Buried in the 2017 Conservative Party manifesto was a vow to make it "as hard for children to access violent and degrading pornography online as it is in the high street" and that "where technology can find a solution, we will pursue it".

It continued: "We will put a responsibility on industry not to direct users – even unintentionally – to hate speech, pornography, or other sources of harm."

That vow soon became law. As part of the 2017 Digital Economy Act, the government brought in new rules to ensure online pornography sites - not, somewhat crucially, social media sites, which lie beyond the legislation's remit - be blocked by age verification technology to ensure users are over the age of 18, marking a world first for a law of this kind.

The act called for the implementation of an 'age-verification regulator', a role which has been assigned to the British Board of Film Classification (BBFC). The regulator will have powers to fine non-compliant sites and force internet service providers to block companies' websites that fail to comply with the legislation. (There is also a somewhat bizarre exemption to the law in place for websites that publish pornographic content for free but where it makes up under one-third of their content.)

David Austin, chief executive of the BBFC, says: "The BBFC's new role as age-verification regulator aligns with our existing work in helping to protect children from potentially harmful material. There are a range of methods for verifying whether someone is 18 or over and we expect to see a number of solutions offered by providers to give people different ways to verify their age. The new law is not about stopping adults from watching pornography that is legal, it is about making the internet a safer place for children."

These protections were widely expected to come into effect this month, but a firm date for implementation of the policy has yet to be announced by the Department for Digital, Culture, Media & Sport (DCMS).

"This work is a world-leading step forward to protect our children from adult content which is currently far too easy to access online," a DCMS spokesperson told Techworld. "We are taking the time to get the implementation of this policy right and to ensure it is effective, and we will announce a commencement date shortly."

Editor's note: DCMS has now confirmed that age verification for online pornography will come into force on 15 July 2019.

How will age verification be implemented?

There are myriad reasons why this legislation is badly thought through, but the continued delays hint towards a government which is struggling to enforce the new blocking powers while striking the right balance on addressing data privacy concerns.

Details as to how the age verification mechanism will work after the law comes into effect are currently thin on the ground, but the BBFC will put the onus on the sites themselves to pick the right technology, before bearing down on those that don't comply.

"There will be a number of age-verification options available and these are normally provided by third-party companies, so there is no need to share personal information directly with a pornographic website," the BBFC says on its FAQ on the topic.

It adds that as the "age-verification regulator", the BBFC can't recommend individual solutions - but that it will be publishing a list of "certified solutions".

This voluntary certification scheme is in the works, and will eventually lead to a list of certified age verification solutions being published on the BBFC website, giving consumers better insight into which age verification product to use when trying to access an adult site, depending on its data security standards.

The BBFC continues: "Additionally, to make sure that age-verification providers maintain high standards, including on privacy and data security, we are developing a voluntary certification scheme for them. This involves a third-party audit and includes an assessment of an age-verification solution's compliance with strict privacy and data security requirements."

One such solution, however, comes from the offices of a small band of software developers in south-east London, and requires British adults to go down to their local newsagents to purchase a physical card, dubbed by the tabloids as a 'porn pass', to verify their age - but crucially not their identity - online.

The company in question, OCL, has created an age verification mechanism called Portes, which has since been selected by AgeID - an age verification portal owned by the world's biggest distributor of pornography and operator of the Pornhub and YouPorn websites, MindGeek - as its preferred age verification method ahead of the UK's rollout of the new age verification rules.

How does it work?

Serge Acker, CEO at OCL, told Techworld that his team were originally developing a new system for monetising content online, but when he came across the guidelines for age verification in the Digital Economy Act he "realised everything they talked about didn't make sense and was predicated on personal data being shared, like a passport scan. We thought we could develop something better."

That solution soon landed on the desk of AgeID, which selected OCL as an exclusive partner "for anonymous face-to-face age verification, plus workplace and child protection" in the UK.

"We had already seen [AgeID] take some flak for their solution and being accused of creating 'the Facebook of porn' to get all that information on people's proclivities and preferences," Acker said, "so we offered a solution to allow them to have a third-party provider that would mean they aren't judge and jury. A solution which is transparent and gives them and their users reassurance that data is not being collected in that form."

That solution, the PortesCard, will be available to purchase from anywhere with a PayPoint outlet (newsagents, essentially) at £4.99 for a single device, or £8.99 across multiple devices. Once you have bought the voucher the code must be entered or scanned via the Portes app within 24 hours. The app then generates a token, called a 'DIID', which is secured with a password, verifying your age on that device for any site that integrates with the technology, which will include all MindGeek sites from day one.

