2025-07-27

Age verification

The Online Safety Act is in force to block porn sites accessed in the UK now. You have to prove your age.

There is even a petition to repeal and rework it. Do sign, but we all doubt it will help. Maybe if it gets to millions.

Just to be clear - this legislation does not just impact porn sites, or just adult sites, but millions of sites and services, and there are millions more that may be in scope. This is not something where one can say that compliance is a "cost of doing business" as the vast majority of sites and services in scope are not businesses. They do not have money to comply, or even to get legal advice to find out if they have to comply - get it wrong and they face huge fines. That is the crux of the petition.

Let's stick to porn sites for now.

This is a huge invasion of privacy and a largely pointless exercise as there is no real way to stop teenagers that want to access porn from doing so. In my opinion a better approach is education, and especially on the nature of porn as fantasy and fiction so young people do not get the wrong idea about healthy sexual relationships. Blocking will not work, in my view, but it creates a lot of problems.

  • It does not just impact kids, it impacts everyone.
  • The legislation has huge overreach, causing a lot of harmless sites to shut down to avoid the burdens and risk involved. It is not even clear when it applies (what of a shared diary with my wife and nobody else? That seems in scope of risk assessments, at least, as we can each post user content the other sees, and perhaps even AV if anything we add is racy).
  • It creates a norm of proving your ID, or camera access, in order to access many web sites (not just porn sites), so opening the floodgates for scammers. Even if some sites have less intrusive means (see SMS below) there will be scammer sites that insist on camera access.
  • Even when not scammers, it creates the risk of huge databases of sexual preferences linked to real identities being leaked.
  • Teenagers will find ways around it, and even have to help adults to do so (irony!).
  • It is questionable as to the extent that porn is actually harmful in the first place, especially with associated education.
  • Obviously VPNs are a way to bypass as the restrictions are country specific.

So, let's look at what has happened.

I have done a few checks, and the AV falls into a few categories as to how it works. This is "legit" AV; scammers may be more creative... Actually I have only checked one site, which seems to use "age>>go". Some other sites start by insisting on a sign up to the site and creating a login before they do any more checks, which seems intrusive.

But these are some of the "age>>go" choices...

  • A selfie - i.e. allow video/camera access on your device (can you see how that can be abused), and confirm some facial expressions (open mouth). Apparently there are on-line images with expression settings to which you can easily point your camera in order to circumvent this and that is just some games, not even a site set up for this purpose, yet.
  • ID upload, like wow - how can that be abused, but also selfie to match ID. No idea if that copes well with edited images in the ID. I was not going to upload an ID, sorry.
  • An SMS check, sends a code and they confirm the mobile operator has no age restriction.
  • A credit card check. I have not tried this, but they do know kids can have cards? Maybe kids cards are debit not credit cards and that matters somehow. It claims to be a zero value "active card check" - does that show on all card apps? i.e. borrowing a parent's card may work, and leave no trace... Again, I was not going to provide a credit card - but you can see how scam sites will abuse this.

SMS

I looked specifically at the SMS, which concerns me for several reasons. This is, however, by far the least intrusive - as no camera or images or actual ID, just a mobile number.

They take a number and send an SMS with a code to enter, and then do a check with the operator to confirm the number has no age restrictions. This may be an issue in itself - the privacy policy for mobile services can be vague, but sharing whether you have age restrictions with a third party, for a number, is not a clearly identified thing that I can see. So may, in itself, be a GDPR issue.

What they do not immediately say is they then want an email address to which they can send a code. This too is a GDPR issue, as having confirmed you (a) control the number (can get SMS), and (b) the operator confirms no age restrictions, they have no legitimate interest in knowing an email address, and no option to not provide one that works. And this was a "legit" AV site. Scammers will do way more.

What is interesting is the email address has a "remember me" option - but not clear what for. Well, the answer is that you can then verify using "login", i.e. enter the email address and get emailed a code. So the use of the mobile number has now made the email verified with no further need to use the mobile number.

Back of the bike sheds!

This is one of the concerns I had with any age verification system.

So let's assume that...

  • Some teenager happens to have access to a mobile with SMS and no age restriction for some reason, or
  • A sixth former that is 18 has legitimate mobile SMS with no age restriction, or
  • Some guy in a dodgy trench coat has legitimate mobile SMS with no age restriction.

Can they sell (or just give) AV access to horny teenagers?

(Just to be clear, A&A numbers fail to get this to work, the SMS works, but then says you do not have access. This is no surprise as we have no system to allow some third party to check if our SIMs have age restrictions.)

Obviously they can simply provide the code sent to their mobile, and code emailed to them, to their customer to allow them access.

But actually it is even simpler.

The supplier uses their own mobile number for the first step and the customer's email address for the second step. Either the customer passes the emailed code to the supplier, or the supplier passes the mobile code to the customer; either way, it is the customer's email address that gets entered. Now the customer's email is considered verified, and can be used to log in in future without the need for the mobile number. It just needs access to an email address.

By using a domain and mail forwarding the customer's email can be hidden as well, allowing for some ongoing income as the supplier can revoke the mail forwarding at any time.

So yes, this now creates an opportunity for people to exploit others - even adults that want access without giving up any details! Of course those doing the exploiting can be scammy as well, they know the email address, and can even see how often it is used if they wanted.

Testing

I used a mobile (Three data SIM with no age restriction - I am an adult after all) and an email address (one of my @fuck.me.uk addresses) to get access to a dodgy site, yay! But also I can then log in using just the email address.

I then did the same, using the same mobile number, but a different email address. This also worked, and both email addresses can now simply log in using the email address. I can now forward the second email address to someone else and they can simply log in. This has the advantage for them that the site and AV service do not have their details (mobile or real email). No, I am not going to send to a child, obviously.

Now, I do not know if they permanently allow the login or ever re-validate using SMS. It is not even clear how long a site grants access from a login (though clearly at least a day, from my testing).
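To make the weakness described in the SMS section and reproduced in the testing above concrete, here is a small model of the flow as an added example (not the AV provider's code; the policy names, operator table, codes and addresses are all constructed assumptions). The weak policy mirrors what was observed: once an email address has been confirmed against a verified mobile, it becomes a stand-alone login with no cap on how many addresses one mobile can bind and no re-validation. The strict policy shows the two checks a defender would want: one email per mobile, and an email login that lapses until the SMS step is repeated.

```python
"""
Model of the SMS + email age-verification flow, weak binding beside a stricter
policy. Constructed example; nothing here is the real AV provider's logic.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

# Constructed operator lookup: mobile number -> operator reports an age restriction.
OPERATOR_RESTRICTED = {
    "+447700900001": False,  # adult SIM, no restriction
    "+447700900002": True,   # restricted SIM (e.g. a child's)
}


@dataclass
class Policy:
    max_emails_per_mobile: int = 10**9        # weak: effectively unlimited
    email_login_ttl: float = float("inf")     # weak: email login never expires


STRICT = Policy(max_emails_per_mobile=1, email_login_ttl=24 * 3600)  # assumed values


@dataclass
class AvService:
    policy: Policy
    clock: Callable[[], float] = time.time
    pending_sms: dict = field(default_factory=dict)    # mobile -> code
    verified_mobiles: set = field(default_factory=set)
    pending_email: dict = field(default_factory=dict)  # email -> (code, mobile)
    emails: dict = field(default_factory=dict)         # email -> (mobile, verified_at)

    def send_sms(self, mobile):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_sms[mobile] = code
        return code  # delivered by SMS in reality; returned here for the simulation

    def confirm_sms(self, mobile, code):
        if self.pending_sms.pop(mobile, None) != code:
            return False
        # Unknown operator (e.g. a SIM the service cannot query) is treated as restricted.
        if OPERATOR_RESTRICTED.get(mobile, True):
            return False
        self.verified_mobiles.add(mobile)
        return True

    def send_email_code(self, mobile, email):
        if mobile not in self.verified_mobiles:
            return None
        bound = sum(1 for m, _ in self.emails.values() if m == mobile)
        if email not in self.emails and bound >= self.policy.max_emails_per_mobile:
            return None  # strict policy: this mobile has already bound its one address
        code = secrets.token_hex(4)
        self.pending_email[email] = (code, mobile)
        return code

    def confirm_email(self, email, code):
        entry = self.pending_email.pop(email, None)
        if entry is None or entry[0] != code:
            return False
        self.emails[email] = (entry[1], self.clock())
        return True

    def email_login(self, email):
        """Later visit: only the email is presented. True means access is granted
        with no fresh SMS step; under STRICT that stops once the TTL has lapsed."""
        entry = self.emails.get(email)
        if entry is None:
            return False
        _, verified_at = entry
        return self.clock() - verified_at < self.policy.email_login_ttl


def run_flow(policy, clock=time.time):
    """Reproduce the test in the post: one mobile, two addresses, then email-only logins."""
    av = AvService(policy, clock)
    mobile = "+447700900001"
    assert av.confirm_sms(mobile, av.send_sms(mobile))
    results = {}
    for email in ("first@example.invalid", "second@example.invalid"):
        code = av.send_email_code(mobile, email)
        results[email] = code is not None and av.confirm_email(email, code)
    return av, results


if __name__ == "__main__":
    for name, policy in (("weak", Policy()), ("strict", STRICT)):
        av, results = run_flow(policy)
        print(name, results, av.email_login("second@example.invalid"))
```

Under the weak policy the second address binds and logs in on its own, which is exactly the hand-off the post describes; under the strict policy it is refused, and even the first address stops working after the assumed 24 hours until the mobile is checked again. The model deliberately keeps the operator query as a simple table, since how (or whether) an operator exposes a restriction flag to third parties is the open question raised above.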

More data collection

Another issue here is that it allows accesses to a site to be correlated. With NAT and incognito browsing it is harder to link multiple accesses to the same person (though browser fingerprinting may allow this). But if there is a login of some sort, or some auth code from the AV service, it can allow all accesses to be linked together, even without knowing the actual personal identity. With common AV systems it could allow multiple sites' accesses to be correlated, now without even the need for working cross-site cookies, pixels, etc.
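The cross-site correlation point can be shown with a few lines, as an added example (not any real AV provider's scheme; the subject ids, site names and secret are constructed). If the AV service hands every relying site the same opaque value for a verified person, two sites that compare their logs can match visitors with no cookies at all. A per-site pairwise pseudonym, an HMAC over the site name and subject under a secret only the AV service holds, gives each site a stable value for its own repeat visitors but nothing that matches another site's values.

```python
"""
Global AV token (linkable across sites) beside a pairwise per-site pseudonym.
Constructed example; the AV service could of course still link internally.
"""
import hashlib
import hmac
import secrets


def global_token(av_secret: bytes, subject_id: str, site: str) -> str:
    """Linkable design: one value per verified subject, the same at every site.
    (av_secret and site are ignored; the signature just matches pairwise_token.)"""
    return hashlib.sha256(subject_id.encode()).hexdigest()


def pairwise_token(av_secret: bytes, subject_id: str, site: str) -> str:
    """Per-site pseudonym: keyed hash over (site, subject). Without av_secret a site
    cannot recompute another site's values, so logs cannot be joined on the token."""
    msg = f"{site}\x00{subject_id}".encode()
    return hmac.new(av_secret, msg, hashlib.sha256).hexdigest()


def joinable(log_a, log_b) -> int:
    """How many visitors two sites can match by comparing the tokens in their logs."""
    return len(set(log_a) & set(log_b))


def simulate(token_fn) -> int:
    """Three verified subjects visit site A, two of them also visit site B."""
    av_secret = secrets.token_bytes(32)
    subjects = ["sub-1", "sub-2", "sub-3"]
    site_a_log = [token_fn(av_secret, s, "site-a.example") for s in subjects]
    site_b_log = [token_fn(av_secret, s, "site-b.example") for s in subjects[:2]]
    return joinable(site_a_log, site_b_log)


if __name__ == "__main__":
    print("global token, matched visitors:", simulate(global_token))    # 2
    print("pairwise token, matched visitors:", simulate(pairwise_token))  # 0
```

Note what the pairwise design does not fix: `pairwise_token` is deterministic for a given site, so a single site (or a cookie-less AV callback to it) can still link every visit by the same person, which is the first half of the concern above. Only a fresh per-session value would remove that, at the cost of the site having to re-check with the AV service each time.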
