British telecoms regulator Ofcom has set out rules for how porn sites can verify the age of users under the newly passed Cybersecurity Bill. While the law stipulates that websites can choose how to block access by underage users, the regulator published a list of compliance measures that websites can take. These include asking a bank or mobile network to confirm that the user is at least 18 years old (with the user's consent), or requiring the user to provide valid details of a credit card that is only available to users over 18 years of age.
The regulator is starting a consultation on the guidance today and hopes to finalize its formal guidance in about a year's time.
The measures are likely to be controversial and come a little more than four years after the British government abandoned its last attempt to introduce age verification for pornography. Critics raised numerous privacy and technical concerns about the previous approach, and the plan was ultimately shelved in the hope that the Online Safety Bill (then known as the Online Harms White Paper) would provide a better direction. It remains to be seen whether that is true, or whether the UK government is just kicking the can down the road.
Gill Whitehead, Ofcom's head of cyber security, said in an interview: "Our research shows that children are now easily exposed to pornography online, with children as young as eight and nine years old accessing pornographic sites. Most of this is discovered online accidentally." Ofcom's press release cited research showing that nearly eight in 10 children have seen "violent pornography depicting coercive, degrading or painful sexual behavior" before the age of 18.
Ofcom sets out six age verification methods in today's draft guidance. In addition to turning to banks, mobile networks and credit cards, other suggested measures include requiring users to upload a photo ID, such as a driver's license or passport, or having websites use "facial age estimation" technology to analyze a person's face to determine whether they are over 18. Simply requiring website visitors to state that they are adults is not strict enough.
Once the duty comes into effect, porn sites will be able to choose one of Ofcom's approaches or implement their own age verification measures, as long as they are deemed to meet the "highly effective" standard required by the Online Safety Act. The watchdog will work directly with large sites and track smaller sites by listening to complaints, monitoring media coverage and working with frontline services. Websites that fail to comply with the Online Safety Act will be fined up to £18 million (approximately $22.7 million) or 10% of global revenue (whichever is greater).
The guidelines announced today will eventually apply to porn sites large and small, as long as their content is "published or displayed on an online service by a service provider." In other words, they're designed for professionally produced porn, rather than the user-generated content found on sites like OnlyFans. The two categories are often juxtaposed on the biggest porn sites, so the distinction can be tricky. But Ofcom will consult on rules for user-generated content, search engines and social media sites in the new year, and Whitehead believes both sets of rules will come into effect at the same time.
"In practice, conduit sites may choose to treat them all equally," she said. "If they have both professional porn and user-generated porn, then from a practical perspective they may want to apply this approach to all content. Porn that consists solely of text is not covered by today's guidelines."
Privacy concerns were the main reason the UK's last attempt at age verification for pornography was abandoned. Despite Whitehead's assurances that Ofcom worked with the UK's data protection regulator, the Information Commissioner's Office, to develop the guidance, digital rights campaigners at the Open Rights Group (ORG) were unconvinced.
Abigail Burke, project manager at Open Rights, said in a statement: "It is extremely worrying that Ofcom relies solely on the Data Protection Act and the Information Commissioner's Office to ensure privacy is protected. The Data Protection and Digital Information Bill before Parliament will seriously weaken our current data protection laws, which are in no way adequate to deal with such an intrusive scheme."
"Age verification technology used in pornography carries the risk of sensitive personal data being leaked, collected, shared or sold," Burke said. "The potential consequences of a data breach are catastrophic and could include blackmail, fraud, relationship damage, and exposure of people's sexual orientation in very vulnerable situations." Burke called on Ofcom to develop clearer standards for user data protection.
Additionally, any age verification that is implemented can potentially be bypassed by anyone with access to a VPN. Whitehead acknowledged that there is no "silver bullet" when it comes to cybersecurity. "However, if these measures can help prevent children from accidentally being exposed to adult content, then they are still worthwhile," she said. "I think the responsibility of the law and technology companies to keep users safe is part of a wider set of measures, including education, including conversations between parents and children, all of which can work together to really help keep children safe online."
What remains to be seen is the extent to which sex service providers will participate in the UK's age verification measures. Although Pornhub owner Aylo (then known as MindGeek) complied with a Louisiana law requiring users to verify their age with a government ID in January, it later completely blocked access to its service for users in other states with similar rules, including Mississippi, Virginia, Utah and Arkansas.