Porn is a serious issue, and so is identity

We’d all, I’m sure, prefer a world in which children did not have access to corrosive and nauseating material that undermines our civilised society. But how can we stop children from seeing MTV and the Daily Mail? The government has given up on this, I’m afraid, and has instead decided to try to stop them from seeing porn.

Porn is a problem. Let’s not beat about the bush. None of us want kids watching inappropriate sexual content on the web, not even the stuff they’ve created themselves. And I would like to practical ways to achieve this goal, which is why I’ve been along to a couple of events about safety on the internet and such like, looking for a win-win whereby our clients can use their technology to help.

The main discussion that I was interested in was led by Helen Goodman MP (the Shadow Minister for Culture, Media and Sport) and Claire Perry MP, who is the Prime Minister’s special advisor on preventing the sexualisation and commercialisation of childhood.

[From Identity and authentication technologies can make the Internet safer]

Ms. Perry, a former McKinsey consultant, attracted a certain amount of notoriety in web circles last year when she made some public statements that seemed to indicate that she didn’t completely understand how the internet worked, despite being Prime Minister’s advisor on such things. As I said at the time, I don’t understand why government doesn’t ask people who understand how things work (e.g., me) for advice and instead seem to evolve policy by listening to PR flacks, mates in the City, management experts and political lifers who have never had a real job of any kind. But let’s put that to one side.

The British Government’s Department of Culture, Media and Sport (DCMS) is reportedly drawing up plans to force porn sites to verify the age of visitors. Since the UK has no identity infrastructure (the government scrapped the controversial identity card scheme years ago and has yet to commission a study from Consult Hyperion on the viable alternative, the National Entitlement Scheme, NES) there is no way of doing this properly, so they are casting around for proxies.

As reported by the Sunday Times, this includes bank-approved software and credit cards, which can only be issued to those 18-years-old or above.

[From Porn and weapons websites may need to verify age of those using services – Gadgets and Tech – Life and Style – The Independent]

I liked this credit card example, because it shows how little the politicians understand about identity. Forcing people to give their credit card details out willy-nilly will inevitably leading to an explosion in card fraud, since there is no way that the punter can tell whether they are looking at the real “Honourable Members” or an Eastern European rid-off created solely for the purpose of harvesting valuable personal information. The example also feeds one of my pet bugbears, which is trying to use the payment system as a policeman instead of using real policeman.

The payments systems, which will be overseen by Economic Secretary to the Treasury and MP for South Northamptonshire Andrea Leadsom, will utilise UK-approved companies such as PayPal and Visa.

[From Porn and weapons websites may need to verify age of those using services – Gadgets and Tech – Life and Style – The Independent]

Andrea Leadsom read Political Science and comes from the investment banking and hedge fund world so I imagine she is very familiar with know-your-customer legislation, multi-factor authentication and such like. However, I would like to point out that there is a crucial difference between logging in to a hedge fund account and logging in to a porn account. I want the hedge fund to know who I am, but I don’t want the porn account to know who I am. Which is not to say I want to be (or should be allowed to be) anonymous, just that there is no reason for the operators of the web site “Ministers without Portfolios” to know who I really am.

What we need is a working identity infrastructure that allows for strongly-authenticated pseudonyms

[From Identity and authentication technologies can make the Internet safer]

We have to come up with something that will work for the porn sites so that they want to implement it because it makes their lives easier. But it has to be something that will protect the privacy of individuals who are doing nothing illegal by checking out the Black Rod’s Garden Gate. Oh wait, that’s real…

Better choose another example. It has to be something that will protect the privacy of individuals who are doing nothing illegal by snapchatting their junk to attractive  opposite persons of the contradictory gender (who may or may not be real).

Brooks Newmark quit as the minister for civil society after he apparently sent a picture of his genitals, taken while he was wearing paisley pyjamas, to an undercover reporter who was posing as a “Tory PR girl”.

[From Brooks Newmark Quits As MP: ‘Sexting’ Scandal Places ‘Intolerable Burden’ On Family]

Actually, my idea wouldn’t have helped the Minister in this instance, because it’s not about identifying people, it’s about protecting their identities. (That’s enough examples, Ed.)

The protection of privacy must be by a trusted intermediary. A bank, for example. Here’s a free idea for the DCMS to consider. I go to log in to “Home Secretaries in Heels” or whatever my favourite fetish site of the day is. It asks me to create an account. As part of the account creation process it asks for my bank. I tell it Barclays. At that point, I am bounced to the Barclays web site and asked to log in. I do this using my dongle (**). Once I am authenticated, Barclays generates a one-off service provider ID (maybe by hashing my account number and the DNS name of the requesting site). I am then bounced back to the porn site to continue browsing, logged in using the bank-provided pseudonym. The porn site gets a digitally-signed message from Barclays that says “this person is over 18 and known to us” together with the service provider ID. Now they have a unique identifier for me that cannot be traced back to me because it is the output of a cryptographic one-way function. What’s more, the service provider ID will be different for each site where I create an account: “Bigger Ben” cannot collude with “Dispatch Fox” to determine that I am the same person.

Now, you may think that I am being slightly flippant about this serious topic, but I am not. Taking active steps to create digital identity services that have privacy as an integral element of the customer proposition means that banks can establish a clear, responsible, customer-centric position in the emerging value network. The payment system isn’t a policeman, but banks might be privacy providers.

(*) Sincere apologies for appalling but irresistible puns throughout.

(**) The two-factor authentication device that I use to access my Barclays bank account.