Last summer, the British government passed the Digital Economy Act of 2017, which updated laws and regulations around broadband service generally and addressed telecommunications policy and infrastructure issues. One provision was designed to prevent young people from accessing pornography; it required visitors to porn sites to prove they are over 18 years old. Parliament was trying to enact a child safety measure, but at the same time, it created a big target for hackers looking to obtain information that could be used for blackmail.
Under the new law, online porn sites are threatened with a fine of £250,000 ($335,000) or 5 percent of their annual profits if they are caught failing to verify the age of any of their users. Various options for confirming the age of their visitors are being considered. They could ask credit card companies to validate birthdates, for example, or contract with a third-party company to follow an individual’s social-media feed and determine his or her age from that information. Phone companies could be asked to create a text-verification process using birthdates, or porn companies could require users to upload ID cards or passports.
But here’s what worries cybersecurity experts: All these options would create a permanent record indicating that a user had visited a porn site. They could possibly even record the porn that the visitor had watched.
Matt Tait, a cybersecurity expert formerly of the GCHQ (the United Kingdom’s equivalent of the National Security Agency) who now teaches at the University of Texas, notes that any registration system could be a “monumental national security risk.” He adds, “It’s beyond insane they’re even considering it.”
The Digital Economy Act of 2017 was passed last summer in order to update British laws related to broadband policy and customer rights. The law included provisions to widen access to broadband service and updated ways of dealing with digital intellectual property, among many other things. Many of the law’s priorities were based on the 2015 Conservative Party Manifesto, which pledged to “take steps to protect the vulnerable and give people confidence to use the internet without fear of abuse, criminality or exposure to horrific content.” The pledge promised to “work with industry to introduce new protections for minors, from images of pornography, violence, and other age-inappropriate content.”
There are several examples of how data of this sort can be exploited and weaponized. In July 2015, Ashley Madison, a site created to facilitate extramarital affairs, was hacked, and 37 million user profiles were stolen. When the data was dumped, embarrassment was the least of it. One Louisiana pastor on the list committed suicide, marriages were fractured, and those claiming the moral high ground had a field day. Tait, for one, imagines Russian hackers breaking into databases of porn-watchers in search of embarrassing information on persons of interest.
“Sorry Prime Minister, Russia now knows what porn every MP, civil servant and clearance holder watches and when, and we don’t know how much of it they’ve given to Wikileaks” <– soon.
— Pwn ██ ██ ███ 1.4(C) – Declassified in Part (@pwnallthethings) November 26, 2017
Brad Moss, a Washington, DC-based lawyer who works on national security cases, says Tait’s take is “spot on.” But Moss points out that the main concern is not only that a person in a sensitive position could be blackmailed or fired if someone got their hands on his or her porn data. Rather, he says, the main issue is securing the data once it’s been collected because the broader social repercussions of it being released could be dire. “The Brits are going to have to ensure numerous redundancies are built in,” Moss says, “so that a single Snowden-type person can’t run off with all the data.”
Massive data breaches have become commonplace. Earlier this month, Uber was forced to admit that 57 million user accounts were stolen. In September, Equifax, one of the United States’ big three credit reporting agencies, announced that 145 million people had their data stolen. And in June 2015, the Office of Personnel Management announced that 22 million people had their highly sensitive government background check data stolen.
If porn consumers in the United Kingdom are the losers, Tait suggests there is a potential winner: Vladimir Putin.
So anyway. Good job guys. Not sure you've really thought this through. But we know how it ends if it becomes law. pic.twitter.com/FJPDcw5lvV
— Pwn All The Things (@pwnallthethings) November 26, 2017