Monday, 7 August 2017

UK Porn

This post is not about USB drives or booting but it is about internet porn!


The UK government is trying to prevent children below 18 years of age from accessing porn on the internet by introducing some legislation that will force those websites to verify that the user is over 18 by making it mandatory for them to enter their credit card details. See here.

As Barry Collins said in today's Web User magazine, this is a stupid idea because it will allow 1000s of untrustworthy sites to gather your credit card details.

These sites can then sell those card numbers to criminals who can then use the details to blackmail you or simply use your credit card illegally.

I can also foresee that many of the more 'legitimate' porn sites will be tempted to include some small print such as 'After 1 month you will be charged $2 a month subscription' - so after a few months you may notice that you are paying $2 to some dodgy sites which appeared to be free - but are you going to complain to the law about a porn site that you subscribed to or just write it off?

I know that we can ask our own internet provider to block such sites, or we can run blocking software, turn on safe search in Google, etc. However, internet access is available on many different devices which are not always under our direct control (smart TVs, friends' PCs/notebooks/smartphones/phablets/tablets, etc.).

I have two suggestions:

1. All adult sites must request username+password

All sites which carry pornographic material should require a user login+password to prevent accidental access.

What this means is that when a 5-year-old girl does a Google search for a 'Snow White' video she does not immediately start to view a porn video (as can happen today)!

All ISPs (not just UK ISPs) should block any porn site that does not require a login+password. This would prevent pornographic material from being viewed by accident. In the UK, newsagents must keep all soft porn 'men's magazines' on the top shelf and out of children's reach, so why is it OK for children to have unfettered access to hard porn on the internet?

2. A government 'Check18' website

We must not make it mandatory for dodgy adult sites to request credit card details. This would lead to a whole host of ID and card fraud issues. Teenage kids will be 'borrowing' their parents' cards all over the country!

To block under-age access, maybe the UK government should set up an official gov.uk 'check18' webpage that accepts credit card details + name + DOB + National Insurance number?? (i.e. adult checkable credentials) and then it would supply the user with a one-time complex passcode+username which they can then use to obtain a user account on adult sites. The adult site would use an API which would verify that the passcode+username is valid by sending those two details to the government web server. Once the user is validated, he/she will just need a user name + password to create an account and log in to the adult site.

For example:

www.gov.uk/check18 - user enters a randomly chosen username + credit card + other credentials.

If OK, the website displays a username + passcode combination:

e.g.
username=freddythefox    passcode=asdsad9si3845tmdkfsdf9s030304ksfkdsf9944459545934

www.adultsite.com - the user specifies their chosen username (freddythefox or whatever) and copies and pastes the passcode.

The adult site then sends this info to www.gov.uk server using an API - if 'OK' is returned by the government server, the user can choose a password and create an account.

The one-time passcode that is supplied should be time limited (2 hours?) and should not contain any information about the user except the chosen username, nor should any record be kept by the trusted government website server of the details entered by the user. The passcode is essentially just a highly-encrypted message containing the time+date+username.

Because the code is time limited, the same passcode cannot be used by others. Also, the username is embedded within the passcode, so only that username can be used. Only the government website should be able to generate the passcodes (otherwise 'fake' verification sites will pop up which just generate passcodes), so very secure encryption and encryption keys must be used.
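A minimal sketch of the passcode described above, added here as an illustration and not part of the original post: it uses an HMAC-SHA256 tag instead of encryption, since the passcode only has to be unforgeable, and the function names, key handling and return strings are assumptions. The set of spent tags is what makes the passcode one-time; expiry alone would still allow reuse inside the 2 hours.

```python
import base64, hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # assumption: known only to the check18 server
LIFETIME = 2 * 60 * 60                # the post's suggested 2-hour limit, in seconds
_spent = set()                        # tags of redeemed passcodes only, no user details

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _tag(username, body):
    # Length-prefix the username so the username/body boundary cannot be shifted.
    msg = f"{len(username)}:{username}:{body}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

def issue_passcode(username, now=None):
    """Run after the age check passes; nothing the user entered is stored."""
    issued = int(time.time() if now is None else now)
    body = f"{_b64(secrets.token_bytes(16))}.{issued}"  # random nonce + issue time
    return f"{body}.{_b64(_tag(username, body))}"

def verify_passcode(username, passcode, now=None):
    """Answer the API would give to the adult site (constructed return strings)."""
    now = int(time.time() if now is None else now)
    try:
        nonce, issued, tag = passcode.split(".")
        age = now - int(issued)
        sent = base64.urlsafe_b64decode(tag + "=" * (-len(tag) % 4))
    except ValueError:
        return "INVALID"              # malformed passcode
    if not hmac.compare_digest(sent, _tag(username, f"{nonce}.{issued}")):
        return "INVALID"              # forged, altered, or a different username
    if not 0 <= age <= LIFETIME:
        return "EXPIRED"
    if sent in _spent:
        return "USED"                 # already redeemed once
    _spent.add(sent)                  # remember the tag, which reveals nothing
    return "OK"
```

Spent tags only need to be remembered until their passcode would have expired anyway, so the server's list stays small.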

Any adult site which does not follow this process should be blocked/blacklisted by UK ISPs.

Q. Should they also block proxy websites too?
Q. What if 'phishing' sites spring up which pretend to be the gov.uk site?

Blocking by ISPs

Whatever scheme is devised by the UK government, all UK ISPs will need a 'blacklist' of non-conforming adult sites. This leaves us with some questions...
  • Who decides if a site should be blocked because of unsuitable content (who maintains the blacklist) - the BBFC? and if so, do they have the resources to constantly monitor all sites and investigate all reports of any sites which should be blacklisted?
  • Will this slow down internet access for all UK users (similar to the 'Great Firewall of China')?
  • What about social media sites such as Twitter, Reddit, etc. where content is uncontrolled to a large extent?
  • The government Bill will also 'target suppliers of content and 'ancillary services', which include card payment providers and advertising'. UK ISPs and the sites themselves will be fined if they fail to block 'bad' sites - oh yeah... good luck trying to fine a Russian porn site then!

Summary

The proposed requirement for all adult sites to have a username+password login would be simple to implement and enforce, and would prevent accidental access (by both 5-year-old children and 80-year-old grandmothers). This would be a big improvement over the crazy situation we have at the moment and it carries no increased ID/fraud risk.

Making a new law that ensures all adult sites must request your credit card details carries with it a huge risk of dramatically increasing the amount of ID theft, credit card fraud and even blackmail.

Even if a UK government 'check18' service was set up, there is still a significant risk from phishing of the 'check18' site and from key loggers, etc. being used to gain your confidential details when you use the site.

Do you have any thoughts? Leave a comment below and let me know...