Here’s why we #ResistAV

The new age verification laws

The Conservatives have brought in new legislation, the Digital Economy Act 2017, which at first look may seem like a simple matter of restricting online porn to over-18s. But in reality, it’s an extraordinary attack on privacy and online freedom, found in no other democratic country and for good reason.

Age verification means that sites providing online porn will have to verify the age of all users before allowing them access. In practice, you cannot verify age without also verifying identity, so all porn sites will now need to check identity using details like real name, date of birth, credit card details, etc. What’s more, to be able to check that against a central database requires some fairly complex technology, so small sites will need to buy a solution rather than building their own. Any age-verification solution will have access to users’ real identities as well as their porn-watching behaviour across multiple websites – not just user-provided data to verify age, but also details of what websites they access, when and how often, what videos they watch, what search terms they use, and more. This is highly sensitive data.

“Pornographic material” is very broadly defined:

  • It includes things which anybody would recognise as porn – ie anything that has been rated R18 by the BBFC, or one might “reasonably assume” it would get that rating
  • Or – and here is where it gets especially draconian, catching quite soft-core things – material that “was produced solely or principally for the purposes of sexual arousal” and that would be rated “18” if it were classified. This would include still images, and even “series of visual images shown as a moving picture, with or without sound”, and audio only materials.

While this is UK legislation, it concerns all sites that host adult material, no matter where in the world they are hosted. If the site can be accessed from the UK, it will have to verify the age of each visitor. People visiting from outside the UK will also be affected – unless a site takes the extra steps to create geographic filters, which is quite difficult for smaller sites to arrange.

What’s the danger to user privacy?

There are two main types of risk here.

1. Misuse of data

If a company collects this kind of data, how might they use it to target you in future? Who might they be willing to sell it to? How might they use it to decide their corporate direction, to make decisions about what niche, kink or LGBTQ content to buy out or water down?

2. Data breaches

No database is perfectly secure, no matter what good intentions lie behind it. And the leaking or hacking of this kind of sensitive information would be truly devastating; after the Ashley Madison hack, some of those affected committed suicide. One can only imagine the media appetite for the verified porn-watching history of a prominent MP, or disgraced teacher, or outed celebrity.

MindGeek, the owners of some of the main streaming sites, have been developing their own age verification software for some time now, and have been working with government on getting this legislation passed. Given their influence and existing market dominance, any solution they build is likely to get taken up by the majority of sites – giving MindGeek an extraordinary database of millions of users (their estimate is 20-25 million people signing up in the first month). For a company whose business model is currently largely based on advertising, that’s a lot of valuable data. And even if we trust that MindGeek have the very best of intentions for how they might use (or not use) that data, they don’t have a great history with protecting users’ confidential data, with a succession of leaked account details and malware campaigns.

Other software providers are also working to create solutions for age verification, and some of them are doing their best to create software that respects privacy. Even so, MindGeek’s solution will, realistically speaking, be the most accessible, because the first time many people will find out about the need to verify their age will be when they visit MindGeek’s streaming sites.

We shouldn’t have to rely on the market to create AV solutions that respect privacy – the Government should take responsibility for regulating the market they have created. The only privacy requirement in the law is GDPR, which is inadequate for this extraordinary risk. We need a change in the legislation that requires AV providers to take user privacy seriously.

What can you do?

Most people don’t often talk about their porn-watching habits – and are even less likely to stand up and be counted. But this is exactly why pornography makes such an effective target for the restriction of civil liberties. As Myles Jackman has put it, pornography is the canary in the coalmine of free speech.

We need to #ResistAV. Here is how you can get involved:

  • We are raising a legal challenge in order to force legislators to take privacy seriously. Donate money to support our work.
  • The UK Parliament will soon have a vote on how age verification is going to be enforced. You can write to your MP, to make sure they are aware of the issues in time for the vote. Or tweet your MP the link to Open Rights Group briefing on AV.
  • Share information with your networks, whether privately or more publicly on social media; use the hashtag #ResistAV. The more people who are willing to stand up and talk about this, the more attention it will get and the less the government will be able to get away with sliding it under the radar.