Internet Porn Censorship

The Observer today published an article generally supporting the upcoming porn censorship and age verification regime. It did have one interesting point to note though:

Brexit's impact on the pornography industry has gone unnoticed. But the chaos caused by the UK's disorderly exit from the European Union even stretches into the grubbier parts of cyberspace.

A new law forcing pornography users to prove that they are adults was supposed to be introduced early next month. But sources told the Observer that it may not be unveiled until after the Brexit impasse is resolved as the government, desperate for other things to talk about, believes it will be a good news story that will play well with the public when it is eventually unveiled.

Despite the prevailing porn ban in Uganda, it can safely be said that pornographic materials and information has never been more consumed than now. The latest web rankings from Alexa show that Ugandans consume more pornographic materials and information than news and government information, among other relevant materials.

The US website Porn555.com is ranked as the 6th most popular website in Uganda, ahead of Daily Monitor, Twitter, BBC among others.

The country's internet censors claim to have blocked 30 of the main porn websites so perhaps that is the reason for porn555 to be the most popular rather then the more obvious PornHub, YouPorn, xHamster etc.

Sky News has learned that the government has delayed setting a date for when age verification rules will come into force due to concerns regarding the security and human rights issues posed by the rules. A DCMS representative said:

This is a world-leading step forward to protect our children from adult content which is currently far too easy to access online.

The government, and the BBFC as the regulator, have taken the time to get this right and we will announce a commencement date shortly.

Previously the government indicated that age verification would start from about Easter but the law states that 3 months notice must be given for the start date. Official notice has yet to be published so the earliest it could start is already June 2019.

The basic issue is that the Digital Economy Act underpinning age verification does not mandate that identity data and browsing provided of porn users should be protected by law. The law makers thought that GDPR would be sufficient for data protection, but in fact it only requires that user consent is required for use of that data. All it requires is for users to tick the consent box, probably without reading the deliberately verbose or vague terms and conditions provided. After getting the box ticked the age verifier can then do more or less what they want to do with the data.

Realising that this voluntary system is hardly ideal, and that the world's largest internet porn company Mindgeek is likely to become the monopoly gatekeeper of the scheme, the government has moved on to considering some sort of voluntary kitemark scheme to try and convince porn users that an age verification company can be trusted with the data. The kitemark scheme would appoint an audit company to investigate the age verification implementations and to approve those that use good practises.

I would guess that this scheme is difficult to set up as it would be a major risk for audit companies to approve age verification systems based upon voluntary data protection rules. If an 'approved' company were later found to be selling, misusing data or even getting hacked, then the auditor could be sued for negligent advice, whilst the age verification company could get off scot-free.

Pornhub and sister websites will soon require ID from users before being able to browse its porn.

The government most recently suggested that this requirement would start from about Easter this year, but this date has already slipped. The government will give 3 months notice of the start date and as this has not yet been announced, the earliest start date is currently in June.

Pornhub and YouPorn will use the AgeID system, which requires users to identify themselves with an email address and a credit card, passport, driving licence or an age verified mobile phone number.

Metro.co.uk spoke to a spokesperson from AgeID to find out how it will work (and what you'll actually see when you try to log in). James Clark, AgeID spokesperson, said:

When a user first visits a site protected by AgeID, a landing page will appear with a prompt for the user to verify their age before they can access the site.

First, a user can register an AgeID account using an email address and password. The user verifies their email address and then chooses an age verification option from our list of 3rd party providers, using options such as Mobile SMS, Credit Card, Passport, or Driving Licence.

The second option is to purchase a PortesCard or voucher from a retail outlet. Using this method, a customer does not need to register an email address, and can simply access the site using the Portes app.

Thereafter, users will be able to use this username/password combination to log into all porn sites which use the Age ID system.

It is a one-time verification, with a simple single sign-on for future access. If a user verifies on one AgeID protected site, they will not need to perform this verification again on any other site carrying AgeID.

The PortesCard is available to purchase from selected high street retailers and any of the UK's 29,000 PayPoint outlets as a voucher. Once a card or voucher is purchased, its unique validation code must be activated via the Portes app within 24 hours before expiring.

If a user changes device or uses a fresh browser, they will need to login with the credentials they used to register. If using the same browser/device, the user has a choice as to whether they wish to login every time, for instance if they are on a shared device (the default option), or instead allow AgeID to log them in automatically, perhaps on a mobile phone or other personal device.

Clark claimed that AgeID's system does not store details of people's ID, nor does it store their browsing history. This sounds a little unconvincing and must be taken on trust. And this statement rather seems to be contradicted by a previous line noting that user's email will be verified, so that piece of identity information at least will need to be stored and read.

