The UK's smut overlord has been told it isn't up to the mammoth challenge it faces in regulating age checks for online porn, and that its guidelines do little to offer users much-needed guarantees on privacy.
The British Board of Film Classification was this year named as the body in charge of regulating the government's controversial plans to require online porn providers to check their users are over 18 before letting them into the site.
Although the rules were due to come into force at the start of April, the government pushed the deadline back so the BBFC could draw up and consult on the guidelines it will use to enforce the law.
The plan is ostensibly to stop kids stumbling across sex online, but it has been slammed for failing to properly balance any potential benefits with the technical challenges and societal damage it might do.
Respondents to the consultation make it clear that they don't believe the plan is based on robust evidence, and that age verification is not a proportionate response: effectively, they see it as akin to using a sledgehammer to crack a nut.
"[The guidelines] are still overshadowed by major fundamental concerns which have existed since the inception of the Digital Economy Act," wrote law PhD student and associate lecturer Rosie Hodsdon. "The rationale behind the Act is poorly justified and unsupported by research."
She said that age verification was an "ineffective, unsubstantiated patch-up for a much wider social issue" of how young people learn about sex and sexual culture – an opinion echoed by the joint response (PDF) from pornographer Pandora Blake and obscenity lawyer Myles Jackman, who say it is a "distraction from the real issues" of poor funding for compulsory sex education in schools.
These fundamental complaints, along with some of the other concerns expressed in the responses - such as the risk of stigmatising consensual adult sex, imposing limits on freedom of speech and expression and encouraging poor security behaviours - have been discussed at length before.
But beyond these issues, the responses show a lack of confidence in the BBFC to be able to do its job and concerns that the guidelines can't protect users as they don’t mandate privacy protections.
'A Sisyphean task'
A number of the respondents say the BBFC has bitten off more than it can chew, pointing to the BBFC chief executive David Austin's evidence to Parliament that he "may well need to recruit one or two extra people".
Hwyel Phillips, of foot fetish porn provider Silk Soles noted (PDF) that there are an estimated 200 million active websites in the world, and that as many as 4 per cent might include adult entertainment, with about one website created every second. By comparison, it said, in 2016 the BBFC classified 1,075 cinema films, 8,201 videos and 74 music videos – about 30 a day.
"No serious consideration seems to have been given as to how a small organisation like the BBFC will be able to apply these regulations in anything like an even-handed manner given the scale of what is proposed," he said.
Similarly, Hodsdon said that assessing providers that make porn available in the UK would be “a Sisyphean task for hundreds of people, let alone the one or two the BBFC has suggested they will employ for this”.
The Open Rights Group said that “the task of verifying that age verification is correctly implemented on all of these sites would be… well beyond the budgetary and time constraints of the BBFC”, noting that the guidelines indicate the body is aware of this.
Indeed, the guidelines say the BBFC will take a "proportionate approach", focusing first on sites with more users and those "most frequently visited" by children. But responses point out that it is hard to establish traffic levels robustly and questioning how the BBFC will identify which sites are most visited by children.
"We need something more rigorous and even-handed than 'most frequently visited' as a criterion and the BBFC needs to set this out publicly and transparently," said Silk Soles.
BBFC will be 'complicit in data breach catastrophe'
However, despite these concerns, data protection is the issue that comes across most strongly in the consultation responses El Reg pored over.
Almost all make reference to the long-term damage caused by the Ashley Madison hack, and criticise the BBFC for what they see as mealy-mouthed, non-binding encouragement of privacy-protecting measures.
It should be obvious that there is a difference in the sensitivity of data between 'John Doe purchased a Swiss Army Knife from Amazon', versus 'Jane Doe visited LesbianSpankInferno
Under the Digital Economy Act, the BBFC can't dictate what AV solutions sites use, nor can it specify privacy or security arrangements or enforce against sites or tools that don't protect users' privacy. This has resulted in the guideline using words like "recommend", "should" and "good practice" when referring to privacy and security safeguards, which has invoked the wrath of respondents.
"The minimal and weakly-expressed 'recommendations'… that age verification providers 'should' protect user privacy are wholly inadequate," say Blake and Jackman. "Data protection and minimisation standards must be an enforceable regulatory requirement, rather than mere recommendations which the BBFC are not empowered to enforce."
Jon Fuller, chair of sexual freedoms campaign group Backlash, agreed:
I cannot emphasise strongly enough that the BBFC is not taking data protection seriously and has not shown an appreciation of the scale of harm that its lax guidelines represent… If the BBFC does not use powerful language that sets the standards required of providers then it will be complicit in the potentially catastrophic effects that follow.
There are also concerns that the BBFC is shifting data-protection concerns to the rules set out in the General Data Protection Regulation – which, as security researcher Alec Muffet said, does not set operational and functional standards.
This, he said, will lead "inevitably, to diverse 'homebrew' security implementations" that risk bulk data breaches.
Similarly, the ORG raised the concern that the tools would not be proactively assessed for data protection compliance by the UK’s data protection watchdog and would get only "an incidental inspection" by the BBFC.
Indeed, the only specification there is for online age verification - PAS:1296, available for £90 – has been criticised for being too generic and not enforceable, with Muffet noting it is "a general-purpose document…for all businesses from online penknife sales to hardcore pornography".
