3aIT Blog

The government has announced that they plan to require "verification" from users to prove that they are 18 every time they try to access adult content online. Websites that don't comply with this check will be blocked at internet service provider level so that no users can access them.

This blog is not about whether this plan is a good thing or not in and of itself. The answer to this is entirely subjective. Instead, we'll take a look at the technical reasons that this is almost certainly a bad idea.

Although it hasn't been stated explicitly, the expectation is that this verification check will take the form of a credit card number, as this is a universally verifiable source that is only available to people that are over 18. There isn't really anything else that falls into this category. Therefore, we'll proceed under the assumption that this will be how the idea is implemented.

This brings us to the first massive issue with this plan. Not only will you have to submit your card number to these sites, but you'll also need to supply your name and address so that the details can be verified with the bank. While the biggest suppliers of this material will probably have the resources to handle this data properly, the smaller companies will not. This means that they will be holding onto databases of people's data alongside, by necessary implication, the potentially embarrassing fact that the person had been accessing the site in question.

This covers the sites that are above board, or at least trying to be. Then we reach the sites that aren't (which isn't hard to imagine in this realm). The potential for scamming here is massive. After years of the IT world trying to condition people to be hugely wary about who they provide their details to, this plan undoes this completely. It reconditions people to expect this check before being allowed access to these sites. As soon as people are used to this process, scammers will exploit this and start creating sites that are just designed to steal these details. People will enter them unquestioningly, as they know to expect to have to enter their card details and address before access is allowed. Not only do these scammers now have this info, there's also the blackmail potential of being able to threaten these scam victims with telling friends and family about what they were trying to access.

So that covers the biggest issues with the plan itself. However, now we come onto the other half of the problem - it won't even work. Bypassing this system will be trivial with a VPN. All one would need is to set up a VPN that terminates in a country outside the UK (there are loads of companies that will provide this service), and it will then appear to these sites that you're not a UK user, so you won't be presented with the verification check.

Possibly the most worrying aspect is the group of people that either don't want to, or don't know how to, set up a VPN, but are still wary enough to refuse to enter their details into these sites. The issue here lies in the blacklists that the ISPs will have to manually maintain. This means when a site is identified as being non-compliant (i.e. freely allowing UK citizens to access the content without a check), the government will ask for it to be added to a blacklist. This will mean a permanent game of whack-a-mole as these sites pop up on new web addresses and then disappear as they get blocked. The danger here lies in the people searching for these ever-shifting sites accidentally ending up on the shadiest areas of the internet with content far worse than they were originally searching for, not to mention hugely increasing the chance that these small unscrupulous sites will try to infect your machine with malware.

The only thing that this will almost certainly achieve is to kill off providers of this content that are based within the UK, as these are the only companies that the government will be able to directly pursue for non-compliance. Regardless of your view of this sort of material, it is legal (removing any material that isn't legal is beyond the scope of this blog, and combatting it presents different technical challenges). Therefore, the only real impact this law has ultimately is job losses within the UK.

Apart from those huge fundamental flaws, it's all technically sound!