The Online Safety Act has become law in the UK. Or, as the UK government’s soundbite-filled press release put it: “world-leading bill becomes law”. This will make the UK “the safest place in the world to be online”.

This controversial Act requires the removal of illegal content from the web. It also requires the removal of content that is legal but harmful to children and which they are likely to access. The principles are sound.

In its role of enforcing this Act, Ofcom is proposing several measures to prevent children from accessing porn online. Along with the usual suggestions of bank and credit card checks, it is also proposing problematic measures:

• Photo identification matching which users uploading their driving licence or passport. This will then be compared to an image of the user to verify that they are the same person.
• Facial age estimation. The features of a user’s face will be analysed to estimate their age. Additionally, where the user is estimated to be under 25, they would have to undergo a second age check.

Here’s where the fun begins

Will the websites keep a record of these individuals so they don’t have to verify their age each time? Imagine, if you will, a world where adult websites contain not just login details, but detailed personal and biometric data about their users. What could possibly go wrong?

Well, in 2015, marital affairs dating site Ashley Madison was hacked. “Life is short. Have an affair” said former Ashley Madison CEO, Noel Biderman. Those hackers released 33 million records. These contained names and identifying details of people who had used the website for secret affairs. In 2016, security researchers hacked into Pornhub, one of the largest adult websites, although that was part of a bug bounty programme so they’re likely more secure now.

All of this sounds like a hacker’s dream come true and a personal data nightmare. If those photos are released online with data about their origin, how long before they form part of an upload to a facial recognition site?

We can expect to hear much more about this in the future, not least from the ICO!

If you need advice, contact me f.jennings@teacherstern.com or +44 (0) 20 7611 2338.