The BBFC's green checkmark logo.

Report cited by:

This week, the Open Rights Group released a new report co-authored by myself which analyses the BBFC’s recently-published Age-verification Certificate (AVC) standard. The voluntary standard is intended to help inform consumers by granting a green “AV” checkmark to age verification platforms which supposedly go the extra mile to ensure the security of their data. After some analysis, however, we have concluded that the effort is functionally useless and, even worse, may actually mislead consumers.

Consider for yourself whether, if you lived in Tokyo, you would want to live in a building designed and blueprinted by amateurs, but where they crashed cars into it occasionally to see if it is “safe enough”.

Alec Muffett

Some highlights from the report:

  • Enrolment into the standard is voluntary. For sensitive age verification data, why is it not the case that all providers are bound by these higher standards of data security?
  • Today, with exactly one month left before age verification is rolled out across the country, the standard still relies heavily on as-yet-unpublished documentation.
  • The scheme offers no information about what recourse (if any) is available if a provider fails to meet the required standard.
  • The standard is broadly drafted and vague to the point that it effectively amounts to allowing providers to write their own policies, and just verify that they are following them. (See quote from Alec Muffett above.)
  • The vagueness of the standard makes the green “AV” checkmark issued by the BBFC functionally useless for consumers and, at worst, misleading.

When taken together, the issues amount to a standard which is of minimal use to consumers and urgently needs to be redrafted to add more specific rules and penalties for noncompliance. As we head rapidly towards the implementation date for age verification (only one month away, on 15 July 2019), the BBFC must appeal to the Government to urgently halt the rollout of age verification until the AVC standard has been re-drafted and age verification providers have been given enough time to fully implement it. MindGeek (owners of many large pornographic streaming sites) estimate that 20-25 million UK adults will sign up to their AgeID verification tool within the first month. This means that if the BBFC’s age verification standard is to properly protect consumers, providers must be assessed before launch.

Additionally, if (as the BBFC have clearly identified) age verification data requires a higher standard of caretaking than regular data protection laws demand, then the Government must recognise this and ensure that such standards are backed by statutory requirements before proceeding with implementing age verification as planned. If age verification data is so sensitive, why is a voluntary standard considered sufficient?

There is simply not enough time, nor enough incentive, for providers to implement the BBFC’s AVC standard before 15 July. Even if they do, the vague nature of the standard coupled with the missing documentation makes the green AV checkmark functionally useless for consumers. The BBFC and DCMS must recognise that there needs to be an urgent re-think before age verification is rolled out to consumers. The clock is ticking.

The full unabridged report can be downloaded here from the Open Rights Group site.