Experts warn of the dangers and difficulties of a government-instituted anti-porn app: ‘This has never been successful’

In Spain, the government is hoping that minors won’t be able to access adult content on the internet. This past Tuesday, the cabinet approved a plan to protect children and youth from online pornography. One of the proposed measures is the development and implementation of an app that will enable the confirmation of the age of users who wish to access certain webpages.

The Spanish Data Protection Agency (AEPD) presented a proposal in December of 2023 to demonstrate that there’s already technology that allows for this. “It’s a pilot project that we hope can be presented in the summer of 2024,” Minister of Education Pilar Alegría said on Tuesday, following a cabinet meeting.

Across all countries, there are fears about minors accessing pornography. This fits into the trend that wants to delay adolescents from getting their first mobile phones. France recently approved mandatory age controls for online pornography in 2020, while several US states have taken down major porn sites. The United Kingdom is also looking for a technological solution to confirm the age of those who attempt to access certain webpages. Meanwhile, Italy has imposed parental controls on minors’ mobile phones via service providers. Still, no nation has found a remedy that doesn’t cause further problems.

Experts view all these pieces of legislation with great skepticism. The technological solutions seem ideal on paper… until someone starts typing code to develop the tool. And, when the solutions are put into action, new dangers and unexpected scares suddenly appear.

This is how Minister Alegría has described the possible operation of this future app: “I’m an adult, mother of a minor. I have a mobile phone. If at any time I wanted to access some content on a page for adults, this application would help me: it would recognize [who I am] and, therefore, would give me the possibility of navigating the different pages. However, if my 10-year-old son used that same mobile phone, the application would recognize him and make it impossible for him to access it.”

This simple explanation – which would seem reasonable to any parent – sets off alarm bells for privacy experts. “While in theory there could be a technical solution that simply says ‘yes’ or ‘no’ to whether a person is of legal age based on identity documents, this is technically very complicated and requires the trust that no additional information will be shared,” warns Ella Jakubowska, a senior policy advisor for European Digital Rights, a collective of NGOs. “I’m not aware of this ever having been done successfully,” she adds.

A technological solution to a complex social problem doesn’t exist until the details are made clear. In the case of Spain, there’s nothing more than some concept papers published this past December by the AEPD, which puts the development of the tool in the hands of the Royal Mint of Spain (FNMT). When queried by EL PAÍS, neither institution wanted to provide more details about the program or its development. Representatives limited themselves to pointing out that “the FNMT technology teams are working on it.”

“It all depends on the implementation,” affirms Carmela Troncoso, a professor at the Swiss Federal Institute of Technology Lausanne. “Without details, it’s difficult to say anything. Can I ask them for the code? The specifications? A white paper? Anything?”

The AEPD has published three videos with its evidence, but the footage doesn’t clarify anything. “It’s a video with a person who puts something on a phone and a website that does something else. I don’t know what they send, what they don’t send, who sees it… there’s zero information,” Troncoso sighs.

The AEPD has already issued two fines regarding websites’ lack of safeguards surrounding age. There’s already applicable legislation in this area. The government notes that the “Audiovisual Communication Law requires providers of pornographic videos to establish age verification mechanisms.” With the new plan, it’s expected that the industry will understand that the government means business.

“The technicians I work with have seen the little data [provided by the concept papers]... they say that the plan is very green,” notes Borja Adsuara, a lawyer who specializes in digital law. “[The government] made the presentation because they wanted to send a warning to browsers. Since everyone says that there’s no such technology available, they’ve made these proofs of concept to show that [these controls] are beginning to be available,” he adds.

The request for technical details isn’t a whim of punctilious computer scientists. For a few months in 2020, various contact-tracing apps were discussed as a salvation for the pandemic. In the end, they came to nothing, despite the fact that behind the projects were two of the largest technology companies in the world: Apple and Google. Even then, the security gaps were considerable.

The AEPD pilot test foresees that an external entity – in this case, the Royal Mint of Spain –

will verify the age of a user and only share this piece of data with the adult content page. This would prevent the page from learning the precise identity of the user – it wouldn’t have access to their government-issued ID, for instance. The EU, meanwhile, is preparing a regulation called eIDAS2 – a single European ID and digital wallet – that has generated considerable debate among privacy experts about how much personal information is being revealed.

