'Cybersecurity specialists express concerns over UK's age verification regulation'
The recently enacted Online Safety Act in the U.K., designed to safeguard children and vulnerable internet users from explicit content, has sparked a debate among cybersecurity experts. They see the age verification law as an online privacy nightmare, riddled with cybersecurity risks.
The Act mandates age verification checks on certain websites, which can be carried out through photo ID, credit card checks, or AI facial scanning. However, experts argue that these checks can be easily bypassed by users employing Virtual Private Networks (VPNs) to spoof their location, undermining the core goal of protecting children online.
Critics also worry about the potential for increased surveillance. The age verification mechanisms could be exploited by intelligence agencies to access users' data more broadly under the guise of safety. Past intelligence programs, such as GCHQ's "Mastering The Internet," reflect governmental interest in gaining more online access, raising alarms about privacy.
Implementing robust age verification methods consistently and securely is technically challenging. Approved methods include email cross-referencing, mobile network operator authentication, and facial age estimation without data storage. However, simpler methods like self-declaration or basic payment verification are not acceptable.
The deployment of biometric data or mobile operator authentication introduces cybersecurity risks around data protection, storage, and potential misuse or breaches. Ensuring these methods are both reliable and respect user privacy while preventing fraud or circumvention is complex.
Denis Vyazovoy, Chief Product Officer at AdGuard VPN, supports a safer internet for everyone but emphasises that privacy and freedom of access matter too. Hendry Parsons, Director of Communications at the Mozilla Foundation, shares this sentiment, calling for improved public education and greater transparency around age verification systems.
In response to these concerns, IPVanish suggests exploring less harmful options such as anonymous age tokens and device-level parental controls. Mullvad VPN CEO Jan Jonsson believes identification should be issued by the state and wants digital systems to offer a minimal, privacy-respecting interaction for age checks.
The surge in VPN usage in the U.K. since the Online Safety Act's introduction reflects people's caution about handing over sensitive personal data to third parties. Leading providers like NordVPN and Proton VPN have seen a significant increase in sign-ups.
Dr Ilia Kolochenko, CEO of security company ImmuniWeb, suggests that we may have to accept "some compromise of our privacy" as the "new normal" in many countries. However, Jonsson encourages a broader reflection on the underlying issues of age verification and how to balance safety, privacy, and freedom online.
In conclusion, while the intention to protect children online is commendable, the UK’s age verification law faces significant concerns regarding circumvention, privacy erosion, potential surveillance expansion, and technical feasibility of secure and fair implementation. The debate highlights the importance of striking a balance between child protection, user privacy, and security in the digital age.
References:
[1] Ofcom (2021). Age-verification requirements for online pornographic material: Statutory code. Retrieved from https://www.ofcom.org.uk/__data/assets/pdf_file/0027/1288232/age-verification-code-of-practice-statutory-code.pdf
[2] The Guardian (2021). Age verification for porn sites: what are the risks? Retrieved from https://www.theguardian.com/technology/2021/jul/16/age-verification-for-porn-sites-what-are-the-risks
[3] The Register (2021). Online Safety Bill: UK government refuses to budge on age verification. Retrieved from https://www.theregister.com/2021/07/22/online_safety_bill_age_verification/
- Cybersecurity experts fear that the age verification mechanisms employed by the Online Safety Act could pose significant cybersecurity risks, as users may exploit Virtual Private Networks (VPNs) to bypass checks and undermine the protection of children online.
- Advocates for privacy see the deployment of biometric data or mobile operator authentication as introducing cybersecurity risks around data protection, storage, and potential misuse or breaches, making it complex to ensure these methods are both reliable and respect user privacy while preventing fraud or circumvention.
