UK age assurance guidance for porn sites gives thumbs up to AI age checks, digital ID wallets and more


The U.K.’s Internet regulator has set out draft guidance for how porn sites will need to meet a newly introduced hard legal requirement to prevent children accessing adult content. So, yep, those years-in-the-making British age checks for porn sites are finally on the way. The watchdog intends this kind of bared flesh to be safety tucked away behind the child-safe age gates it wants to see greeting U.K. users on the landing pages of adult websites in the future.

Today’s guidance from Ofcom, the regulator tasked with enforcing the country’s new Internet rulebook, puts some meat on the bones of what it will mean in practice when the British system for age-gating porn is up and running in the coming years. But it has wider significance for U.K. web users as the law in question puts similar requirements on social media platforms to conduct age checks to safeguard minors — so these requirements are likely to prefigure guidelines for user-to-user services Ofcom is expecting to put out early next year.

The government has said it wants the U.K. to be the safest place to go online in the world — and age assurance tech (aka age verification, age estimation or a combination of both) are what it’s betting the policy pledge on.

Ofcom’s draft guidance to porn sites suggests age checks could take the form of asking punters to sign into Open Banking to prove they’re not a minor; upload a copy of their passport and have a live selfie taken to check the photos match; or submit their naked visage to webcam assessment in order that an AI can make a calculation of whether they look legit old enough to view adult material, according to Ofcom.

Other age assurance technologies the regulator is giving a preliminary thumbs up to include credit card checks — meaning an adult intending to view porn could verify they’re over 18 by handing their card details to the site so a payment processor can send a request to check the card is valid to the issuing bank, with approval by the bank being deemed evidence of age (albeit kids have been known to nick off with their parents’ credit cards so this method might have a pretty major loophole).

Asked about circumvention risks, such as the credit card example cited above, an Ofcom spokesman told us these differ across the different age assurance methods it’s putting in contention, adding: “We welcome suggestions of practical steps that service providers can take to mitigate these risks.

“There may be a concern, for example, that certain forms of age assurance could be particularly vulnerable to misuse if it is easy for a child to obtain access by using an adult’s personal details or forms of identification or otherwise impersonating them. We are therefore seeking input on the evidence available on the circumvention risks for different age assurance methods, and what practical steps may be appropriate to manage these risks.”

There is a prospect of layered forms of age assurance potentially being unfurled on users, say for example depending on how baby-faced vs careworn the porn punter looks that day, as Ofcom’s draft guidance includes the suggestion of a “challenge age” being set. (“This could mean where the technology estimates the users’ age to be under 25, for example, that user would undergo a second age-check via an alternative method,” it notes on that.)

Elsewhere on the list, Ofcom is also giving a seal of approval to the use of digital identity wallets that can securely store a user’s age — which could then be shared with a porn site to verify the user is not a minor.

Draft data reform legislation includes a framework for the use of “trusted and secure digital verification services” which the government has said it wants to allow people to quickly and easily prove their identity online using “certified digital identities” —  which ministers likely intend to dovetail with age assurance requirements in the Online Safety Act.

Additionally it’s suggesting all U.K. mobile providers could automatically apply a default content restriction that prevents children from accessing age-restricted websites. “Users can remove this restriction by proving to their mobile provider that they are an adult, and this confirmation is then shared with the online pornography service,” it suggests, advocating content filtering by default on mobile devices — a suggestion that’s sure to be controversial.

Ofcom notes its initial list of effective age assurance is “non-exhaustive”, meaning more methods could be added in the future — while listed methods are also only those it currently considers “could be highly effective”, as it puts it.

On the flip side, “weak” measures — such as porn sites asking users to self declare their age; or agree to some general terms/read a disclaimer — will not suffice to comply with the new legal duties to conduct robust age checks, per Ofcom. Online payment methods that lack verification the user is older than 18 are also out.

Under the U.K.’s Online Safety Act, which was passed by parliament in September and received royal assent, becoming law, in October, providers of pornographic content with a “significant” number of U.K. users, or who are targeting users in the U.K., must comply with a legal duty to ensure minors do not encounter adult material by carrying out what the law couches as “highly effective” age checks. The age checks requirement is explicitly attached to porn sites that distribute visual porn (so text-based erotica gets a pass, including as many rude emojis as you please).

While this specific bit of guidance from Ofcom is not addressed at social media websites (or other types of “user-to-user” services) it’s important to note that non-porn sites will also be required to apply “highly effective” age assurance to prevent children accessing pornographic content under the law — at least if they allow such content on their service. There has therefore been widespread concern the U.K. law could push age verification onto much of the web given the threat of major fines for services that fail to protect kids from the risk of seeing porn (or else weed out user generated porn).

Under the Online Safety Act Ofcom is empowered to fine companies in breach of the regime up to 10% of their global annual turnover so this is not the kind of regulatory risk the average business can just ignore.

“To prevent minors from accessing ‘harmful’ content, sites will have to verify the age of visitors, either by asking for government-issued documents or using biometric data, such as face scans, to estimate their age,” warned the EFF in September. “This will result in an enormous shift in the availability of information online, and pose a serious threat to the privacy of UK internet users. It will make it much more difficult for all users to access content privately and anonymously, and it will make many of the most popular websites and platforms liable if they do not block, or heavily filter, content for anyone who does not verify their age.”

Commenting on the draft guidance for porn sides in a statement, Dame Melanie Dawes, Ofcom’s chief executive, essentially makes the same point — writing: “Regardless of their approach, we expect all services to offer robust protection to children from stumbling across pornography.” (And for “robust protection” read “highly effective age assurance”.)

