Unshakeable Salt

On the 11th January 2019, the ‘Porn Law’ was passed and we took another step closer to the dystopian future of 1984. Parliament has only just returned and whilst they should be sorting out the mess that is Brexit, instead they’re chucking out ill-conceived laws. The Porn Law came down to this: if you want to look at websites from the UK where more than 1/3 of the content is adult content, you have to supply a credit card to prove that you’re over 18.

Whilst in concept Mary Whitehouse would rejoice from her grave, this had some far more sinister connotations and will have more collateral damage than just stopping a 17-year-old from seeing some boobies.  

This article was first published in January 2019. The text above was updated in November 2019, changing the tense. Now deemed unenforceable, you’re free to look at boobies again without providing your credit card details.

Porn Law (Digital Economy Act 2017)

First of all, we need to understand what the ‘Adult’ content is. Different countries have different morality standards. For our American cousins, even different states have different laws about sexual activity. What is deemed acceptable in one geographic region is highly illegal when viewed after traversing a drawn line upon a map. For the UK Film industry, the morality code has historically been governed by the British Board of Film Classification (BBFC). 

The BBFC has set up a website for its age verification role. If websites don’t have age verification systems in place, the BBFC can take enforcement action against them. The body says it will start checking websites for age checking processes when the law comes into force, and will check the biggest websites first – based on the number of visitors they receive – and then work towards smaller websites.

The purpose of this law is to ‘restrict to an age’, but to do that we need to identify the user. Only when the user is fully identified are we going to allow them to see people in certain states of undress. Unlike Estonia, the UK doesn’t have a unified digital citizen identity scheme. Instead we throw together ad hoc government identity and access management systems all over the place.

Identity and Access Management

Identity and Access Management (abbreviated to IdAM or IAM) is the combination of technical systems, policies and processes that create, define, and govern the use and safeguarding of identity information. It is used to manage the relationship between an entity and the resources to which access is needed. It can be divided into three fundamental capabilities: Manage Digital Identities, Authenticate Users, and Authorise Access to Resources.

The UK public sector has got better at IdAM, thanks to the work of Government Digital Systems (GDS). There used to be thousands in use, but this is now down to hundreds.  In fact, the NHS has just rolled out their new consolidated NHS Identity solution, helping to reduce numbers further. 

The problem comes when you tie a digital identity to an actual person. How do you bind that link between the physical and the virtual?  What non-repudiation exists to prove that each use of the virtual is always the physical identity performing an action? 

This is hard, and probably why this law is taking a ‘half-assed’ approach. “Got a credit card number – yep, you must be 18!” It also applies to digital only: there is no insistence that a person going into a sex shop has to pay by card. It’s okay to assume the customer is 18 and they can pay by cash. It’s as if there were another motive for having this law.

Misuse Cases

Now that all the porn sites are collecting credit card numbers, let’s talk about the misuse cases. In order to watch porn, if you are in the UK you’re going to have to log into the website with an account. That account will be tied to your credit card and hold your age verification, as well as your name and the first part of your postcode. Goodbye, privacy.

You now have a porn website collecting the viewing habits (i.e. sexual persuasion, deviancies, et al.) of an individual. Now, I have no doubt there are many reputable porn sites out there, but sorry guys, you just aren’t as rigorous as banks. How many smut providers are going to be fully ISO 27001 certified and PCI DSS compliant to hold all that card data?
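The risk described above comes from the content site itself holding the card details and the name alongside the viewing history. The same age check can be done without the site ever seeing any of that: a separate verifier does the card check once and hands the user a short-lived, signed claim that says nothing beyond “over 18”, and the site only checks the signature and expiry. The following is an added example written for this post, not code from the post or from any named provider; it assumes a hypothetical verifier and a hypothetical content site sharing an HMAC key (a real deployment would use an asymmetric signature so the site cannot mint its own claims), and the key and timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumed split of roles (not from the post):
#   - the verifier holds the card/identity check and the signing key
#   - the content site only ever receives the token below, which carries
#     no card number, name or postcode, just an over-18 flag, an expiry
#     and a random token id.


def issue_age_token(key: bytes, over_18: bool, now: int, ttl_seconds: int = 3600) -> str:
    """Verifier side: sign a minimal claim. `now` is a Unix timestamp."""
    claim = {"over18": over_18, "exp": now + ttl_seconds, "jti": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(
        json.dumps(claim, separators=(",", ":")).encode()
    ).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def token_fields(token: str) -> set:
    """What a content site (or a breach of it) can learn from the token."""
    body = token.split(".", 1)[0]
    return set(json.loads(base64.urlsafe_b64decode(body)).keys())


def verify_age_token(key: bytes, token: str, now: int) -> bool:
    """Content-site side: accept only an untampered, unexpired over-18 claim."""
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so the tag cannot be guessed byte by byte
    if not hmac.compare_digest(expected, tag):
        return False
    try:
        claim = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return False
    return bool(claim.get("over18")) and int(claim.get("exp", 0)) > now


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)  # constructed key for the demo
    token = issue_age_token(shared_key, True, now=1_700_000_000)
    print("fields visible to the site:", sorted(token_fields(token)))
    print("accepted:", verify_age_token(shared_key, token, now=1_700_000_100))
    print("accepted after expiry:", verify_age_token(shared_key, token, now=1_700_010_000))
```

The point of `token_fields` is the breach scenario the post goes on to describe: if the content site is compromised, the attacker gets a viewing history tied to random token ids, not to a card number and a name.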

Remember the Ashley Madison breach? The first time one of these sites gets ‘taken’, it won’t be just names and email addresses, it will be real blackmail material. Extortionware phishing emails are currently limited to ‘I turned your webcam on and saw you XXXXXX to some porn’. The next wave will be customised to your exact viewing habits. If you doubted whether that extortion email was real before, you might now be tempted to pay up.

[Image: typical extortionware email, I get dozens a day.]

Now, I swear the GDPR was supposed to protect us from this sort of profiling and misuse, but let’s continue.

Control

You can only control what you monitor, or “if you can see it, you can influence it”. Mainstream porn (what this affects) is visible and therefore can be controlled. This is trying to stop it becoming visible to under-18s, but in doing so it will drive porn underground.

I used to work in the abuse department for a major ISP (Netcom, if your memory goes back that far). Some of the ‘stuff’ I had to investigate was downright ‘bad’. It was hidden, away from search engines and shared amongst people who are hopefully now serving at Her Majesty’s Pleasure. This sort of activity occurred back then, and it will continue to operate even with this law. If we drive more access into porn through this model, then there will be more money in this darker, seedier side of the internet. It becomes more profitable for the sickos. It puts more money into the generation of that content, as well as funding the criminal industries attached to it. If nothing else, this is the part of the law I just think has been ignored.

How to get around it

The law is pointless and will take minimal effort to bypass. The majority of people will just use a VPN or the Tor network to make their internet connection appear to be outside the UK. This happens a lot already, as people use these techniques to view content such as iPlayer or Netflix in other countries. If you don’t know how to do this, go ask a 15 or 16-year-old to set it up for you.

The porn companies will work around it too. Remember, it’s only sites with 1/3 or more porn content that have to implement this draconian rule. Well, there is a lot of porn on the internet, but there is also a hell of a lot of fluffy kitten and dog videos too. All porn providers have to do is store 2/3 non-porn content (including content like a one-hour video of black screen and silence) and guess what, they’re out of scope.

So, in conclusion, who would have thought that the UK government are trying to implement something that is:

  • ill-conceived
  • misguided
  • negotiated to level of being pointless
  • against the will and instruction of the people

It’s almost as if there were a pre-defined model of how to implement the porn law. Brexit, anyone?

Director of Unshakeable Salt, an information security specialist who first started contracting in 1997.