Information security expert Alec Muffett has posted an essay analysing the data security proposals of the BBFC with regards to Age Verification - including some damning commentary on the fact that all parties responsible for implementing AV are blithely ignoring the legal sensitivity of the data involved under the Data Protection Act:

The UK Government has passed the Data Protection Act (DPA) which guarantees sensitive “…processing of data concerning an individual’s sex life or sexual orientation” — §86.7e — and yet apparently nobody wishes to consider that if a person regularly age-verifies in order to access “ireallylikegayporn.com”, the resulting metadata trail will clearly constitute “data concerning [their] sex life or sexual orientation”. 

He explains why the April 2019 deadline for enforcement is so rushed as to preclude any sensible security consultation, and gives a good analysis of the deficiencies of the proposed data security mechanisms for AV with reference to the benchmark provided by credit card security standards.

Keep reading »