Archive for the ‘Age Verification’ Category

Read more uk_internet_censors.htm at MelonFarmers.co.uk
ICO’s Data Protection Training
The Pavlov Method
 ☑  Yes I won’t read this message, and yes you can do what the fuck you like with my porn browsing data
 ☑  Yes please do, I waive all my GDPR rights
 ☑  Yes I won’t read this message, and yes, feel free to blackmail me
 ☑  Yes you can do anything you like ‘to make my viewing experience better’
 ☑  Yes, no need to ask, I’ll tick anything

With callous disregard for the safety of porn users, negligent lawmakers devised an age verification scheme with no effective protection of porn users’ identity and porn browsing history. The Government considered GDPR requirements to be protection enough, where internet users are trained to blindly tick a box to give consent to the internet companies doing what the fuck they like with their data. Now internet users are well conditioned, like Pavlov’s dog, to tick the hundreds of tick boxes they are presented with daily. And of course nobody ever reads what they are consenting to; life’s too short.

After a while the government realised that the total lack of data protection for porn users may actually prevent their scheme from getting off the ground, as porn users would simply refuse to get age verified. This would result in bankrupt AV companies and perverse disincentives for porn websites. Those that implement AV would then experience a devastating drop off in traffic and those that refuse age verification would be advantaged.

So the government commissioned a voluntary kitemark scheme for AV companies to try and demonstrate to auditors that they keep porn identity and browsing history safely. But really the government couldn’t let go of its own surveillance requirements to keep the browsing history of porn users. Eventually some AV companies won the right to have a scheme that did not log people’s browsing history, but most still do maintain a log (justified as ‘fraud protection’ in the BBFC kitemark scheme description).

Now it appears that those who try to avoid the dangers of AV via VPNs may not be as safe as they would hope. The Henry Jackson Society has been researching the VPN industry and has found that 30% of VPNs are owned by Chinese companies that have direct data paths to the Chinese government.

Surely this raises extreme security issues, as people who privately use porn could then be set up for blackmail or pressure from the Chinese authorities.

The government needs to put an end to the current AV scheme and go back to the drawing board. It needs to try again, this time with absolute legal requirements to immediately delete porn users’ identity data and to totally ban the retention of browsing logs.

Anyway, the Henry Jackson Society explains its latest revelations:

Chinese spies could exploit Government’s new porn laws to gather compromising material on businessmen, civil servants and public figures, say think tanks.

They say Chinese firms have quietly cornered the market in technology that enables people to access porn sites without having to register their personal details with age verification firms or buy an age ID card in a newsagent.

The new law requires those accessing porn sites to prove they are 18 but the checks and registration can be by-passed by signing up to a Virtual Private Network (VPN). These anonymise the location of a computer by routing its traffic through a server based at remote locations.

It has now emerged through an investigation by security experts that many of the VPNs are secretly controlled by Chinese owned firms – as many as 30% of the networks worldwide.

It means that a VPN user’s viewing habits and data can not only be legally requested by the Chinese Government under its lax privacy laws but the VPNs could themselves also be state-controlled, according to the Adam Smith Institute and Henry Jackson Society.

Sam Armstrong, spokesman for the Henry Jackson Society, said:

A list of billions of late-night website visits of civil servants, diplomats, and politicians could – in the wrong hands — amount to the largest-ever kompromat file compiled on British individuals.

Those in sensitive jobs are precisely the types of individuals who would seek to use a VPN to circumvent the trip to the newsagent to buy a porn pass.

Yet, the opaque ownership of these VPNs by Chinese firms means there is a real likelihood any browsing going through them could fall into the hands of Chinese intelligence.

Digital Minister Margot James has apologised for the six-month delay on the so-called porn block, which had been due to take effect today (16th July). It is designed to force pornography websites to verify users are over 18.

But the law has been delayed twice – most recently because the UK government failed to properly notify European regulators. James told the BBC:

I’m extremely sorry that there has been a delay. I know it sounds incompetent. Mistakes do happen, and I’m terribly sorry that it happened in such an important area.

Of course the fundamental mistake is that the incompetent lawmakers cared only about ‘protecting the children’ and gave bugger all consideration to the resulting endangerment of the adults visiting porn sites.

It took the government months, but it finally started to dawn on them that perhaps they should do something to protect the identity data that they are forcing porn users to hand over, which can then be pinned to their porn browsing history. They probably still didn’t care about porn users but perhaps realised that the scheme would not get off the ground if it proved so toxic that no one would ever sign up for age verification at all.

Well, as a belated afterthought, the government, BBFC and ICO went away to dream up a few standards that perhaps the age verifiers ought to be sticking to, to try and ensure that data is being kept safe.

So then the whole law ended up as a bag of worms. The authorities now realise that there should be a level of data protection, but unfortunately this is not backed up by the law that was actually passed. So now the data protection standards suggested by the government/BBFC/ICO are only voluntary and there remains nothing in law to require that the data actually be kept safe. And there is no recourse against anyone who ends up exploiting people’s data.

The Open Rights Group have just written an open letter to the government to ask it to change its flawed law and actually require that porn users’ data is kept properly safe:

The Rt Hon Jeremy Wright QC MP Secretary of State for Digital, Culture, Media and Sport

Re: BBFC Age Verification Privacy Certification Scheme

Dear Secretary of State,

We write to ask you to legislate without delay to place a statutory requirement on the British Board of Film Classification (BBFC) to make their privacy certification scheme for age verification providers mandatory. Legislation is also needed to grant the BBFC powers to require compliance reports and penalise non-compliant providers.

As presently constituted, the BBFC certification scheme will be a disaster. Our analysis report, attached, shows that rather than setting out objective privacy safeguards to which companies must adhere, the scheme allows companies to set their own rules and then demonstrate that these are being followed. There are no penalties for providers which sign up to the standard and then fail to meet its requirements.

The broadly-drafted, voluntary scheme encourages a race to the bottom on privacy protection. It provides no consistent guarantees for consumers about how their personal data will be safeguarded and puts millions of British citizens at serious risk of fraud, blackmail or devastating sexual exposure.

The BBFC standard was only published in April. Some age verification providers have admitted that they are not ready. Others have stated that for commercial reasons they will not engage with the scheme. This means that the bureaucratic delay to age verification’s roll-out can now be turned to advantage. The Government needs to use this delay to introduce legislation, or at the least issue guidance under section 27 of the Digital Economy Act 2017, that will ensure the privacy and security of online users is protected.

We welcome the opportunity to bring this issue to your attention and await your response.

Yours sincerely,

Jim Killock Executive Director Open Rights Group

10th July 2019. See article from ispa.org.uk and article from techdirt.com

The villains of ISPA have withdrawn their nomination of the heroic Mozilla as an internet villain. ISPA writes:

Last week ISPA included Mozilla in our list of Internet Villain nominees for our upcoming annual awards.

In the 21 years the event has been running it is probably fair to say that no other nomination has generated such strong opinion. We have previously given the award to the Home Secretary for pushing surveillance legislation, leaders of regimes limiting freedom of speech and ambulance-chasing copyright lawyers. The villain category is intended to draw attention to an important issue in a light-hearted manner, but this year has clearly sent the wrong message, one that doesn’t reflect ISPA’s genuine desire to engage in a constructive dialogue. ISPA is therefore withdrawing the Mozilla nomination and Internet Villain category this year.

TechDirt noted that the ISPA nomination was kindly advertising Mozilla’s Firefox option for DNS over HTTPS:

ISPA nominated Mozilla for the organization’s meaningless internet villain awards for, at least according to ISPA, undermining internet safety standards in the UK:

Of course Mozilla is doing nothing of the sort. DNS over HTTPS not only creates a more secure internet that’s harder to filter and spy on, it actually improves overall DNS performance, making everything a bit faster. Just because this doesn’t coalesce with the UK’s routinely idiotic and clumsy efforts to censor the internet, that doesn’t somehow magically make it a bad idea.

Of course, many were quick to note that ISPA’s silly little PR stunt had the opposite effect than intended. It not only advertised that Mozilla was doing a good thing, it advertised DNS over HTTPS to folks who hadn’t heard of it previously. Matthew Prince (@eastdakota) tweeted:

Given the number of people who’ve enabled DNS-over-HTTPS in the last 48 hours, it’s clear @ISPAUK doesn’t understand or appreciate @mmasnick’s so-called “Streisand Effect.”

The AV industry is not yet ready

The Digital Policy Alliance (DPA) is a private lobby group connecting digital industries with Parliament. Its industry members include both Age Verification (AV) providers, eg OCL, and adult entertainment, eg Portland TV.

Just before the Government announcement that the commencement of adult verification requirements for porn websites would be delayed, the DPA wrote a letter explaining that the industry was not yet ready to implement AV, and had asked for a 3 month delay.

The letter is unpublished but fragments of it have been reported in news reports about AV.

The Telegraph reported:

The Digital Policy Alliance called for the scheme to be delayed or risk nefarious companies using this opportunity to harvest and manipulate user data.

The strongly-worded document complains that the timing is very tight, a fact that has put some AVPs [age verification providers] and adult entertainment providers in a very difficult situation.

It warns that unless the scheme is delayed there will be less protection for public data, as it appears that there is an intention for uncertified providers to use this opportunity to harvest and manipulate user data.

The AV industry is unimpressed by a 6 month delay

See article from news.sky.com

Rowland Manthorpe from Sky News contributed a few interesting snippets too. He noted that the AVPs were unsurprisingly not pleased by the government delay:

Serge Acker, chief executive of OCL, which provides privacy-protecting porn passes for purchase at newsagents, told Sky News: As a business, we have been gearing up to get our solution ready for July 15th and we, alongside many other businesses, could potentially now be being endangered if the government continues with its attitude towards these delays.

Not only does it make the government look foolish, but it’s starting to make companies like ours look it too, as we all wait expectantly for plans that are only being kicked further down the road.

There are still issues with how the AV providers can make money

And interestingly Manthorpe revealed in the accompanying video news report that the AV providers were also distinctly unimpressed by the BBFC stipulating that certified AV providers must not use identity data provided by porn users for any purpose other than verifying age. The sensible idea is that the data should not be made available for the likes of targeted advertising. And one particular example of prohibited data re-use has caused particular problems, namely that ID data should not be used to sign people up for digital wallets.

Now AV providers have got to be able to generate their revenue somehow. Some have proposed selling AV cards in newsagents for about £10, but others had been planning on using AV to generate a customer base for their digital wallet schemes.

So it seems that there are still quite a few fundamental issues that have not yet been resolved in how the AV providers get their cut.

Some AV providers would rather not sign up to BBFC accreditation

See article from adultwebmasters.org

Maybe these issues with BBFC AV accreditation requirements are behind a move to use an alternative standard. An AV provider called VeriMe has announced that it is the first AV company to receive a PAS1296 certification.

The PAS1296 was developed between the British Standards Institution and the Age Check Certification Scheme (ACCS). It stands for Public Accessible Specification and is designed to define good practice standards for a product, service or process. The standard was also championed by the Digital Policy Alliance.

Rudd Apsey, the director of VeriMe said:

The PAS1296 certification augments the voluntary standards outlined by the BBFC, which don’t address how third-party websites handle consumer data, Apsey added. We believe it fills those gaps and is confirmation that VeriMe is indeed leading the world in the development and implementation of age verification technology and setting best practice standards for the industry.

We are incredibly proud to be the first company to receive the standard and want consumers and service providers to know that come the July 15 roll out date, they can trust VeriMe’s systems to provide the most robust solution for age verification.

This is not a very convincing argument as PAS1296 is not available for customers to read (unless they pay about 120 quid for the privilege). At least the BBFC standard can be read by anyone for free, and they can then make up their own minds as to whether their porn browsing history and ID data is safe.

However it does seem that some companies at least are planning to give the BBFC accreditation scheme a miss.

The BBFC standard fails to provide safety for porn users’ data anyway.

See article from medium.com

The AV company 18+ takes issue with the BBFC accreditation standard, noting that it allows AV providers to dangerously log people’s porn browsing history:

Here’s the problem with the design of most age verification systems: when a UK user visits an adult website, most solutions will present the user with an inline frame displaying the age verifier’s website or the user will be redirected to the age verifier’s website. Once on the age verifier’s website, the user will enter his or her credentials. In most cases, the user must create an account with the age verifier, and on subsequent visits to the adult website, the user will enter his account details on the age verifier’s website (i.e., username and password). At this point in the process, the age verifier will validate the user and, if the age verifier has a record the user being at least age 18, will redirect the user back to the adult website. The age verification system will transmit to the adult website whether the user is at least age 18 but will not transmit the identity of the user.

The flaw with this design from a user privacy perspective is obvious: the age verification website will know the websites the user visits. In fact, the age verification provider obtains quite a nice log of the digital habits of each user. To be fair, most age verifiers claim they will delete this data. However, a truly privacy first design would ensure the data never gets generated in the first place because logs can inadvertently be kept, hacked, leaked, or policies might change in the future. We viewed this risk to be unacceptable, so we set about building a better system.

Almost all age verification solutions set to roll out in July 2019 do not provide two-way anonymity for both the age verifier and the adult website, meaning, there remains some log of — or potential to log — which adult websites a UK based user visits.

In fact one AV provider revealed that up until recently the government demanded that AV providers keep a log of people’s porn browsing history and it was a bit of a late concession to practicality that companies were able to opt out if they wanted.

Note that the logging capability is kindly hidden by the BBFC by passing it off as being used for only as long as is necessary for fraud prevention. Of course that is just smoke and mirrors: fraud, presumably meaning that passcodes could be given or sold to others, could happen at any time that an age verification scheme is in use, so the time restriction specified by the BBFC may as well be forever.
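The redirect flow in the quoted passage, modelled as an added example (this is not code from 18+, the BBFC or any AV provider), shows why the verifier ends up with a per-user list of sites, and contrasts it with a pre-issued token that never names a site. TokenVerifier, site_accepts, the account names and the .example hostnames are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from urllib.parse import parse_qs, urlencode, urlparse


class RedirectVerifier:
    """Flow from the quoted passage: the site sends the browser to the verifier
    with a return URL, the user logs in, and the verifier redirects back."""

    def __init__(self, accounts):
        self.accounts = accounts          # username -> True if recorded as 18+
        self.seen = defaultdict(list)     # username -> hostnames observed

    def handle(self, redirect_url, username):
        return_to = parse_qs(urlparse(redirect_url).query)["return_to"][0]
        # The verifier must read this value to complete the redirect, so the
        # user-to-site link exists in memory even if it is never written to disk.
        self.seen[username].append(urlparse(return_to).hostname)
        verdict = "1" if self.accounts.get(username) else "0"
        return return_to + "?" + urlencode({"over18": verdict})


class TokenVerifier:
    """Hypothetical alternative: the user fetches an age token directly from the
    verifier and later presents it to sites, which check it without a callback."""

    def __init__(self, accounts, key):
        self.accounts, self.key = accounts, key
        self.seen = defaultdict(list)     # stays empty: no site is ever named

    def issue(self, username):
        if not self.accounts.get(username):
            return None
        nonce = secrets.token_hex(16)     # random value, carries no identity
        tag = hmac.new(self.key, nonce.encode(), hashlib.sha256).hexdigest()
        # Limitation: the verifier knows who received this nonce, so a site that
        # shared its records could re-link user and site. This is therefore not
        # the "two-way anonymity" the passage refers to.
        return nonce + "." + tag


def site_accepts(token, key):
    """Run by the adult site. A shared HMAC key keeps the sketch stdlib-only
    (assumption); a deployment would verify a public-key signature instead."""
    if not token or "." not in token:
        return False
    nonce, tag = token.split(".", 1)
    expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def demo():
    accounts = {"alice": True, "bob": False}        # constructed sample accounts
    sites = ["site-a.example", "site-b.example"]    # constructed hostnames

    rv = RedirectVerifier(accounts)
    for host in sites:
        query = urlencode({"return_to": f"https://{host}/enter"})
        rv.handle("https://verifier.example/check?" + query, "alice")

    key = secrets.token_bytes(32)
    tv = TokenVerifier(accounts, key)
    token = tv.issue("alice")
    admitted = [site_accepts(token, key) for _ in sites]
    return dict(rv.seen), dict(tv.seen), admitted, tv.issue("bob")


if __name__ == "__main__":
    redirect_log, token_log, admitted, bob_token = demo()
    print("redirect design, verifier's view:", redirect_log)
    print("token design, verifier's view:   ", token_log)
    print("sites admitted token holder:     ", admitted, "| under-18 token:", bob_token)
```
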

Jeremy Wright, the Secretary of State for Digital, Culture, Media and Sport, addressed parliament to explain that the start date for the Age Verification scheme for porn has been delayed by about 6 months. The reason is that the Government failed to inform the EU about laws that affect free trade (eg those that allow EU websites to be blocked in the UK). Although the main Digital Economy Act was submitted to the EU, extra bolt-on laws added since have not been submitted. Wright explained:

In autumn last year, we laid three instruments before the House for approval. One of them—the guidance on age verification arrangements—sets out standards that companies need to comply with. That should have been notified to the European Commission, in line with the technical standards and regulations directive, and it was not. Upon learning of that administrative oversight, I instructed my Department to notify this guidance to the EU and re-lay the guidance in Parliament as soon as possible. However, I expect that that will result in a delay in the region of six months.

Perhaps it would help if I explained why I think that six months is roughly the appropriate time. Let me set out what has to happen now: we need to go back to the European Commission, and the rules under the relevant directive say that there must be a three-month standstill period after we have properly notified the regulations to the Commission. If it wishes to look into this in more detail—I hope that it will not—there could be a further month of standstill before we can take matters further, so that is four months. We will then need to re-lay the regulations before the House. As she knows, under the negative procedure, which is what these will be subject to, there is a period during which they can be prayed against, which accounts for roughly another 40 days. If we add all that together, we come to roughly six months.

Wright apologised profusely to supporters of the scheme:

I recognise that many Members of the House and many people beyond it have campaigned passionately for age verification to come into force as soon as possible to ensure that children are protected from pornographic material they should not see. I apologise to them all for the fact that a mistake has been made that means these measures will not be brought into force as soon as they and I would like.

However the law has not been received well by porn users. Parliament has generally shown no interest in the privacy and safety of porn users. In fact much of the delay has been down to belatedly realising that the scheme might not get off the ground at all unless they at least pay a little lip service to the safety of porn users.

Even now Wright decided to dismiss people’s privacy fears and concerns as if they were all just deplorables bent on opposing child safety. He said:

However, there are also those who do not want these measures to be brought in at all, so let me make it clear that my statement is an apology for delay, not a change of policy or a lessening of this Government’s determination to bring these changes about. Age verification for online pornography needs to happen. I believe that it is the clear will of the House and those we represent that it should happen, and that it is in the clear interests of our children that it must.

Wright compounded his point by simply not acknowledging that, given a choice, people would prefer not to hand over their ID. Voluntarily complying websites would have to take a major hit from customers who would prefer to seek out the safety of non-complying sites. Wright said:

I see no reason why, in most cases, they [websites] cannot begin to comply voluntarily. They had expected to be compelled to do this from 15 July, so they should be in a position to comply. There seems to be no reason why they should not.

In passing Wright also mentioned how the government is trying to counter encrypted DNS, which reduces the capabilities of ISPs to block websites. The Government will instead try and press the browser companies into doing their censorship dirty work for them:

It is important to understand changes in technology and the additional challenges they throw up, and she is right to say that the so-called D over H changes will present additional challenges. We are working through those now and speaking to the browsers, which is where we must focus our attention. As the hon. Lady rightly says, the use of these protocols will make it more difficult, if not impossible, for ISPs to do what we ask, but it is possible for browsers to do that. We are therefore talking to browsers about how that might practically be done, and the Minister and I will continue those conversations to ensure that these provisions can continue to be effective.

Elizabeth Denham, Information Commissioner
Information Commissioner’s Office

Dear Commissioner Denham,

Re: The Draft Age Appropriate Design Code for Online Services

We write to you as civil society organisations who work to promote human rights, both offline and online. As such, we are taking a keen interest in the ICO’s Age Appropriate Design Code. We are also engaging with the Government in its White Paper on Online Harms, and note the connection between these initiatives.

Whilst we recognise and support the ICO’s aims of protecting and upholding children’s rights online, we have severe concerns that as currently drafted the Code will not achieve these objectives. There is a real risk that implementation of the Code will result in widespread age verification across websites, apps and other online services, which will lead to increased data profiling of both children and adults, and restrictions on their freedom of expression and access to information.

The ICO contends that age verification is not a silver bullet for compliance with the Code, but it is difficult to conceive how online service providers could realistically fulfil the requirement to be age-appropriate without implementing some form of onboarding age verification process. The practical impact of the Code as it stands is that either all users will have to access online services via a sorting age-gate or adult users will have to access the lowest common denominator version of services with an option to age-gate up. This creates a de facto compulsory requirement for age-verification, which in turn puts in place a de facto restriction for both children and adults on access to online content.

Requiring all adults to verify they are over 18 in order to access everyday online services is a disproportionate response to the aim of protecting children online and violates fundamental rights. It carries significant risks of tracking, data breach and fraud. It creates digital exclusion for individuals unable to meet requirements to show formal identification documents. Where age-gating also applies to under-18s, this violation and exclusion is magnified. It will put an onerous burden on small-to-medium enterprises, which will ultimately entrench the market dominance of large tech companies and lessen choice and agency for both children and adults — this outcome would be the antithesis of encouraging diversity and innovation.

In its response to the June 2018 Call for Views on the Code, the ICO recognised that there are complexities surrounding age verification, yet the draft Code text fails to engage with any of these. It would be a poor outcome for fundamental rights and a poor message to children about the intrinsic value of these for all if children’s safeguarding was to come at the expense of free expression and equal privacy protection for adults, including adults in vulnerable positions for whom such protections have particular importance.

Mass age-gating will not solve the issues the ICO wishes to address with the Code and will instead create further problems. We urge you to drop this dangerous idea.

Yours sincerely,

Open Rights Group
Index on Censorship
Article19
Big Brother Watch
Global Partners Digital

Age verification for porn is pushing internet users into areas of the internet that provide more privacy, security and resistance to censorship. I’d have thought that security services would prefer internet users to remain in the more open areas of the internet for easier snooping.

So I wonder if protecting kids from stumbling across porn is worth the increased difficulty in monitoring terrorists and the like? Or perhaps GCHQ can already see through the encrypted internet.

RQ12: Privacy & Security for Firefox

Mozilla has an interest in potentially integrating more of Tor into Firefox, for the purposes of providing a Super Private Browsing (SPB) mode for our users.

Tor offers privacy and anonymity on the Web, features which are sorely needed in the modern era of mass surveillance, tracking and fingerprinting. However, enabling a large number of additional users to make use of the Tor network requires solving for inefficiencies currently present in Tor so as to make the protocol optimal to deploy at scale. Academic research is just getting started with regards to investigating alternative protocol architectures and route selection protocols, such as Tor-over-QUIC, employing DTLS, and Walking Onions.

What alternative protocol architectures and route selection protocols would offer acceptable gains in Tor performance? And would they preserve Tor properties? Is it truly possible to deploy Tor at scale? And what would the full integration of Tor and Firefox look like?