The Portes App solution seems a little doubtful too. It claims not to log device data and then goes on to explain that the PortesCard needs to be locked to a device, rather suggesting that it will in fact be using device data. It will be interesting to see what app permissions the app will require when installing. Hopefully it won't ask to read your contact list.

This AgeID statement rather leaves the AVSecure card idea in the cold. The AVSecure system of proving your age anonymously at a shop, and then obtaining a password for use on porn websites seems to be the most genuinely anonymous idea suggested so far, but it will be pretty useless if it can't be used on the main porn websites.

We met to discuss BBFC's voluntary age verification privacy scheme, but BBFC did not attend. Open Rights Group met a number of age verification providers to discuss the privacy standards that they will be meeting when the scheme launches, slated for April. Up to 20 million UK adults are expected to sign up to these products.

We invited all the AV providers we know about, and most importantly, the BBFC, at the start of February. BBFC are about to launch a voluntary privacy standard which some of the providers will sign up to. Unfortunately, BBFC have not committed to any public consultation about the scheme, relying instead on a commercial provider to draft the contents with providers, but without wider feedback from privacy experts and people who are concerned about users.

We held the offices close to the BBFC's offices in order that it would be convenient for them to send someone that might be able to discuss this with us. We have been asking for meetings with BBFC about the privacy issues in the new code since October 2018: but have not received any reply or acknowledgement of our requests, until this morning, when BBFC said they would be unable to attend today's roundtable. This is very disappointing.

BBFC's failure to consult the public about this standard, or even to meet us to discuss our concerns, is alarming. We can understand that BBFC is cautious and does not wish to overstep its relationship with its new masters at DCMS. BBFC may be worried about ORG's attitude towards the scheme: and we certainly are critical. However, it is not responsible for a regulator to fail to talk to its potential critics.

We are very clear about our objectives. We are acting to do our best to ensure the risk to adult users of age verification technologies are minimised. We do not pose a threat to the scheme as a whole: listening to us can only result in making the pornographic age verification scheme more likely to succeed, and for instance, to avoid catastrophic failures.

Privacy concerns appear to have been recognised by BBFC and DCMS as a result of consultation responses from ORG supporters and others, which resulted in the voluntary privacy standard. These concerns have also been highlighted by Parliament, whose regulatory committee expressed surprise that the Digital Economy Act 2017 had contained no provision to deal with the privacy implications of pornographic age verification.

Today's meeting was held to discuss:

• What the scheme is likely to cover; and what it ideally should cover;

• Whether there is any prospect of making the scheme compulsory;

• What should be done about non-compliant services;

• What the governance of the scheme should be in the long tern, for instance whether it might be suitable to become an ICO backed code, or complement such as code

As we communicated to BBFC in December 2018, we have considerable worries about the lack of consultation over the standard they are writing, which appears to be truncated in order to meet the artificial deadline of April this year. This is what we explained to BBFC in our email:

• Security requires as many perspectives to be considered as possible.

• The best security standards eg PCI DSS are developed in the open and iterated

• The standards will be best if those with most to lose are involved in the design.
   

  • For PCI DSS, the banks and their customers have more to lose than the processors

  • For Age Verification, site users have more to lose than the processors, however only the processors seem likely to be involved in setting the standard

We look forward to BBFC agreeing to meet us to discuss the outcome of the roundtable we held about their scheme, and to discuss our concerns about the new voluntary privacy standard. Meanwhile, we will produce a note from the meeting, which we believe was useful. It covered the concerns above, and issues around timing, as well as strategies for getting government to adjust their view of the absence of compulsory standards, which many of the providers want. In this, BBFC are a critical actor. ORG also intends as a result of the meeting to start to produce a note explaining what an effective privacy scheme would cover, in terms of scope, risks to mitigate, governance and enforcement for participants.

Bangladesh internet censors have blocked almost 20,000 websites as part of an anti-pornography campaign, a minister has reported.

ISPs have blocked pornography and gambling websites in the past week under orders from the telecommunications censor. war, Mustafa Jabbar, the posts and telecommunications minister, told AFP:

I want to create a safe and secure internet for all Bangladeshis, including children. And this is my war against pornography. And this will be a continuous.

Popular social media apps such as TikTok and Bigo - which authorities believe are misused - have also been blocked

Update: And of course the government took the opportunity to ban a few other things too

26th February 2019. See article from dw.com

While most of the blocked sites are foreign, a few local websites and social media platforms have also been targeted by the government censorship. One of these websites, somewhereinblog.net, is the largest Bengali-language community blog platform in the world.

The post and telecommunications minister blamed the site for spreading atheism in Bangladesh.

A group of 33 Bangladeshi university teachers, journalists, bloggers, and activists have demanded that the government lift the ban on the blog platform immediately.