Posts Tagged ‘BBFC’

Read more uk_internet_censors.htm at MelonFarmers.co.uk

Executive Summary

The BBFC’s Age-verification Certificate Standard (“the Standard”) for providers of age verification services, published in April 2019, fails to meet adequate standards of cyber security and data protection and is of little use for consumers reliant on these providers to access adult content online.

This document analyses the Standard and certification scheme and makes recommendations for improvement and remediation. It sub-divides generally into two types of concern: operational issues (the need for a statutory basis, problems caused by the short implementation time and the lack of value the scheme provides to consumers), and substantive issues (seven problems with the content as presently drafted).

The fact that the scheme is voluntary leaves the BBFC powerless to fine or otherwise discipline providers that fail to protect people’s data, and makes it tricky for consumers to distinguish between trustworthy and untrustworthy providers. In our view, the government must legislate without delay to place a statutory requirement on the BBFC to implement a mandatory certification scheme and to grant the BBFC powers to require reports and penalise non-compliant providers.

The Standard’s existence shows that the BBFC considers robust protection of age verification data to be of critical importance. However, in both substance and operation the Standard fails to deliver this protection. The scheme allows commercial age verification providers to write their own privacy and security frameworks, reducing the BBFC’s role to checking whether commercial entities follow their own rules rather than requiring them to work to a mandated set of common standards. The result is uncertainty for Internet users, who are inconsistently protected and have no way to tell which companies they can trust.

Even within its voluntary approach, the BBFC gives providers little guidance as to what their privacy and security frameworks should contain. Guidance on security, encryption, pseudonymisation, and data retention is vague and imprecise, and often refers to generic “industry standards” without explanation. The supplementary Programme Guide, to which the Standard refers readers, remains unpublished, critically undermining the scheme’s transparency and accountability.

Recommendations

Grant the BBFC statutory powers:

  • The BBFC Standard should be substantively revised to set out comprehensive and concrete standards for handling highly sensitive age verification data.

  • The government should legislate to grant the BBFC statutory power to mandate compliance.

  • The government should enable the BBFC to require remedial action or apply financial penalties for non-compliance.

  • The BBFC should be given statutory powers to require annual compliance reports from providers and fine those who sign up to the certification scheme but later violate its requirements.

  • The Information Commissioner should oversee the BBFC’s age verification certification scheme.

Delay implementation and enforcement:

Delay implementation and enforcement of age verification until both (a) a statutory standard of data privacy and security is in place, and (b) that standard has been implemented by providers.

Improve the scheme content:

Even if the BBFC certification scheme remains voluntary, the Standard should at least contain a definitive set of precisely delineated objectives that age verification providers must meet in order to say that they process identity data securely.

Improve communication with the public:

Where a provider’s certification is revoked, the BBFC should issue press releases and ensure consumers are individually notified at login.

The results of all penetration tests should be provided to the BBFC, which must publish details of the framework it uses to evaluate test results, and publish annual trends in results.

Strengthen data protection requirements:

Data minimisation should be an enforceable statutory requirement for all registered age verification providers.

The Standard should outline specific and very limited circumstances under which it’s acceptable to retain logs for fraud prevention purposes. It should also specify a hard limit on the length of time logs may be kept.

The Standard should set out a clear, strict and enforceable set of policies to describe exactly how providers should “pseudonymise” or “deidentify” data.

Providers that no longer meet the Standard should be required to provide the BBFC with evidence that they have destroyed all the user data they collected while supposedly compliant.

The BBFC should prepare a standardised data protection risk assessment framework against which all age verification providers will test their systems. Providers should limit bespoke risk assessments to their specific technological implementation.

Strengthen security, testing, and encryption requirements:

Providers should be required to undertake regular internal and external vulnerability scanning and a penetration test at least every six months, followed by a supervised remediation programme to correct any discovered vulnerabilities.

Providers should be required to conduct penetration tests after any significant application or infrastructure change.

Providers should be required to use a comprehensive and specific testing standard. CBEST or GBEST could serve as guides for the BBFC to develop an industry-specific framework.

The BBFC should build on already-established strong security frameworks, such as the Center for Internet Security Cyber Controls and Resources, the NIST Cyber Security Framework, or Cyber Essentials Plus.

At a bare minimum, the Standard should specify a list of cryptographic protocols which are not adequate for certification.


The BBFC reports on the complaints it received in its annual report, and 2018 saw a bumper crop (relative to previous years). The BBFC wrote:

In 2018 we received 364 complaints covering 101 films and 67 complaints covering 24 trailers. The majority of these were from people who had attended the cinema or viewed films at home. However, we also received a number of complaints inspired by news reports, online blogs and organised campaigns.

