The DCMS have prepared some draft guidance for the regulator defining what exactly is meant in the Digital Economy Act by "providing pornography on a commercial basis". This is much needed, as there are real concerns about the scope of age verification and the unintended impact it might have on the livelihoods and safety of independent sex workers who post adult content to advertise online, and the freedom of expression of lifestyle sex bloggers.
In our meeting they seemed to hear these concerns, and thanked me for bringing them up. They claim they are keen to avoid "unintended consequences" of age verification, and seemed to suggest that this might apply particularly in the case of sex workers. They offered to send me a copy of the draft regulations and get my feedback - which they have done, albeit a week later after an email reminder. Disappointingly, the draft regulations do nothing to limit the scope of the policy. EDIT: I can confirm that the draft regulations they sent me (which I am asked not to share) are substantially unchanged from the previously published draft, which is available here.
If these regulations are instantiated, independent sex workers and lifestyle sex bloggers who earn any income via their blog will have to comply with age verification. I shall certainly be sending my feedback.
When we met, I asked whether they were intending to set a minimum threshold to protect sole traders and small businesses: they replied that they aren't. Apparently the standard way that a policy might set such a threshold is to exclude any business with fewer than 50 employees, and since almost no porn companies (apart perhaps from MindGeek) have more then 50 employees, this would exclude everyone, so they aren't going to do it. I did suggest that perhaps they might use some other metric, such as number of web visitors per month or total revenue, but they didn't seem interested.
I was able to find out more about the proposed timescale. The DCMS told me they were intending to present a proposal to Parliament before Christmas recommending that the BBFC be designated as the new age verification regulator: this has now been done. This proposal now needs to be debated in Parliament, and the debates in the House of Commons and House of Lords will take place in the New Year. That means that assuming the BBFC are designated (if not, the process might have to start again from scratch) it may not be until late January or February.
At that point, I'm told that the regulator will hold an "open consultation" - I'm not sure what about exactly, but if they'll be consulting the public on how they should enforce age verification, it will be a chance for us to have our say. Regardless, that will also take time. They will then produce their own guidance about what will be considered compliant.
Given the DCMS have taken seven months to produce their guidance, which they started before the Digital Economy Act was passed, it seems a little cheeky to expect the BBFC to turn their guidance around instantaneously.
Nonetheless, enforcement is meant to begin on 27 April 2018, by which point the regulator needs to have been designated, held a consultation, and produced guidance. The chances of site owners having any time at all to actually implement age verification by the time all this has happened seem vanishingly slim.
If the BBFC have finished their own process by then it will have been a rush job, without taking sufficient time to make age verification workable and robust. Our best hope at this stage is for the April deadline to be put back to allow time for things to be done properly.
I told the DCMS that most websites are run by one or two people who aren't IT specialists and certainly don't have a dedicated IT department. Moreover, many sites rely on the same IT contractors to manage the technical aspects of their websites, and those professionals are going to be swamped with requests to install age verification software the moment the regulator finally tell people how to comply with the law. In this environment it's unrealistic to expect fast turnarounds - and with web blocking looming as a sanction for non-compliance, it's also deeply unjust.
Pressuring sites to implement age verification under a tight deadline, without time to consider the pros and cons of the various services, is another way in which this policy threatens our privacy and security - and penalises small businesses.
The DCMS had a remarkably facile answer to these concerns. They claims that age verification suppliers should be the ones giving technical support to site owners "if they want customers". This speaks of the deep naiveté of the DCMS, and their refusal to take responsibility for producing a workable policy, or supporting people who want to try to comply with it. Instead they are expecting age verification companies to take up the slack - another example of their blind faith that "the market will sort out" their badly formulated policy, and the ways in which they are seeking to avoid being accountable for the age verification market they have created.
