Age-verification providers are privately calling for a compulsory certification scheme ahead of the UK government's controversial online porn laws due to come into force next month.
The voluntary standard for protecting the privacy of people viewing filth online, who will have to pass mandatory age checks, is being overseen by the British Board for Film Classification.
However, according to the Open Rights Group (ORG), that currently falls short in meeting adequate standards of cybersecurity and data protection.
The controversial legislation could risk serious data breaches as age verification connects the identities of millions of British adults to their viewing choices.
"In our view, the government must legislate without delay to place a statutory requirement on the BBFC to implement a mandatory certification scheme and to grant the BBFC powers to require reports and penalise non-compliant providers," said the digital campaign group.
As it stands, the BBFC cannot fine or discipline providers that fail to protect people's data, making it hard for consumers to distinguish between trustworthy and untrustworthy providers, said the ORG.
ORG chief exec Jim Killock said the body is not alone. "Privately many age-verification providers have expressed a preference for the certificate to be compulsory."
Such a move would level the playing field – meaning providers' competitors adhere to the same standard of compliance, and provide better protection for the data of those of us who visit age-checked websites.
The body noted the current guidance on security, encryption, pseudonymisation and data retention in the standard (PDF) – published in April – is vague and imprecise, and often refers to generic "industry standards" without explanation.
"At a bare minimum, the standard should specify a list of cryptographic protocols which are not adequate for certification," it said.
Under the Digital Economy Act 2017, commercial pornographic websites will be required to implement controls that prevent individuals under the age of 18 from accessing content from 15 July.
MindGeek's AgeID, one of the major age-verification portals and one which shares its parent firm with mega pornographic video sharing and pornography site PornHub, has said it expects 20-25 million UK adults to sign up for its service in the first month.
Alastair Graham, CEO of AgeChecked, said: "I believe that AgeChecked is not alone in having wanted the Digital Economy Act to require providers to go through a mandatory certification. The BBFC's scheme scrutinises the security and privacy practices of providers, but its voluntary nature means that not all age verification providers have to go through the rigorous certification process."
A spokesman from the Department for Digital, Culture, Media and Sport said: "Adult content is currently far too easy for children to access online. The introduction of mandatory age-verification is a world-first, and we've taken the time to balance privacy concerns with the need to protect children from inappropriate content.
"We want the UK to be the safest place in the world to be online, and these new laws will help us achieve this."
The department has said providers of age-verification controls will be subject to data protection laws as usual, while the BBFC will work closely with the Information Commissioner's Office to ensure that their standards are met by providers, particularly with regards to security, data minimisation and privacy by design. ®