The top films attracting complaints were:

Red Sparrow

Red Sparrow attracted 64 complaints. All correspondents felt that we should have classified the film at 18 instead of 15 because of elements of violence and sexual violence in the film.

Peter Rabbit

Fifty people contacted us about Peter Rabbit, a film featuring animated rabbits and based on the stories of Beatrix Potter. Four people complained about violence and upsetting scenes but the majority complained about a scene in which the rabbits pelt their adversary, an adult man, with fruit in order to defend themselves from his attack and provoke an allergic reaction. Complainants felt that this was unacceptable at PG because it might be emulated by children.

We received complaints about the allergic reaction before the film was released in the UK in response to press coverage that started in the US. We received no complaints about this scene after the film was released.

A Northern Soul

We classified the film 15 because of around 20 uses of strong language. While the language in the film is not used aggressively or sexually, our research suggests that a significant proportion of parents are concerned about the normalisation of such language in films. The language in A Northern Soul, is used casually in conversations, across a relatively short feature (75 minutes), with no particular justification.

Three people wrote to us complaining about the 15 rating for A Northern Soul feeling a 12A would be more appropriate. We received 45 postcards protesting the 15 rating; however, these had been created and handed out to cinema goers by the filmmakers at screenings and do not provide an accurate representation of broad public opinion.

Kaala

Kaala is a Tamil-language drama which we classified 12A. 43 people emailed us to complain about the film’s release. The complaints were not about the rating of the film itself but seemed to object to the actions of the film makers. They were all worded identically and were clearly part of an organised online campaign.

Show Dogs

A police Rottweiler goes undercover at a dog show. As part of the operation he is required to let the judges inspect his genitals in a manner that is not uncommon in dog shows. The character is reluctant but is encouraged to go to his happy place to get through the experience.

Thirty-one people wrote in to us echoing claims made in blogs that the scene might lower children’s resistance to predators who wish to inappropriately touch them.

However, the scene is comic, innocent and non-sexual in nature and occurs within the fantastical context of a film about anthropomorphised canines.

In a similar vein to Peter Rabbit the complaints regarding Show Dogs predominantly stopped once the film had been released in cinemas.

Love Simon trailer

We received 18 complaints about a PG-rated trailer for the film Love, Simon. The trailer covers teenage relationships and features some implied kissing and references to being in love. All complainants took issue with the discussion of sex and teenage relationships in the trailer but 11 took particular issue with the fact that the character is gay, believing the depiction of gay relationships to be inappropriate at the PG level.

Ready Player One

Ready Player One received ten complaints with correspondents focusing on infrequent strong language at 12A and some moments of horror.

Jurassic World: Fallen Kingdom

Jurassic World: Fallen Kingdom received six complaints, chiefly regarding very young children being brought to the 12A screenings.

Venom

Six people complained about Venom, which is rated 15. Complainants were disappointed they or their children would be unable to see the film.


BBFC releases Annual Report 2018

  • Over the past year, the BBFC has received a 65% rise in content for distribution online.

  • Video on demand (VoD) continues to receive more BBFC age ratings than any other format.

  • Ratings given to Cinema have risen 62% since 2008.

  • Once again, 15 was the most common classification given for UK cinema goers.

The BBFC has released its Annual Report for 2018, a year that showed another significant increase in age ratings given to online content.

Over the last year the BBFC gave 5,751 age ratings to online content. This represents a 65% increase over 2017’s figure.

Although output from Video on Demand (VoD) providers constituted the majority of content classified by the BBFC, theatrical films still featured strongly. Since 2008 age ratings given to cinema releases have risen 62% from 639 in 2017 to 1,036 in 2018.

15 remained the most common age rating, with 392 theatrical films receiving this classification.

David Austin, BBFC Chief Executive, said:

“In a fast evolving media landscape, the BBFC’s core mission continues to be to help families and young people choose films, videos and websites that are right for them. Whenever, wherever, and however they view them. In 2018 we carried out significant research – with more than 10,000 people to help us update our classification standards. This work ensures that our standards continue to stay in line with what people across the UK consider suitable, and we found that 97% of the public believe audiences benefit from having age ratings in place.

“In 2019 we will continue to make a significant contribution to the Government’s objective of making the UK the safest place for children to be online. We look forward to the introduction of Age-verification in July which will improve child protection from exposure to pornography online.”

In addition to providing the latest age rating information on our websites, social media accounts and free app, the BBFC in 2018 continued to provide resources for children, teachers and older learners including a regular podcast, a children’s website ( cbbfc.co.uk ), case studies, classroom resources and posters.