Ofcom’s spokesman confirmed that while user-generated content is outside the scope of the “Part 5 duties” it’s providing draft guidance for today (which the law states apply to providers of “certain pornographic content”), social media sites will face the same requirement of applying robust age checks to prevent kids from accessing adult content. “That will be subject to the child protection duties in Part 3 of the Act, on which we expect to consult in Spring 2024,” he told us. “Under the Part 3 duties, user-to-user services will have to use highly effective age assurance to prevent children accessing pornographic content if they allow it on their service.”

The upshot? What Ofcom is suggesting porn sites do to comply with child protection duties probably won’t look a million miles away from the guidance it will, soon enough, be coming with for social media and user-to-user services. So the likes of TikTok, Instagram, Snap and X should take note of the age assurance techs it’s rating as robust (vs those it’s not — especially given the enduring popularity of self declared age checks for some social services popular with kids).

While U.K. lawmakers are busy patting themselves on the back about giving birth to an age-gated “safer” Internet, web users might be rather less pleased about the prospect of their free and anonymous access to online information being drastically throttled just because kids somewhere might see something they shouldn’t.

There is also the not so tiny issue of privacy (and data security). Are porn site punters going to be happy about whipping out an ID before they get any sniff of adult content? Or will the law lead to a massive uptick in use of VPNs so Brits can keep accessing porn anonymously? (At least unless/until policymakers crack down on those tools too?)

On privacy, Ofcom’s draft guidance to porn sites includes a reminder that all age assurance methods are subject to the U.K.’s privacy laws, such as the Data Protection Act 2018. “These are overseen and enforced by the Information Commissioner’s Office (ICO), which has assisted us in developing our guidance,” it writes in a press release, adding: “Under the Online Safety Act, online pornography services are required to keep written records explaining how they protect users from a breach of these laws. Our guidance offers practical ways of how they might go about this — including, for example, by conducting a data protection impact assessment (DPIA), and providing users with privacy information such as how their personal data will be processed, how long it will be retained, and if it will be shared with anyone else.”

Thing is, the U.K. government is in the process of diluting domestic protections for people’s data — via a post-Brexit reform bill introduced earlier this year. The draft legislation’s push to deregulate domestic privacy rules includes an explicit de-emphasizing of DPIAs, which ministers have suggested should be limited to processing activities that are likely to pose high risks to individual’s rights and freedoms.

Does that mean age checks by porn sites? Ofcom seems to think so — but Ofcom is not in charge of privacy oversight. It will be up to the ICO to set the line there. And to police any breaches of the rules. (The same ICO whose political independence the government’s data protection reform risks undermining, legal experts also warn.)

U.K. users of porn sites are thus faced with the prospect of having to trust their personal data to, er, porn sites — and/or the third party age assurance companies those sites engage — and trust these entities to keep safe any personal data linked to verifying they are old enough to look at adult material. (To call such data a hackers’ honeypot probably undersells the appeal; let’s say this stuff looks more like hackers’ Angel Delight.)

If porn sites and/or their third party age assurance providers fail to keep punters’ info safe the ICO is technically empowered to issues fines of up to 4% of global annual turnover for breaches of data protection law. But the regulator has never issued a fine anywhere near that level. (Perhaps the closest it came was a proposed $123 million fine for a Marriott hotels security breach back in July 2029 which was reported to be around 3% of its annual revenue at the time — however the ICO later hacked the size of the final fine down to just $23.8 million.) And it’s fair to say the ICO has since dialled up its reputation for managing down expectations on penalties (or even action) for plenty of privacy breaches. (Indeed, if the watchdog had done a better job policing social media platforms’ rampant tracking and profiling of users by enforcing existing U.K. privacy laws on them we might not have even have this sprawling new Internet regulation on the statue books)

So porn punters hoping that the existence of a soon-to-be-even-less-toothy U.K. privacy regulator will, in and of itself, prove deterrent enough to keep their kinks under wraps may be in for a rude awakening.

Ofcom’s guidance also pays lip service to the need for porn sites’ use of age assurance tech to ensure adults are “not unduly prevented from accessing legal content”, as its press release carefully puts it, before adding: “Our draft guidance also sets out important principles that age assurance should be easy to use and work for all users, regardless of their characteristics or whether they are members of a certain group.”

But, frankly, it’s clear that accessing porn in Britain is going to become a ball-ache for all except those in the age assurance business — for whom this sweeping regulatory intervention represents an unprecedented profit-making opportunity-cum-payday. (And let’s not forget the latter category includes porn companies themselves.)

So how far out is the Great British porn wrapping age-gate happening, if we can put it like that? 2025 looks to be the earliest for all the pieces to be in place for the child safeguarding system to be up and running on porn companies that submit themselves to being regulated under the Online Safety Act, as Ofcom says it expects to publish its final guidance on this area in “early 2025”, after working with porn companies to finalize the advice. After which the government will need to bring the duties into force (which would depend on parliamentary time and priorities for what could then be a Labour-led government as it will be after the next General Election).

One more potential knock-on impact of this particular bit of the tome-sized Online Safety Act: Foreign porn websites far outside the jurisdiction of U.K. authorities might find themselves inundated with British punters seeking to circumvent age gate frustrations. (Albeit, that might just get such sites added to an Ofcom block list if they get too popular since the regulator has the power to geoblock services that threaten the safety of U.K. web users.)



Source link