"It is ready to go and cards likewise are integrated with PayPoint's, so we can pull the trigger when the government wants to," he said. "What annoys me is they have had ample time and we have been ready, but supposedly it is more complicated than they anticipated, it isn't, so we are ready to go."

Does Acker really think people are going to go down to their newsagents to buy a porn pass though?

"I think we can mitigate that by expanding the appeal of this beyond age verification for one thing, so the shame factor of buying a 'porn pass', so specifically marketing that as simply status verification, which has privacy as its first and foremost concern," he said, citing online gambling as another use case.

Privacy concerns

Obviously privacy is a massive concern when potentially a huge number of British adults' intimate browsing habits are at stake. Some age verification technology relies on credit card details to verify a user's age. Others - like Yoti - rely on scans of a government document, like a passport.

Yoti, for its part, says that it believes "people should not have to disclose sensitive or excessive amounts of personal information just to prove they are over 18," CEO Robin Tombs told Techworld.

"So, in this instance, they can share their verified ‘over 18’ attribute with an adult website without sharing any other personal details, ensuring complete anonymity," he added.

Yoti also assures users that it encrypts and stores data "using separate cryptographic keys, [meaning] we ensure there isn’t one big honeypot of data for hackers to target. Your data is stored in a Tier 3 UK data centre and as a company we are ISO27001 certified, which means we follow a strict set of security guidelines in all of our operations," according to the security page of its website.

"In the unlikely event that our systems were compromised and our 256-bit encryption keys were cracked, a criminal might get to just one piece of information about you - your date of birth, for example. Nothing else, just your date of birth," it adds.

Acker makes it very clear that OCL's Portes solution collects no personal data in the first place, as the card is obtained from an independent retailer and no data is collected at purchase, and then the app asks for no personally identifiable information. There can't be an Ashley Madison-esque database to hack because there is no database in the first place.

"That honeypot doesn't exist because we don't link anything together," he said. "We never ask for an email address to create a login that goes onto a database, we don't collect an IP address, phone number, anything remotely connected to you."

Acker added that OCL is currently working on developing its software development kit (SDK) and is "thinking of ways to open source that while remaining a commercial enterprise". He also said the company will go through the voluntary certification process and submit to regular data audits from the Information Commissioner's Office (ICO) to assure customers that no data is being collected.

"We had a lot of ethical concerns getting involved with the adult market at all," he added. "But what clinched it was ensuring that privacy is being regarded as important. Also, we thought we could add value to allow people to do something without being stigmatised or recorded for that. What really clinched it for us ethically though is that we can allow people to do what they want, while also protecting children."

For its part the BBFC says that "data privacy is so important that it has its own regulator – the ICO – which has the expertise and powers to apply strict data protection standards that pornographic services have to adhere to". The BBFC says it has a memorandum of understanding with the ICO on this issue, with little clarity as to what that actually means.

In a May 2018 blog post, Jim Killock, executive director at the Open Rights Group, outlined his concerns with the legislation.

"We asked the BBFC to tell government that the legislation is not fit for purpose," he wrote, "and that they should halt the scheme until privacy regulation is in place. We pointed out that card payments and email services are both subject to stronger privacy protections than Age Verification."

"The government's case for non-action is that the Information Commissioner and data protection fines for data breaches are enough to deal with the risk. This is wrong: firstly because fines cannot address the harm created by the leaking of people's sexual habits. Secondly, it is wrong because data breaches are only one aspect of the risks involved."

Killock takes particular issue with the voluntary nature of the BBFC's privacy certification scheme, writing: "There is nothing to stop an operator from leaving the voluntary scheme so it can make its data less private, more shareable, or more monetisable. It's voluntary, after all."

In the post he goes on to list the myriad ways a voluntary scheme is unsatisfactory, concluding that making the provisioning of privacy for age verification compulsory "may involve a short delay to this already delayed scheme. But that is better, surely, than risking damage to the privacy, personal lives and careers of millions of UK people regularly visiting these websites."

"The problem is a lack of specific regulation," Killock told Techworld. "Without that, there is no reason to trust any company's promises on privacy. Policies change. Ownership of companies changes. Only the law can give you certainty."

DCMS told Techworld that a commencement date for the implementation of age verification for adult sites will be shared "soon".