As of July 25 2025, people in the UK accessing web services with pornographic content will have to prove they are over 18 years of age. This development has been in the works for a while. It was proposed in 2014 by the video-on-demand regulator, and legislated for introduction in 2019 through the British Board of Film Classification.
It is of course important to stop children from accessing inappropriate material online. But, as often with technological solutions to societal problems, all available methods of age checking come with significant downsides in terms of privacy, security and human rights.
A strict separation between sites that do or do not have pornography means the definition of pornography, (not in itself illegal in the UK, becomes crucial. Tech companies are likely to use conservative algorithms (“overblocking”) in response. Historically this has affected sex education online, making it harder for young people to find sexual health advice or explore LGBT+ identities.
The failure to implement the law in 2019 was blamed on an administrative error, but the problems with technological solutions also played a role. Technology in this area has barely progressed, but nevertheless the regulator Ofcom ghas now said that several methods are capable of being highly effective.
The methods Ofcom suggests now come into two categories, which I will describe here as direct and indirect.
With direct methods, visitors will have to prove to the website that they are over 18. The most obvious way is by sharing both photo ID, such as a passport, and then also a selfie as proof that the passport belongs to them (in cybersecurity terminology, the passport is a “credential” and the selfie serves to “bind” the credential to the user).
Most people would obviously object to submitting these to a porn site. Part of the reason for this is that this would fully identify users, and allow the site to associate their identity to their preferences in browsing.
Anonymity on the internet may have got a bad name because of online “trolls”, but it has a serious positive human rights dimension, particularly also for children. Freedom of expression and association can be exercised much more safely if online anonymity is an option.
Anonymous access to any sites relating to sex can be viewed as liberating people to exercise their right to a sex life without interference or shame. Most age verification methods undermine anonymity to some extent, even if not as obviously and completely as passports and selfies do.
Indirect methods use an intermediary organisation to verify the person’s age. There are lobby groups associated with these organisations that have been influential in policy making for UK online safety for the last decade. Another strong influence has been politicians’ belief in the economic potential of the UK “safety tech” sector.
Users prove their age once with the intermediary, leading to a credential that may be used – typically multiple times – on the website without providing personal data. This looks like a nice clean solution, requiring trust in the intermediary but not in the “porn site”, until you consider “binding” – how do you know it’s the same user?
Borrowing or stealing of such credentials may be minor risks, but a black market in them could provide ways for teenagers to circumvent age restrictions (alongside virtual private networks VPNs, an encryption method which stop a user’s internet traffic from being intercepted by third parties).
Any method to “detect abuse” would involve surveillance, such as tracking IP addresses or using information about the person’s electronic device). This raises further challenges about fairness.
Intermediaries do all promise to delete or protect the information used for the proof of age, after varying periods. This limits the associated security and hence privacy risks, but does not eliminate them.
There are also incidental indirect methods, where an existing third party happens to know we are over 18. This includes banks (the “open banking” verification method), credit cards (not allowed under 18 in the UK), or mobile phone companies that can confirm a person has been able to get their porn filter removed, proving they must be over 18.
All indirect methods have so-called “linkability” privacy issues. The credential becomes an identifier, which allows the website, the intermediary, or both to link different visits to the same site or to other sites, and build up a picture like a browsing history that will become more individual and more intrusive over time.
Age estimation
Finally there are methods that do not actually verify your age but only estimate it. One way is via your email address and detecting how much “adult behaviour”, such as buying insurance, it has been involved with.
For most of us who do not use throw-away email addresses, it drives home the extent to which our main email address forms the key to mass online surveillance of everything we do. Maybe we would rather not be reminded. It certainly seems excessive for proving our age.
A lot of commercial effort has also gone into face-based age estimation technology. As with human age checking for alcohol in supermarkets, it is very approximate and unfair on people who do not look their age. In both cases, another verification method needs to be added as a backup.
To make the online world safer for kids, technological measures have had adverse effect on freedom that go beyond just removing porn. As a result, additional online surveillance gets put in place for many of us. Creating additional sensitive databases of information also sets up targets for cybercriminals.
Even more seriously, the “database state” offers potential for the kind of repressive mass surveillance that privacy activists have been warning of for decades. In that context, can we really afford to add to internet surveillance?
Get your news from actual experts, straight to your inbox. Sign up to our daily newsletter to receive all The Conversation UK’s latest coverage of news and research, from politics and business to the arts and sciences.
Eerke Boiten has in the past received funding from various research funding organisations, none of it relating to the topic of this article.