"It should be obvious that there is a difference in the sensitivity of data between 'John Doe purchased a Swiss Army Knife from Amazon', versus 'Jane Doe visited LesbianSpankInferno.co.uk'," he said.
The government should define operational and functional security standards, akin to PCI-DSS for credit cards, for sensitive age-verification data services, Muffet said; with the regulator able to audit and shut down non-compliant providers.
Blake and Jackman agree, noting that the PAS is voluntary and that sensitive credit card data is offered more robust compulsory security standard than porn.
“Users cannot be expected to take it on faith that age verification providers will be trustworthy,” they write. “Companies may claim that they are interested in protecting user privacy, but regulatory oversight is required to ensure that they do. Good security practice consists of baking security into the protocols.”
Meanwhile, respondents note that although the BBFC say that AV tools should confirm age not identity, they list a series of methods, like credit cards or passports, which can be linked to personal information. Moreover, not everyone has access to such forms of documentation.
A further concern about the wording of the guidelines is that the BBFC asks for “ease of use” - although this is important to ensuring people can still access legal adult content, respondents say it could have repercussions for tracking.
An AV tool that allows for ease of use might end up being single sign-on; this, Blake and Jackman said, can “only be achieved if the AV provider keeps records about which websites have been visited by which verified individuals”.
Such record-keeping is not only demeaning, it also poses “an extraordinary privacy risk” by creating a database of sexual preferences and porn browsing history linked to email addresses or logins.
MindGeek looms large
Throughout the responses, it is impossible to escape the concerns about the stranglehold tube site kingpin MindGeek has on the industry, and fears that with its AV tool, AgeID, it will expand this.
“MindGeek anticipate 20 to 25 million adults in the UK will use Age ID “within the first month”. That’s 39% of the UK population,” noted Blake and Jackman.
“This poses a massive conflict of interest. Advertising is MindGeek’s main source of revenue, and they have a direct profit motive to retain and monetise data on what people like to look at.”
They also note that, because AgeID will be offered for free to independent pornographers, it will give MindGeek “access to a unique new seam of profitable data: information about what porn sites AgeID users log into across the world wide web.
"MindGeek may not see user IDs, but they will ask for email addresses and passwords to provide ease of use; data that they have repeatedly compromised in the past”.
But this freebie AV - which isn't limited to AgeID - is making some porn providers pause for thought.
"We've seen promises that AV won't cost consumers anything, it won't cost site owners anything, and they won't be able to monitor or sell anyone's data," Alex Hawkins, veep of xHamster, told The Reg.
"Sounds great, right? But not exactly profitable. So why are dozens of companies are still clamoring to get in on the space where, according to regulators, there's no profit to be had, and nothing to be gained. It's not because they're altruists. That makes us suspicious, to say the least. We're sensing something is missing, and that's what worries us."
Meanwhile, the respondents re-iterated major concerns about the effect this will have on smaller pornographers, beyond MindGeek's influence. They will, for instance, have to deal with the costs of compliance – whether that's because they choose a paid-for AV tool, or in legal or labour costs – especially for amateurs who just use a website template and lack IT skills.
Blake and Jackman suggest that the regulation be changed to set a minimum number of visitors per day, or a minimum turnover a year, below which sites don’t have to comply.
El Reg deep dive: Everything you need to know about UK.gov's pr0n blockREAD MORE
The responses also note the importance of privacy for pornographers. The BBFC has said that it will publish details of actions taken and appeal outcomes, which is on the face of it positive, but could have unintended consequences.
“While this is appreciated as a move towards transparency,” said Hodsdon, “there must be a balance drawn to protect the privacy and business interests of services involved. The details of what information will be published…must be decided upon and clearly specified before these guidelines can be accepted.”
Ancillary service provider rules 'inadequate and unfair'
Under the new law, internet service providers will be compelled to block sites that are non-compliant, which could come with huge technical and administrative costs, the respondents note.
But of greater focus is the impact on ancillary service providers, such as social media networks, which can only be asked to remove their services from non-compliant site.
On first blush, this seems like a positive move - in that the BBFC is not able to compel another chunk of businesses - but the ORG said it puts the ASPs in a "difficult position" of potentially saying no to a regulator.
And, because the law refers to sites that offer services to UK users - not just UK sites - the ORG questions whether it was reasonable for a US provider, like Twitter, to withdraw its service for a US customer when no US laws are being broken. Usually, Twitter only censors content for UK customers if that content itself is illegal.
“The BBFC must communicate to the government that the current regime is inadequate, unfair and needs to be ceased,” it said.
In contrast, John Carr, secretary of the Children's Charities' Coalition on Internet Safety – the only response we saw that was in favour of the regulation - said that the ASPs section should go further, and include App stores.
"In an increasingly 'App-centric' internet the role of the App Stores may need to receive greater scrutiny," he said. "It may therefore be necessary to revisit this should evidence emerge that Apps are providing a significant circumvention route."
The BBFC is due to publish the responses to the consultation before it submits the final versions of the guidance to the government, after which it will be rubber-stamped and the age checks can begin.
The community will be hoping for more than window dressing changes to what they see as an insufficient guidance for a fundamentally flawed regulation. ®