Every film classified by the BBFC comes with detailed ratings info to help people view what’s right for themselves and their family. Ratings info is available on bbfc.co.uk and the BBFC’s free apps for tablet and mobile devices.


Starting with a little background on the authorship of the document under review. AVSecure CMO Steve Winyard told XBIZ:

The accreditation plan appears to have very strict rules and was crafted with significant input from various governmental bodies, including the DCMS (Department for Culture, Media & Sport), NCC Group plc (an expert security and audit firm), GCHQ (U.K. Intelligence and Security Agency), ICO (Information Commissioner’s Office) and of course the BBFC.

But computer security expert Alec Muffett writes:

This is the document which is being proffered to protect the facts & details of _YOUR_ online #Porn viewing. Let’s read it together!

What could possibly go wrong?

….

This document’s approach to data protection is fundamentally flawed.

The (considerably) safer approach – one easier to certificate/validate/police – would be to say everything is forbidden except for upon for ; you would then allow vendors to appeal for exceptions under review.

It makes a few passes at pretending that this is what it’s doing, but with subjective holes (green) that you can drive a truck through:

Data unprotected in the name of fraud detection

What we have here is a rehash of quite a lot of reasonable physical/operational security, business continuity & personnel security management thinking — with digital stuff almost entirely punted.

It’s better than #PAS1296 , but it’s still not fit for purpose.

Read the full thread


The BBFC has published a detailed standard that age verifiers must be tested against to obtain a green AV kite mark, aiming to convince users that their identity data and porn browsing history are safe. I have read through the document and conclude that it is indeed a rigorous standard that I guess will be pretty tough for companies to obtain. I would say it would be almost impossible for a small or even medium size website to achieve the standard, and it more or less means that using an age verification service is mandatory.

The standard has lots of good stuff about physical security of data and vetting of staff access to the data.

Age verifier AVSecure commented:

We received the final documents and terms for the BBFC certification scheme for age verification providers last Friday. This has had significant input from various Government bodies including DCMS (Dept for Culture, Media & Sport), NCC Group plc (expert security and audit firm), GCHQ (UK Intelligence & Security Agency) ICO (Information Commissioner’s Office) and of course the BBFC (the regulator).

The scheme appears to have very strict rules.

It is a multi-disciplined scheme which includes penetration testing, full and detailed audits, operational procedures over and above GDPR and the DPA 2018 (Data Protection Act). There are onerous reporting obligations with inspection rights attached. It is also a very costly scheme when compared to other quality standard schemes, again perhaps designed to deter the faint of heart or shallow of pocket.

Consumers will likely be advised against using any systems or methods where the prominent green AV accreditation kitemark symbol is not displayed.

 

But will the age verifier be logging your ID data and browsing history?

And the answer is very hard to pin down from the document. At first read it suggests that minimal data will be retained, but a more sceptical read, connecting a few paragraphs together, suggests that the verifier will be required to keep extensive records about the user’s porn activity.

Maybe this is a reflection of a recent change of heart. Comments from AVSecure suggested that the BBFC/Government originally mandated a log of user activity but recently decided that keeping a log or not is down to the age verifier.

As an example of the rather evasive requirements:

8.5.9 Physical Location

Personal data relating to the physical location of a user shall not be collected as part of the age-verification process unless required for fraud prevention and detection. Personal data relating to the physical location of a user shall only be retained for as long as required for fraud prevention and detection.

Here it sounds like keeping tabs on location is optional, but another paragraph suggests otherwise:

8.4.14 Fraud Prevention and Detection

Real-time intelligent monitoring and fraud prevention and detection systems shall be used for age-verification checks completed by the age-verification provider.

Now it seems that the fraud prevention is mandatory, and so a location record is mandatory after all.

Also the use of the phrase “only be retained for as long as required for fraud prevention and detection” seems a little misleading too, as in reality fraud prevention will be required for as long as the customer keeps on using the service. This may as well be forever.

There are other statements that sound good at first read, but don’t really offer anything substantial:

8.5.6 Data Minimisation

Only the minimum amount of personal data required to verify a user’s age shall be collected.

But if the minimum is to provide name and address plus, e.g., a driving licence number or a credit card number, then the minimum is actually pretty much all of it. In fact only the porn pass methods offer any scope for ‘truly minimal’ data collection. Perhaps minimal data also applies to the verified mobile phone method, as although the phone company probably knows your identity, maybe it won’t need to pass it on to the age verifier.

 

What does the porn site get to know?

The rare unequivocal and reassuring statement is:

8.5.8 Sharing Results

Age-verification providers shall only share the result of an age-verification check (pass or fail) with the requesting website.

