How not to build a data security system

Information security expert Alec Muffett has posted an essay analysing the data security proposals of the BBFC with regard to Age Verification - including some damning commentary on the fact that all parties responsible for implementing AV are blithely ignoring the legal sensitivity of the data involved under the Data Protection Act:

The UK Government has passed the Data Protection Act (DPA) which guarantees sensitive “…processing of data concerning an individual’s sex life or sexual orientation” — §86.7e — and yet apparently nobody wishes to consider that if a person regularly age-verifies in order to access “ireallylikegayporn.com”, the resulting metadata trail will clearly constitute “data concerning [their] sex life or sexual orientation”. 

He explains why the April 2019 deadline for enforcement is so rushed as to preclude any sensible security consultation, and gives a good analysis of the deficiencies of the proposed data security mechanisms for AV with reference to the benchmark provided by credit card security standards.

In conclusion:

All of this AV “information protection” is being authored and decided by people who are divorced from the risk, who do not have “skin in the game” of data protection other than to enable the “fast-moving” AV business. By comparison the PCI DSS standards were written by the organisations (banks, cards) which literally bore the losses of fraud, but the person who loses-out from a leak of AV data concerning sex life or sexual orientation is/are the members of the general public — from call-centre workers to Members of Parliament — potentially en-masse and at scales of millions of people. 

The whole essay is worth a read.