“The verifying authority could infer the user’s browsing history,” warns Narseo Vallina-Rodríguez, a researcher at the IMDEA Networks Institute. “There’s no completely secure software… that’s why it’s important to carry out a cautious risk analysis and demand that a full audit of these systems be allowed, so as to avoid debacles like those that occurred with contact-tracing against COVID.” In the UK, it has been established that platforms can use biometric verification – examining facial features – to determine the age of potential browsers.

The intervention of other entities – which are neither the user nor the platform – adds complexity and opportunities to bypass checks and balances. “Many solutions use third-party services that need to know the user’s identity. They could thus link it to the content they access, which is unacceptable,” emphasizes Juan Tapiador, a professor at Carlos III University of Madrid. “It’s also a [potential] solution in which many elements are involved: the device and its operating system, the age verification app or service, one or more third parties that provide identification or certification services….”

“The content that’s accessed by someone has to be flagged as inappropriate. That chain most certainly has one or several weak links where it can break,” Tapiador adds.

If age verification requires the intervention of third parties, it’s difficult to think that they would dedicate their resources without receiving anything in return, whether they’re companies or other types of organization.

“A particular concern is how much the industry is pushing this agenda, which is worth billions [of dollars] around the world,” Jakubowska points out. “They say it’s all for the safety of children, but we’re rushing towards a child-proof internet without stopping to consider whether that’s what we really want and whether we can trust those who sell these solutions. Lawmakers need to take time and consider the risks involved with age verification.”

If anyone believes that these measures won’t provoke multiple and varied user strategies in response, it’s because they don’t know much about how things develop on the internet: Tor, VPN or proxies are widespread solutions to access pages that are restricted for one reason or another. “In our research, we’ve found that all age verification methods are susceptible to being deceived or circumvented,” Jakubowska affirms.

Also, depending on the solution, it’s easy to imagine the creation of a black market for verification, or for browsers using third-party devices. “I think the first thing that will emerge is going to be a black market for certificates,” Troncoso opines.

There’s a popular rule on the internet known as “rule 34″ – if it exists, there’s a porn video of it. There are pages that are explicitly pornographic and whose limitation is easy. But what would happen to Reddit, Tumblr, or X (Twitter), which also contain porn, along with other content? Or the thousands of vague pages that hide degrading porn? Will there be a label that marks all the adult content in the world? And who will classify what’s pornographic, or what’s violent?

“Some sites – especially the less scrupulous ones – would ignore regulations and make their content available to anyone,” says Steven Murdoch, a professor at University College London. “Countries could try to block these sites, but people will find an easy way around [the restrictions].”

A modification to internet access would necessarily entail another type of network. “The idea of moving towards an internet where certain attributes must be accredited to access content generates distrust, because that same technology could be used for secondary purposes,” Tapiador says.

It’s evident that third-party verifiers could access the identities of users and share them. “It’s a digital certification system for any personality attribute,” Adsuara points out. “Age is one… the pseudonym [that someone is using], for example, is another. If a judge were investigating a crime, he could ask the trusted third party who’s behind a pseudonym.” The danger of leaks or hacks of explicit browsing data is also inevitable.

Ultimately, the experts conclude, this solution will depend on political details, rather than on technical decisions: “If you have to prove things to browse the internet, you open the door to censorship and control and totally change how we function,” Troncoso warns. For example, the definition and scope of what porn is won’t be up to the technicians. Once this ban is passed, it can be extended to other presumably harmful aspects, such as violence or hate messages. The debate then becomes broader.

“The question of who decides at what age young people can access certain content is complicated and goes far beyond [the realm of] technology,” Jakubowska says. “Young people aren’t all the same. There’s a risk that – with governments pushing for more age control – we’ll see many [websites] begin to offer services only for adults, because it’s easier than trying to comply with the requirements when they offer services to young people.”

Sign up for our weekly newsletter to get more English-language news coverage from EL PAÍS USA Edition