DCMS pass the buck on age verification
 
I recently met the DCMS to talk to them about age verification, and try and get some answers out of them. Here's what I learned.

Who will have to comply?

The DCMS have prepared some draft guidance for the regulator defining what exactly is meant in the Digital Economy Act by "providing pornography on a commercial basis". This is much needed, as there are real concerns about the scope of age verification and the unintended impact it might have on the livelihoods and safety of independent sex workers who post adult content to advertise online, and the freedom of expression of lifestyle sex bloggers. 

In our meeting they seemed to hear these concerns, and thanked me for bringing them up. They claim they are keen to avoid "unintended consequences" of age verification, and seemed to suggest that this might apply particularly in the case of sex workers. They offered to send me a copy of the draft regulations and get my feedback - which they have done, albeit a week later after an email reminder. Disappointingly, the draft regulations do nothing to limit the scope of the policy. EDIT: I can confirm that the draft regulations they sent me (which I am asked not to share) are substantially unchanged from the previously published draft, which is available here.

If these regulations are instantiated, independent sex workers and lifestyle sex bloggers who earn any income via their blog will have to comply with age verification. I shall certainly be sending my feedback.

When we met, I asked whether they were intending to set a minimum threshold to protect sole traders and small businesses: they replied that they aren't. Apparently the standard way that a policy might set such a threshold is to exclude any business with fewer than 50 employees, and since almost no porn companies (apart perhaps from MindGeek) have more then 50 employees, this would exclude everyone, so they aren't going to do it. I did suggest that perhaps they might use some other metric, such as number of web visitors per month or total revenue, but they didn't seem interested.

When will the regulator be designated?

I was able to find out more about the proposed timescale. The DCMS told me they were intending to present a proposal to Parliament before Christmas recommending that the BBFC be designated as the new age verification regulator: this has now been done. This proposal now needs to be debated in Parliament, and the debates in the House of Commons and House of Lords will take place in the New Year. That means that assuming the BBFC are designated (if not, the process might have to start again from scratch) it may not be until late January or February.

At that point, I'm told that the regulator will hold an "open consultation" - I'm not sure what about exactly, but if they'll be consulting the public on how they should enforce age verification, it will be a chance for us to have our say. Regardless, that will also take time. They will then produce their own guidance about what will be considered compliant. 

Given the DCMS have taken seven months to produce their guidance, which they started before the Digital Economy Act was passed, it seems a little cheeky to expect the BBFC to turn their guidance around instantaneously. 

Nonetheless, enforcement is meant to begin on 27 April 2018, by which point the regulator needs to have been designated, held a consultation, and produced guidance. The chances of site owners having any time at all to actually implement age verification by the time all this has happened seem vanishingly slim. 

If the BBFC have finished their own process by then it will have been a rush job, without taking sufficient time to make age verification workable and robust. Our best hope at this stage is for the April deadline to be put back to allow time for things to be done properly.

I told the DCMS that most websites are run by one or two people who aren't IT specialists and certainly don't have a dedicated IT department. Moreover, many sites rely on the same IT contractors to manage the technical aspects of their websites, and those professionals are going to be swamped with requests to install age verification software the moment the regulator finally tell people how to comply with the law. In this environment it's unrealistic to expect fast turnarounds - and with web blocking looming as a sanction for non-compliance, it's also deeply unjust. 

Pressuring sites to implement age verification under a tight deadline, without time to consider the pros and cons of the various services, is another way in which this policy threatens our privacy and security - and penalises small businesses.

The DCMS had a remarkably facile answer to these concerns. They claims that age verification suppliers should be the ones giving technical support to site owners "if they want customers". This speaks of the deep naiveté of the DCMS, and their refusal to take responsibility for producing a workable policy, or supporting people who want to try to comply with it. Instead they are expecting age verification companies to take up the slack - another example of their blind faith that "the market will sort out" their badly formulated policy, and the ways in which they are seeking to avoid being accountable for the age verification market they have created.

Regulatory confusion

One of the most confusing things about the Digital Economy Act is that it exempts "On-Demand Programme Services" from complying with age verification. This topic is a bit acronym soup, so before I start unpacking it, here's a quick briefing:

  • AVMS:  The AudioVisual Media Services (AVMS) regulations 2014, a statutory instrument brought in by the DCMS and banning various forms of online porn.
  • ATVOD: The Authority for TV On Demand, the online porn regulator 2010-2015, tasked with enforcing the AVMS. (They unjustly forced my website offline for nearly a year and near destroyed my business.)
  • ODPS: On-Demand Programme Services, a category of website defined in the AVMS - it refers to "TV-like" online services where viewers can stream video "on demand".
  • Since ATVOD were folded in disgrace in January 2016, its parent body Ofcom have taken on responsibility for enforcing the AVMS regulations. However I haven't heard of them initiating any investigations into adult websites for breach of the AVMS rules. The AVMS regulations are still legally in force, but enforcement appears to be unofficially on hold.
  • The AVMS regulations ban any online content which would be refused classification by the BBFC. The BBFC classification guidelines are out of date with the case law on the Obscene Publications Act, and long overdue for review. On this basis we successfully got an amendment to the Digital Economy Act through in the Lords. The Act originally reinforced the ban on content that would be refused BBFC classification; after the amendment, the prohibited content section refers to "extreme pornography", a narrower category than the BBFC guidelines. The AVMS regulations are much more strict on prohibited content than the Digital Economy Act.
  • Section 3 14.6 of the Digital Economy Act states that "For the purposes of this Part, making material available on the internet does not include making the content of an on-demand programme service available on the internet in the course of providing such a service." This means that ODPS will not have to comply with the Digital Economy Act, and will not have to age verify users.
  • ODPS was initially meant to be "TV-like" services like BBC iPlayer, thereby replicating the content rules for TV online and offline. However ATVOD took this one step further and decided that porn membership websites were ODPS, and investigated and fined many site owners on that basis, including mine. 
  • I, however, won my appeal to Ofcom by successfully arguing that I'm not an ODPS. So if you run a porn membership website you probably don't have to comply with Digital Economy Act. Unless you're me. What a tangled web we weave!