One of the most confusing things about the Digital Economy Act is that it exempts "On-Demand Programme Services" from complying with age verification. This topic is a bit acronym soup, so before I start unpacking it, here's a quick briefing:
The DCMS confirmed that they intend to run both regulatory frameworks - Ofcom regulating on-demand programme services under the AVMS, and the BBFC regulating all other "commercial pornography providers" under the Digital Economy Act - in parallel for a while, and kinda see how it goes. This creates a clear double standard, as well as being a shockingly inconsistent and hard-to-understand regulatory mishmash. They aren't putting any effort whatsoever into making it easier to understand - there are no public resources about the ODPS exception on the DCMS website.
They did mention that they are considering a review of the definitions (including the BBFC R18 classification guidelines) after 12-18 months. This is good news, but frankly it's scandalous that they've left it so long, particularly after it was established by the Digital Minister Matt Hancock during the Lords debates on the Digital Economy Act that the R18 guidelines were not fit for purpose. A review cannot come soon enough.
The DIgital Economy Act creates audio as a new category of pornographic material, with no legal precedent. The BBFC has never classified audio before, and there are no guidelines available about what audio will be considered "pornographic" for the purposes of the act. How will audio publishers know whether they are expected to comply with age verification?
This is highly relevant to people like Girl on the Net and myself who are publishing audio porn, which is an accessible form of pornography. Its inclusion in the Digital Economy Act seems ableist when you consider that it might potentially cover screen readers used by the visually impaired. Unfortunately the DCMS weren't about to offer anything helpful here: they simply said "You'll need to ask the BBFC how they intend to classify audio".
Finally we talked about privacy. The DCMS were eager to assure me that their guidance to the regulator does cover privacy, and will empower the regulator to rule that age verification suppliers who don't meet these minimum privacy requirements are non-compliant. This sounds like a good start, but the proof will be in the pudding. If the "commercial basis" regulations are anything to go by, the actual document will be far less robust than they claim.
If their claims are correct, and the guidance to the regulator does indeed include privacy requirements, this will mean that the BBFC aren't entirely toothless. They can notify ISPs to block a website using a non-compliant age verification solution, which creates a commercial incentive for age verification suppliers to meet the privacy requirements if they want anyone to use their service.
Unfortunately I fear that these privacy requirements are unlikely to be sufficient. It sounds like the DCMS guidance will require age verification suppliers to merely comply with the General Data Protection Regulation (GDPR) and with ICO guidance.
I need to research this more closely, but I suspect that in the case of age verification, these privacy standards mostly refer to data shown by the viewer to verify their age. They won't create any requirements around the retention of browsing data, which is what might result in 25 million UK internet users having their sexual preferences leaked online, if AgeID establish a monopoly over age verification. I told the DCMS about this, and they largely seemed to think that it wasn't their problem. Their only suggestion was that I personally use a more privacy-respecting age verification solution than AgeID on my website - they weren't interested in talking about the bigger picture.
I asked the DCMS to clarify an uncertainty raised by correspondence revealed between the DCMS and MindGeek. An FOI request showed that the porn giant was urging the government to block 4 million adult websites by default, and whitelist individual sites only once it was established that they were compliant. This would have created a censorship crisis. The DCMS assured me that individual sites will be blocked only once the BBFC has found them to be non-compliant.
I asked them to explain more about the process, and they told me that they envisage a system whereby websites are notified that they are non-compliant, and given time to comply before they are blocked. Other than that, however, they weren't able to shed much light on the enforcement process; they intend to give the regulator a free hand, and so we will need to talk to the BBFC (once they have been designated) to find out what the process will be.
So there you have it: age verification is a disastrous policy, spear-headed by a government department who refuse to take responsibility for sorting out the shambolic regulatory framework that is emerging, riddled with uncertainties and problem areas (such as browsing data) which are entirely ignored. These problems are entirely avoidable: the information has been available to the DCMS since their initial public consultation on age verification back in April 2016, but they are choosing to plough on regardless.
Become a Patron to get early access to posts like this!