So it seems that identity details won’t be passed to the websites themselves.

However the converse is not so clear:

8.5.6 Data Minimisation

Information about the requesting website that the user has visited shall not be collected against the user’s activity.

Why add the phrase “against the user’s activity”? This is worded such that information about the requesting website could indeed be collected for another reason, fraud detection maybe.

Maybe the scope for an age verifier to maintain a complete log of porn viewing is limited more by the practical requirement for a website to record a successful age verification in a cookie such that the age verifier only gets to see one interaction with each website.

No doubt we shall soon find out whether the government wants a detailed log of porn viewed, as it will be easy to spot if a website queries the age verifier for every film you watch.

Fraud Detection

And what about all this reference to fraud detection? Presumably the BBFC/Government is a little worried that passwords and accounts will be shared by enterprising kids. But on the other hand it may make life tricky for those using shared devices, or perhaps those who suddenly move from London to New York in an instant, when in fact this is totally normal for someone using a VPN on a PC.

Wrap up

The BBFC/Government have moved on a long way from the early days when the lawmakers created the law without any real protection for porn users and the BBFC first proposed that this could be rectified by asking porn companies to voluntarily follow ‘best practice’ in keeping people’s data safe.

A definite improvement now, but I think I will stick to my VPN.


The Interrogator:

Is it safe?

The BBFC (on its Age Verification website)…err…no!…:

An assessment and accreditation under the AVC is not a guarantee that the age-verification provider and its solution (including its third party companies) comply with the relevant legislation and standards, or that all data is safe from malicious or criminal interference.

Accordingly the BBFC shall not be responsible for any losses, damages, liabilities or claims of whatever nature, direct or indirect, suffered by any age-verification provider, pornography services or consumers/ users of age-verification provider’s services or pornography services or any other person as a result of their reliance on the fact that an age-verification provider has been assessed under the scheme and has obtained an Age-verification Certificate or otherwise in connection with the scheme.


The Government has been very secretive about its progress towards the start of internet censorship for porn in the UK. Meanwhile the appointed internet porn censor, the BBFC, has withdrawn into its shell to hide from the flak. It has uttered hardly a helpful word on the subject in the last six months, just at a time when newspapers have been printing uninformed news items based on old guesstimates of when the scheme will start. The last target date was specified months ago when DCMS minister Margot James suggested that it was intended to get the scheme going around Easter of 2019. This date was not achieved, but the newspapers seem to have jumped to the conclusion that the scheme would start on 1st April 2019. The only official response to this false news is that the DCMS will now be announcing the start date shortly.

So what has been going on?

Well it seems that maybe the government realised that asking porn websites and age verification services to demand that porn users identify themselves without any real legal protection on how that data can be used is perhaps not the wisest thing to do. Jim Killock of Open Rights Group explains that the delays are due to serious concerns about privacy and data collection:

When they consulted about the shape of age verification last summer they were surprised to find that nearly everyone who wrote back to them in that consultation said this was a privacy disaster and they need to make sure people’s data doesn’t get leaked out.

Because if it does it could be that people are outed, have their relationships break down, their careers could be damaged, even for looking at legal material.

The delays have been very much to do with the fact that privacy has been considered at the last minute and they’re having to try to find some way to make these services a bit safer. It’s introduced a policy to certify some of the products as better for privacy (than others) but it’s not compulsory and anybody who chooses one of those products might find they (the companies behind the sites) opt out of the privacy scheme at some point in the future.

And there are huge commercial pressures to do this because as we know with Facebook and Google user data is extremely valuable, it tells you lots about what somebody likes or dislikes or might want or not want.

So those commercial pressures will kick in and they’ll try to start to monetise that data and all of that data if it leaked out would be very damaging to people so it should simply never be collected.

So the government has been working on a voluntary kite mark scheme to approve age verifiers that can demonstrate to an auditor that they will keep user data safe. This scheme seems to be in its early stages, as the audit policy was first outlined to age verifiers on 13th March 2019. AvSecure reported on Twitter:

Friday saw several AV companies meet with the BBFC & the accreditation firm, who presented the framework & details of the proposed scheme.

Whilst the scheme itself seems very deep & comprehensive, there were several questions asked that we are all awaiting answers on.

The Register reports that AgeID has already commissioned a data security audit from the information security company NCC Group. Perhaps that company can therefore be rapidly approved by the official auditor, whose identity seems to be being kept secret.

So the implementation schedule must presumably be that the age verifiers get audited over the next couple of months and then after that the government can give websites the official 3 months notice required to give websites time to implement the now accredited age verification schemes.

The commencement date will perhaps be about 5 or 6 months from now.