimum is actually pretty much all of it. In fact there are only the porn pass methods that offer any scope for 'truly minimal'
data collection. Perhaps the minimal data also applies to the verified mobile phone method as although the phone company probably knows your identity, then maybe they won't need to pass it on to the age verifier.
What does the porn site get to know
The rare unequivocal and reassuring statement is:
8.5.8 Sharing Results
Age-verification providers shall only share the result of an age-verification check (pass or fail) with the requesting website.
So it seems that identity details won't be passed to the websites themselves.
However the converse is not so clear:
8.5.6 Data Minimisation
Information about the requesting website that the user has visited shall not be collected against the user's activity.
Why add the phrase 'against the user's activity'? This is worded such that information about the requesting website could indeed be collected for another reason, fraud detection maybe.
Maybe the scope for an age verifier to maintain a complete log of porn viewing is limited more by the practical requirement for a website to record a successful age verification in a cookie such that the age verifier only gets to see one
interaction with each website.
No doubt we shall soon find out whether the government wants a detailed log of porn viewed, as it will be easy to spot if a website queries the age verifier for every film you watch.
And what about all this reference to fraud detection? Presumably the BBFC/Government is a little worried that passwords and accounts will be shared by enterprising kids. But on the other hand it may make life tricky for those using shared
devices, or perhaps those who suddenly move from London to New York in an instant, when in fact this is totally normal for someone using a VPN on a PC.
The BBFC/Government have moved on a long way from the early days when the lawmakers created the law without any real protection for porn users and the BBFC first proposed that this could be rectified by asking porn companies to voluntarily follow
'best practice' in keeping people's data safe.
A definite improvement now, but I think I will stick to my VPN.
VPNCompare is reporting that internet users in Britain are responding to the upcoming porn censorship regime by investigating the option to get a VPN so as to workaround most age verification requirements without handing over dangerous
VPNCompare says that the number of UK visitors to its website has increased by 55% since the start date of the censorship scheme was announced. The website also stated that Google searches for VPNs had tripled. Website editor, Christopher Seward,
told the Independent:
We saw a 55 per cent increase in UK visitors alone compared to the same period the previous day. As the start date for the new regime draws closer, we can expect this number to rise even further and the number of VPN users in the UK is likely to
go through the roof.
The UK Government has completely failed to consider the fact that VPNs can be easily used to get around blocks such as these.
Whilst the immediate assumption is that porn viewers will reach for a VPN to avoid handing over dangerous identity information, there may be another reason to take out a VPN, a lack of choice of appropriate options for age validation.
3 companies run the 6 biggest adult websites. Mindgeek owns Pornhub, RedTube and Youporn. Then there is Xhamster and finally Xvideos and xnxx are connected.
Now Mindgeek has announced that it will partner with Portes Card for age verification, which has options for identity verification, giving an age verified mobile phone number, or else buying a voucher in a shop and showing age ID to the shop
keeper (which is hopefully not copied or recorded).
Meanwhile Xhamster has announced that it is partnering with 1Account which accepts a verified mobile phone, credit card, debit card, or UK drivers licence. It does not seem to have an option for anonymous verification beyond a phone being age
verified without having to show ID.
Perhaps most interesting is that both of these age verifiers are smart phone based apps. Perhaps the only option for people without a phone is to get a VPN. I also spotted that most age verification providers that I have looked at seem to be
only interested in UK cards, drivers licences or passports. I'd have thought there may be legal issues in not accepting EU equivalents. But foreigners may also be in the situation of not being able to age verify and so need a VPN.
And of course, given the very fact that there is no age verification option common to the major porn websites, it may just turn out to be an awful lot simpler just to get a VPN.
The BBFC (on its Age Verification website)...err...no!...:
An assessment and accreditation under the AVC is not a guarantee that the age-verification provider and its solution (including its third party companies) comply with the relevant legislation and standards, or that all data is safe from
malicious or criminal interference.
Accordingly the BBFC shall not be responsible for any losses, damages, liabilities or claims of whatever nature, direct or indirect, suffered by any age-verification provider, pornography services or consumers/ users of age-verification
provider's services or pornography services or any other person as a result of their reliance on the fact that an age-verification provider has been assessed under the scheme and has obtained an Age-verification Certificate or otherwise in
connection with the scheme.