A British law that forces porn site owners to check visitors’ ages could lead to a global database of viewing habits ripe for hacking, say digital rights activists.

The Digital Economy Act of 2017, passed into law on April 27, is expected to require websites to check user ages using a regulator-approved verification method starting in May 2018.

Privacy advocates are fearful that MindGeek, which has over 100 million daily visitors to its sites that include PornHub and Brazzers, could create a database of adult viewing habits on a scale never seen before. MindGeek is “the largest adult entertainment operator globally,” according to the porn industry press.

So, if MindGeek’s contents ever leaked or were hacked, it would make the Ashley Madison hacks seem minuscule.

The bill, first introduced to parliament in July 2016, makes a raft of changes to the way people use the internet, enforcing tough measures against file sharers and requiring a new age verification system. It follows the Investigatory Powers Bill that was passed in November, which grants the government the power to store the top-level history of any web browser in the country for up to a year and force private companies to give up their products’ encryption secrets. An election has been called for June 8, but without a change of government, these changes and the verification system are almost certain to come into force.

Here’s how MindGeek’s solution to the British law’s demand — titled AgeID — will work: when a user visits a supported site, they will be prompted to create an account. The user then gets a choice of verification options, like using a passport or mobile phone to confirm their age. AgeID passes the user onto a third-party regulator-approved service to verify their age, and the service sends back a simple yes or no as to whether the user passed the check. An AgeID account allows the user to bypass the check.

“You can imagine how much data that is going to give MindGeek, if they’re going to have stats on what people click on, what porn sites people click on, what they pay for,” Pandora Blake, a sexual liberties campaigner and pornographic website owner, told an Open Rights Group meeting in London last month. “Once you’ve got a MindGeek login, you’re going to be giving them your entire web browsing history, because they’re going to be able to track every time you log in to anything.”

This is not just about MindGeek checking a user’s age in the UK. The system is scalable, so if another country introduces a similar law, the company can adapt the system and introduce it to the local marketplace. It could happen in the United States: legislators have tried before to enact similar laws, like the Child Online Protection Act or Louisiana’s H.B. 153, but these prior attempts have been struck down for violating the first amendment of the constitution.

AgeID will also allow other websites to participate.

story continues below
Pandora Blake and Myles Jackman at the Open Rights Group meeting.
Pandora Blake and Myles Jackman at the Open Rights Group meeting.

There’s good reason to believe websites will take up MindGeek’s offer. Blake explained that the economics behind age verification will hit small businesses hard. MindGeek, Blake said, will charge £0.05 ($0.07) to age-verify each visitor, where cell carriers will charge £0.10 ($0.13) per visitor. Her website receives around 3,000 visitors per day, and around 0.01 percent of those are paying customers. She makes around £1,000 ($1,298) per month from the website, but age verification through the cell carrier will cost £300 ($389) per day.

“A MindGeek representative at the porn demos of the [age verification] solutions said that they expected 20 to 25 million adults in the UK to sign up in the first month,” Myles Jackman, a civil liberties lawyer and the Open Rights Group’s legal director, said at the meeting. Overall, an estimated 10 to 16 percent of British internet users regularly watch pornography.

MindGeek claims it has built in many security features to the AgeID system to help prevent fraudulent use, account sharing, and hacking. But from the very first day of its operation, the system will represent a golden prize in hacking circles: an unfathomably large database of pornography users.

MindGeek denies that its system will store the sort of information that Blake claims it will.

“In order to achieve the child protection goals of the government, it is essential that all adult companies comply or are enforced against in a very short timeframe from the date of enforcement,” a MindGeek spokesperson tells Inverse. “A level playing field is vital, non-compliance cannot be seen as advantageous, and if sites are left non-compliant, the law will fail in protecting children to a greater degree than the status quo.”

“AgeID cannot see, let alone store any data used during the age verification process,” a spokesperson tells Inverse. “AgeID’s only concern is whether a visitor is age verified.”

story continues below

Despite the company’s insistence that the system won’t store much information, it’s hard to escape the fact that AgeID represents a dramatic shift in the way users will access pornographic content.

Photos via Mike Brown/Inverse