El Reg talks to PornHub sister biz AgeID – and an indie pornographer – about age verification

Smut empire Mindgeek's age verification arm, AgeID, has commissioned an independent security assessment – and pledged not to store data – in a bid to reassure detractors it won't create hackable databases of users' kinks.

The move comes as the UK government pushes ahead with controversial age check rules for online porn, which should come into force around Easter. They will require visitors to prove they are over-18 in order to access a site where adult content makes up more than one-third of the material.

This means all porn sites will need to have some kind of age verification (AV) system in place – and if they don’t comply, the regulator, the British Board of Film Classification, can order ISPs to block them or ask payment service providers to cut them off.

The rules were laid out in the Digital Economy Act 2017, and a number of providers have been popping up since then – but perhaps most closely scrutinised has been the age verification tool from AgeID, due to its parent company being Mindgeek, which also owns mainstream mega-sites like PornHub and RedTube.

Not only does the company have a poor security rep, critics warned that Mindgeek might not be able to resist the temptation to gather up and merge information on individuals' browsing habits from its two arms. Many in the porn industry also fear it will help the giant increase its stranglehold on the market, pushing out smaller providers that cater for more diverse tastes.

Infoseccers to check over AgeID's work

AgeID is trying to tackle these issues head on, and has exclusively revealed to The Register that it commissioned the NCC Group to carry out an independent security assessment to confirm the application doesn't track user behaviour or store any age verification data.

And in an email interview, AgeID spokesman James Clark sought to hammer home the message that the firm understood the importance of user privacy, and that the law "has the unintended consequence of exposing the data of millions of adults if protections are not securely in place".

Users who decide to register with AgeID do so using an email address and password, which the firm said were protected by a salted, one-way hash from the transport layer.

After the user has verified their email address, they verify their age via a third-party provider, using options including documents like a passport or driving licence. That provider then sends back a pass or fail to AgeID.

"We wanted to ensure clear separation between AgeID and age verification data and have taken very big steps in ensuring that is the case," Clark said.

"AgeID does not know the identity or date of birth of its users, all it knows is whether a hashed account is over 18. AgeID is just a single sign-on, it is not age-verifying the age of its users, it doesn't even receive the user data and transfer it onto our third-party age verifiers."

Clark "categorically" confirmed that information on the sites visited, and the data, time and length of those visits, are not stored or analysed by the company.

"AgeID cannot see, let alone store, what a user does on a site, it simply verifies they are 18 or over and grants them access," Clark said. "This information will never be received nor stored and therefore no analysis can be carried out."

When asked whether AgeID and Mindgeek would ever link up or amalgamate their data sets, Clark said "that will never happen", arguing that AgeID doesn't collect any data so "there is no user data to amalgamate".

AgeID declined to share privacy assessments with The Register that it said had been carried out internally with, saying instead that it "welcome[d] further scrutiny via the regulator's certification scheme". This has yet to be launched.

The NCC Group's assessment saw it create a framework against control statements from four relevant pieces of legislation and guidance: the Digital Economy Act, the BBFC's guidance on age verification arrangements, the BSI's Publicly Available Specification for tools to verify age and the GDPR.

A version of the report for general publication, seen by The Reg, said that, of the 34 controls related to the relevant parts of the DE Act, AgeID had 28 that complied fully, while six weren't applicable. Of the 91 controls related to GDPR compliance, AgeID met 86 and the remaining five were recorded as not applicable.

The report added that AgeID had made some changes to its processes after the BBFC published the results of its consultation. This included removing the default setting of "remember me" after the BBFC said users should be logged out by default.

The NCC Group also noted that the BBFC was yet to issue formal audit requirements or control maturity ratings on its guidance, so the control assessments were "based on NCC's experience in information protection" and that AgeID should carry out another review once these processes have been formalised.

'An assessment now isn't a long-term guarantee'

Commenting on AgeID's efforts, Pandora/Blake, a pornographer and leading campaigner against age verification, said: "I'm glad AgeID are feeling the pressure not to track user behaviour. The problem is that there's no guarantee about how their policies and values will change over time."

The Open Rights Group – which has long lobbied against age checks for online porn – echoed this view. "Whatever this assessment says today, you have no idea if the same standards will apply next year, or in ten," said executive director Jim Killock.

"The only way to trust these products is to regulate them, so the standards are fixed, regularly audited and trustworthy... We have a very risky situation, which needs immediate action to make BBFC's regulatory scheme meaningful."

Both Blake and Killock noted that the BBFC had promised a scheme along these lines, but that this was voluntary and there hadn't been a wide consultation on what it should guarantee.

A BBFC spokesperson said the certification scheme was being developed "in collaboration with industry, with the support of government and input from the [Information Commissioner's Office]", but didn't give a solid time frame for the work, saying only that more details would be published "soon".

For his part, Clark said that AgeID would not be open to UK users "until we have achieved BBFC certification", and that it would also require all its third-party providers to be certified.

Despite there being no public details of the criteria, he said he was "very confident" AgeID would pass, and expected the regulator's best practice guidance and a penetration test to be included.

And, despite saying that the firm "understands and expects" the level of scrutiny it is getting, Clark pointedly added that AgeID was "far from being the only age verification solution in the market".

However, it is the only one from a porn kingpin that is frequently rounded upon by independent providers – and AgeID makes no mention of its parent company, Mindgeek, on its website.

Blake said this came as no surprise. "Mindgeek have not historically taken responsibility for videos posted on their site which infringe copyright, nor for the way their business model has made it harder to find ethical and niche content.

"Given this, and MindGeek's catastrophic track record when it comes to keeping user data safe, it's not surprising that AgeID wants to keep the identity of their parent company quiet. But people need know the nature of the companies that they are giving their data to."

Neil Brown, lawyer at Decoded:Legal, said he suspected that for many people the lack of transparency "will not cause undue concern" – but that people who prefer to pay for porn from independent providers would likely care.

"They may not wish to support Mindgeek," he said. "However (a) that is, I expect, a small group, (b) they are probably aware of this issue, and (c) I wonder if their chosen porn sites would even use AgeID as their verification mechanism, so the issue might not arise."

It is possible that some sites have chosen not to use AgeID – but Clark declined to give any information on industry take-up of the product. However, some pornographers previously said that if AgeID became commonplace, they might have to offer it as visitors might not want to go through another, separate verification process.

The picture will become clearer over the next couple of months, as the deadline approaches and porn sites are forced to make their decisions. But in the meantime, there might be a silver lining: xHamster recently reported that traffic from the UK rose 6 per cent in 2018, which it said was typical in countries that have high-profile plans to block porn. ®