The debate surrounding mandatory identification on adult websites has always sparked concerns about privacy. Many countries have introduced or are considering measures requiring age verification to access adult content, often mandating that users share personal information like IDs or credit cards to prove they are of legal age. This system, while aimed at protecting minors, raises significant privacy and security issues.
The Online Safety Act in UK
In the UK, in the wake of online age checks that introduced on July 25 as part of the UK’s Online Safety Act, several issues became immediately visible:
- ProtonVPN reported a more than 1,400 percent increase in sign-ups in the UK after age verification requirements took effect.
- Wikipedia will be required to identify its users too.
- Some content of Spotify will be affected.
- Some of the protections could be bypassed using a videogame.
- The most tattooed man could not be identified.
- Smaller adult websites simply did not comply.
The list of issues is growing every day with users reporting that their app is now blocked or that the websites offering help to abused children cannot be accessed by children anymore.
Everything went quickly from “this will never work” to “I told you so.”
An alternative
What if there were a way to enforce parental controls and age restrictions without forcing users to disclose personal details?
The HTTP header Content-Type could solve the problem. The header is used to specify the type of content (if a file is text, video, or an image) and it can contain optional flags to make it more valuable. A typical example is Content-Type: text/html; charset=utf-16 that specifies that the content is a webpage with a specific set of characters.
Something like Content-Type: image/jpeg; adult-content=true could be enforced by law to let websites tag explicit content while maintaining the privacy. When a website serves content, it would simply add adult-content=true to the file’s response headers when the content is not child-friendly. Client side, a parental control system could simply block those contents.
This solution would also make it possible to protect portions of a website. Imagine the CNN: the large picture from a warzone in the first page could be flagged adult-content=true, some articles could be flagged as well, and most of the website could remain accessible to anyone while still hiding violent content to children.
A solution based on Content-Type does not reinvent the wheel and requires small technical changes that could be rolled out easily. It is certainly easier than identifying the whole population and create services with biometric and identification data that will be a target for cybercrime.