Showing posts with label Online Safety Act. Show all posts

2025-07-27

Age verification

The Online Safety Act is now in force, so porn sites accessed from the UK have to block you unless you prove your age.

There is even a petition to repeal and rework it. Do sign, but we all doubt it will help. Maybe if it gets to millions.

Just to be clear - this legislation does not just impact porn sites, or just adult sites, but millions of sites and services, and there are millions more that may be in scope. This is not something where one can say that compliance is a "cost of doing business" as the vast majority of sites and services in scope are not businesses. They do not have money to comply, or even to get legal advice to find out if they have to comply - get it wrong and they face huge fines. That is the crux of the petition.

Let's stick to porn sites for now.

This is a huge invasion of privacy and a largely pointless exercise as there is no real way to stop teenagers that want to access porn from doing so. In my opinion a better approach is education, and especially on the nature of porn as fantasy and fiction so young people do not get the wrong idea about healthy sexual relationships. Blocking will not work, in my view, but it creates a lot of problems.

  • It does not just impact kids, it impacts everyone.
  • The legislation has huge overreach, causing a lot of harmless sites to shut down to avoid the burdens and risk involved. It is not even clear when it applies (what of a shared diary with my wife and nobody else? That seems in scope of risk assessments, at least, as we can each post user content the other sees, and perhaps even AV if anything we add is racy).
  • It creates a norm of proving your ID, or camera access, in order to access many web sites (not just porn sites), so opening the floodgates for scammers. Even if some sites have less intrusive means (see SMS below) there will be scammer sites that insist on camera access.
  • Even when not scammers, it creates the risk of huge databases of sexual preferences linked to real identities being leaked.
  • Teenagers will find ways around it, and even have to help adults to do so (irony!).
  • It is questionable as to the extent that porn is actually harmful in the first place, especially with associated education.
  • Obviously VPNs are a way to bypass as the restrictions are country specific.

So, let's look at what has happened.

I have done a few checks, and the AV falls into a few categories as to how it works. This is "legit" AV, scammers may be more creative... Actually I have only checked one site which seems to use "age>>go". Some other sites start by insisting on a sign up to the site and creating a login before they do any more checks, which seems intrusive.

But these are some of the "age>>go" choices...

  • A selfie - i.e. allow video/camera access on your device (can you see how that can be abused), and confirm some facial expressions (open mouth). Apparently there are on-line images with expression settings to which you can easily point your camera in order to circumvent this and that is just some games, not even a site set up for this purpose, yet.
  • ID upload, like wow - how can that be abused, but also selfie to match ID. No idea if that copes well with edited images in the ID. I was not going to upload an ID, sorry.
  • An SMS check, sends a code and they confirm the mobile operator has no age restriction.
  • A credit card check. I have not tried this, but they do know kids can have cards? Maybe kids cards are debit not credit cards and that matters somehow. It claims to be a zero value "active card check" - does that show on all card apps? i.e. borrowing a parent's card may work, and leave no trace... Again, I was not going to provide a credit card - but you can see how scam sites will abuse this.

SMS

I looked specifically at the SMS, which concerns me for several reasons. This is, however, by far the least intrusive - as no camera or images or actual ID, just a mobile number.

They take a number and send an SMS with a code to enter, and then do a check with the operator to confirm the number has no age restrictions. This may be an issue in itself - the privacy policy for mobile services can be vague, but sharing whether you have age restrictions with a third party, for a number, is not a clearly identified thing that I can see. So may, in itself, be a GDPR issue.

What they do not immediately say is they then want an email address to which they can send a code. This too is a GDPR issue, as having confirmed you (a) control the number (can get SMS), and (b) the operator confirms no age restrictions, they have no legitimate interest in knowing an email address, and no option to not provide one that works. And this was a "legit" AV site. Scammers will do way more.

What is interesting is the email address has a "remember me" option - but it is not clear what for. Well, the answer is that you can then verify using "login", i.e. enter the email address and get emailed a code. So the use of the mobile number has now made the email verified with no further need to use the mobile number.

Back of the bike sheds!

This is one of the concerns I had with any age verification system.

So let's assume that...

  • Some teenager happens to have access to a mobile with SMS and no age restriction for some reason, or
  • A sixth former that is 18 has legitimate mobile SMS with no age restriction, or
  • Some guy in a dodgy trench coat has legitimate mobile SMS with no age restriction.

Can they sell (or just give) AV access to horny teenagers?

(Just to be clear, A&A numbers fail to get this to work, the SMS works, but then says you do not have access. This is no surprise as we have no system to allow some third party to check if our SIMs have age restrictions.)

Obviously they can simply provide the code sent to their mobile, and code emailed to them, to their customer to allow them access.

But actually it is even simpler.

Using the mobile number for the first step, and their customer's email address for the second step, either the customer tells them the emailed code, or the supplier tells the customer the mobile code; either way, the customer's email address is the one used. Now the customer's email is considered verified, and can be used to login in future without the need for the mobile number. It just needs access to an email address.

By using a domain and mail forwarding the customer's email can be hidden as well, allowing for some ongoing income as the supplier can revoke the mail forwarding at any time.

So yes, this now creates an opportunity for people to exploit others - even adults that want access without giving up any details! Of course those doing the exploiting can be scammy as well, they know the email address, and can even see how often it is used if they wanted.

Testing

I used a mobile (Three data SIM with no age restriction - I am an adult after all) and an email address (one of my @fuck.me.uk addresses) to get access to a dodgy site, yay! But also I can then login using just the email address.

I then did the same, using the same mobile number, but a different email address. This also worked, and both email addresses can now simply login using the email address. I can now forward the second email address to someone else and they can simply login. This has the advantage for them that the site and AV service do not have their details (mobile or real email). No, I am not going to send to a child, obviously.

Now, I do not know if they permanently allow the login or ever re-validate using SMS. It is not even clear how long a site grants access from a login (though clearly at least a day, from my testing).
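To make the weakness in the SMS section and the "back of the bike sheds" scenario concrete, here is an added simulation of the flow; it is example code written for this page, not age>>go's code or anything from the AV service. The operator lookup table is constructed, and the `strict` mode shows two assumed mitigations (a 24 hour expiry on the email binding that forces the SMS and operator check again, and one active email per phone number) that the post does not say any real service implements.

```python
import secrets
import time

# Constructed operator lookup table for the simulation. Assumption: the AV
# service asks the mobile operator whether the number carries an age
# restriction; the real operator API is not described in the post.
OPERATOR_AGE_RESTRICTED = {
    "+447700900001": False,  # adult contract, no restriction
    "+447700900002": True,   # child SIM with an adult-content bar
}


class AgeVerifier:
    """SMS-then-email age verification, modelled on the flow in the post.

    strict=False reproduces the observed behaviour: once an email address has
    been confirmed it becomes a standalone login credential with no expiry and
    no limit on how many addresses one phone number can confirm.

    strict=True adds the assumed mitigations: the email binding expires after
    `ttl` seconds (so the SMS and operator check must be redone), and a phone
    number can hold only one active email binding at a time.
    """

    def __init__(self, strict, ttl=24 * 3600, clock=time.time):
        self.strict = strict
        self.ttl = ttl
        self.clock = clock
        self.pending_sms = {}      # phone -> code
        self.pending_email = {}    # email -> (code, verified phone)
        self.verified_email = {}   # email -> (phone, verified_at)
        self.phone_binding = {}    # phone -> email (strict mode only)

    @staticmethod
    def _code():
        return f"{secrets.randbelow(10**6):06d}"

    def send_sms(self, phone):
        """Step 1: send a code to the phone (returned here instead of texted)."""
        self.pending_sms[phone] = self._code()
        return self.pending_sms[phone]

    def confirm_sms(self, phone, code):
        """Step 2: check the code, then ask the operator about age restrictions.
        Returns the phone as a 'verified phone' handle, or None on failure
        (wrong code, restricted SIM, or an operator the service cannot query)."""
        if self.pending_sms.pop(phone, None) != code:
            return None
        if OPERATOR_AGE_RESTRICTED.get(phone, True):
            return None
        return phone

    def send_email_code(self, verified_phone, email):
        """Step 3: the extra email step the post describes."""
        self.pending_email[email] = (self._code(), verified_phone)
        return self.pending_email[email][0]

    def confirm_email(self, email, code):
        """Step 4: confirm the email; it now inherits the phone's verification."""
        entry = self.pending_email.pop(email, None)
        if entry is None or entry[0] != code:
            return False
        phone = entry[1]
        if self.strict:
            previous = self.phone_binding.get(phone)
            if previous is not None and previous != email:
                self.verified_email.pop(previous, None)  # one email per phone
            self.phone_binding[phone] = email
        self.verified_email[email] = (phone, self.clock())
        return True

    def login(self, email):
        """Later visit: the 'remember me' login using only the email address."""
        entry = self.verified_email.get(email)
        if entry is None:
            return False
        if self.strict and self.clock() - entry[1] > self.ttl:
            del self.verified_email[email]  # expired: redo the SMS step
            return False
        return True


def verify_with_email(av, phone, email):
    """Run all four steps for one (phone, email) pair; True if access granted."""
    verified = av.confirm_sms(phone, av.send_sms(phone))
    if verified is None:
        return False
    return av.confirm_email(email, av.send_email_code(verified, email))


def delegation_scenario(strict, hours_later=0):
    """The post's scenario: one unrestricted phone confirms two different email
    addresses, then each address tries to log in on its own, possibly some
    hours later. Returns (first_email_ok, second_email_ok)."""
    now = [0.0]
    av = AgeVerifier(strict, clock=lambda: now[0])
    phone = "+447700900001"
    verify_with_email(av, phone, "first@example.invalid")
    verify_with_email(av, phone, "second@example.invalid")
    now[0] += hours_later * 3600
    return (av.login("first@example.invalid"), av.login("second@example.invalid"))
```

In the non-strict model both addresses keep working indefinitely, which is exactly what makes the email address a resellable credential detached from the phone. In the strict model the second confirmation revokes the first, and a day later even the second address is sent back to the SMS step, so a forwarded mailbox is only worth as much as the phone holder's willingness to repeat the check; the child SIM and the unknown operator (the A&A case in the post) fail at step 2 either way.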

More data collection

Another issue here is that it allows access to a site to be correlated. With NAT and incognito browsing it is harder to link multiple accesses to be the same person (though browser fingerprinting may allow this). But if there is a login of some sort - or some auth code from the AV service, it can allow all accesses to be linked together, even if not knowing the actual personal identity. With common AV systems it could allow multiple sites' accesses to be correlated now without even the need for working cross site cookies / pixels, etc.
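As an added illustration of the cross-site correlation point (example code for this page, not from the post or any AV provider), the block below contrasts an AV provider that hands every site the same identifier for a person with one that derives a per-site pseudonym. The per-site derivation is an assumed mitigation along the lines of OpenID Connect's pairwise subject identifiers; the user names, site names and provider secret are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed: the AV provider's secret key and the people it has verified.
PROVIDER_SECRET = secrets.token_bytes(32)
USERS = ["alice", "bob", "carol"]
SITES = ["site-a.invalid", "site-b.invalid"]


def global_token(user_id, site_id):
    """Weak design: one identifier per person, the same at every site, so any
    two sites (or anyone holding both sites' logs) can join their records.
    site_id is accepted but ignored, to match pairwise_token's signature."""
    return hashlib.sha256(user_id.encode()).hexdigest()


def pairwise_token(user_id, site_id, secret=PROVIDER_SECRET):
    """Per-site pseudonym: an HMAC keyed with the provider's secret over
    (site, user). The same person gets a stable token at one site and an
    unrelated token at every other site; without the secret, sites cannot
    compute each other's tokens."""
    msg = site_id.encode() + b"\x00" + user_id.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def linkable_users(token_fn, users=USERS, sites=SITES):
    """Build each site's token log, then count how many people two sites can
    match simply by comparing the tokens they were given."""
    logs = {site: {token_fn(u, site) for u in users} for site in sites}
    first, second = (logs[s] for s in sites[:2])
    return len(first & second)


def stable_within_site(token_fn, user="alice", site="site-a.invalid"):
    """The site still sees one stable token per person across visits, which is
    what lets it link all of that person's accesses, as the post describes."""
    return token_fn(user, site) == token_fn(user, site)
```

Pairwise tokens remove the cross-site join but change nothing within a site: every visit under the same login or AV code is still tied together there, so the only design that avoids that is a one-off "over 18" assertion carrying no stable identifier, which is incompatible with the "remember me" convenience the service offers.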

Update:

What is interesting is that age>>go have dropped ID check as a verification, and then a bit later dropped credit card check as well. They only have selfie and SMS now, but still - once an email address is validated you only need that working email address!

Update:

Oddly it has changed to Selfie and credit card now. There is shit going down behind the scenes.

2025-03-19

Hamsters

You may or may not know, there is a porn site called xhamster - I have literally no idea why it is called that. 

I'll save you visiting the site to check: Even though it has a cookie banner, it has no attempt whatsoever to operate the age verification required by the Online Safety Act. Not even a simple "I am over 18" button (which would not comply).

Yet, it is reported a forum for people with pet hamsters has shut down, along with hundreds of other sites and forums run by volunteers and individuals, because of the risk of fines and cost of compliance with this crazy new law.

OFCOM reportedly consider the costs of compliance for small sites “are likely to be negligible or in the small thousands at most”. Even without the risk of a fine of up to £18,000,000.00, the costs of "small thousands" of pounds, which OFCOM considers negligible, is more than a small volunteer site can bear, understandably. We are not talking businesses with income and a budget for legal fees here!

What is especially frustrating is the unknown - I don't know if this blog is in scope, and if so whether google or I personally am at risk of a fine. Worse - actual lawyers don't know either. I don't know if my GitHub repositories are in scope, and if so whether GitHub or I am liable. I don't know if my single user mastodon instance is in scope, etc... OFCOM have even admitted that they have no definition of "email" (one of the exceptions - yes you, or kids, can be on a porn email mailing list with no restrictions under this law). I have, again, written to my MP asking these questions.

A fun one, I do not know: If my blog is in scope as it has user generated content (comments), if I stop publishing comments (i.e. they get emailed to me, which is out of scope, and maybe I paraphrase and reply by an edit on the blog post) does that make it out of scope, or do I have to delete the user comments from before the new law came in to force as well?

Think of the Children, indeed, but making millions of individuals with small sites comply, at a cost of thousands of pounds each, is just crazy, especially when the law is not even doing what it aimed to in the first place.

By the way, my personal view on porn is that we need better education for children on the nature of porn as entertainment, and how actual relationships are not the same - after all we allow crazy violence in TV films and shows as entertainment, which people know is not "real" (even for <18 rated films where someone blows up the planet, etc), but have a hang up over porn for some reason. At the end of the day nothing will stop a teenager with hormones from seeing porn, so let's accept that and educate to make that safer for society. But that is just my view. You may disagree, which is fine.

“There is a simple solution – the Secretary of State can exempt small, safe websites from onerous Online Safety duties, and protect plurality online.”. In practice this could be suitably worded so that small sites (by some measurable metric), and non business sites, etc, only need to comply if explicitly notified by OFCOM. This would mean no loophole for small sites that are actually porn sites, but provide the reassurance for those with pet hamsters to be able to continue their forum.

QR abuse...

I'm known for QR code stuff, and my library, but I have done some abuse of them for fun - I did round pixels  rather than rectangular, f...