The DCMS confirmed that they intend to run both regulatory frameworks - Ofcom regulating on-demand programme services under the AVMS, and the BBFC regulating all other "commercial pornography providers" under the Digital Economy Act - in parallel for a while, and kinda see how it goes. This creates a clear double standard, as well as being a shockingly inconsistent and hard-to-understand regulatory mishmash. They aren't putting any effort whatsoever into making it easier to understand - there are no public resources about the ODPS exception on the DCMS website. 

They did mention that they are considering a review of the definitions (including the BBFC R18 classification guidelines) after 12-18 months. This is good news, but frankly it's scandalous that they've left it so long, particularly after it was established by the Digital Minister Matt Hancock during the Lords debates on the Digital Economy Act that the R18 guidelines were not fit for purpose. A review cannot come soon enough.

How will the BBFC classify audio?

The DIgital Economy Act creates audio as a new category of pornographic material, with no legal precedent. The BBFC has never classified audio before, and there are no guidelines available about what audio will be considered "pornographic" for the purposes of the act. How will audio publishers know whether they are expected to comply with age verification?

This is highly relevant to people like Girl on the Net and myself who are publishing audio porn, which is an accessible form of pornography. Its inclusion in the Digital Economy Act seems ableist when you consider that it might potentially cover screen readers used by the visually impaired. Unfortunately the DCMS weren't about to offer anything helpful here: they simply said "You'll need to ask the BBFC how they intend to classify audio".

Privacy

Finally we talked about privacy. The DCMS were eager to assure me that their guidance to the regulator does cover privacy, and will empower the regulator to rule that age verification suppliers who don't meet these minimum privacy requirements are non-compliant. This sounds like a good start, but the proof will be in the pudding. If the "commercial basis" regulations are anything to go by, the actual document will be far less robust than they claim.

If their claims are correct, and the guidance to the regulator does indeed include privacy requirements, this will mean that the BBFC aren't entirely toothless. They can notify ISPs to block a website using a non-compliant age verification solution, which creates a commercial incentive for age verification suppliers to meet the privacy requirements if they want anyone to use their service. 

Unfortunately I fear that these privacy requirements are unlikely to be sufficient. It sounds like the DCMS guidance will require age verification suppliers to merely comply with the General Data Protection Regulation (GDPR) and with ICO guidance

I need to research this more closely, but I suspect that in the case of age verification, these privacy standards mostly refer to data shown by the viewer to verify their age. They won't create any requirements around the retention of browsing data, which is what might result in 25 million UK internet users having their sexual preferences leaked online, if AgeID establish a monopoly over age verification. I told the DCMS about this, and they largely seemed to think that it wasn't their problem. Their only suggestion was that I personally use a more privacy-respecting age verification solution than AgeID on my website - they weren't interested in talking about the bigger picture.

Enforcement

I asked the DCMS to clarify an uncertainty raised by correspondence revealed between the DCMS and MindGeek. An FOI request showed that the porn giant was urging the government to block 4 million adult websites by default, and whitelist individual sites only once it was established that they were compliant. This would have created a censorship crisis. The DCMS assured me that individual sites will be blocked only once the BBFC has found them to be non-compliant

I asked them to explain more about the process, and they told me that they envisage a system whereby websites are notified that they are non-compliant, and given time to comply before they are blocked. Other than that, however, they weren't able to shed much light on the enforcement process; they intend to give the regulator a free hand, and so we will need to talk to the BBFC (once they have been designated) to find out what the process will be.

Summary


  • The DCMS are taking disappointingly little responsibility for creating a secure and robust  age verification system. They are passing the buck to site owners, age verification companies and the regulator, and simply crossing their fingers and hoping that together we can make it work in practice. However, without a clear regulatory framework that sets strong requirements for privacy, this is unlikely.
  • It is a good start that the regulator will be given power to make sure that age verification software meets basic privacy requirements, but I fear that these requirements will be insufficient.
  • The DCMS draft commercial basis regulations do little to limit the scope of the Act in a sensible way; when it comes to proportionality they they are passing the buck to the BBFC.
  • The ODPS exception creates a confusing double standard, with no guidance available on which sites count as ODPS, and don't have to comply with the Digital Economy Act. 
  • The chances of even the BBFC meeting the 27 April deadline, never mind anyone else, sound increasingly laughable.

So there you have it: age verification is a disastrous policy, spear-headed by a government department who refuse to take responsibility for sorting out the shambolic regulatory framework that is emerging, riddled with uncertainties and problem areas (such as browsing data) which are entirely ignored. These problems are entirely avoidable: the information has been available to the DCMS since their initial public consultation on age verification back in April 2016, but they are choosing to plough on regardless. 

Become a Patron to get early access to posts like this!