Can Pornhub hold the moral high ground using device-based age verification?


Pornhub has decided to use device-based verification to make sure kids can't access porn. Great, but the law of unintended consequences may open doors for cybercriminals and underage kids alike.

Aylo, the parent company behind Pornhub and several other adult-only platforms, states that "device-based age verification can make the internet a safer space for everyone when it is done right."

Aylo states, "We support laws that protect children from age-inappropriate material online and preserve the privacy of adults without introducing unintended consequences."

The problem is that unintended consequences are all too common in the world of security. One of the most important lessons I have learned from a career in cybersecurity and digital identity is that all you can hope for is minimizing the risk of an unwanted event.

However, to add a positive note to this doomsday-esque statement, risk mitigation is something the security industry is pretty good at these days. The identity industry, however, needs to catch up.

With that in mind, let’s look at device-based age verification used by Pornhub and any security implications this measure may have.


What does Pornhub mean by device verification, and how does it work?

Aylo defines device-based age verification as “any approach to age verification where the personal information that is used to verify the user’s age is either shared in-person at an authorized retailer, inputted locally into the user’s device, or stored on a network controlled by the device manufacturer or the supplier of the device’s operating system.”

The deliberate use of the phrase “device’s operating system” is important to Aylo. The company is working to create a secure and privacy-enhanced service based on a user’s mobile device.

Device-based verification is an alternative to verification that occurs on the platform.

Aylo is keen to point out that the device-based version is privacy-respectful. Notably, age verification is also distinct from age estimation, which uses facial recognition to estimate an individual's age rather than obtaining a verified one.

In the case of Aylo and Pornhub, the company states that it has begun working with the Louisiana government-approved digital wallet, LA Wallet. The wallet holds a digital driver's license. The process to access Pornhub goes something like this:

  • Individual attempts to access Pornhub.
  • Pornhub generates a code and displays this to the individual.
  • The person opens their LA Wallet and taps a button that opens a code-entry screen.
  • The individual then gets asked to confirm if they wish to share information held in the wallet, e.g., “I am over 18.”
  • If the individual is shown to be over 18, they are allowed into Pornhub.

The exchange also confirms to the user who is requesting the data, using secure two-way sharing.

The LA Wallet website doesn't reveal the protocols used to handle data sharing, but it likely uses OpenID Connect CIBA (Client Initiated Backchannel Authentication) as profiled by the OpenID Foundation's MODRNA working group, a secure protocol. However, security is about more than protocols.

Pornhub ban map (image, by Cybernews)

Security issues in device-based verification at Pornhub

As with any technological approach, there are pros and cons.

Device-based age verification is a perfect mix of ease of use and inherent security issues. Aylo seems determined to “do the right thing” when it comes to protecting kids from illicit content, but does it actually stop kids from seeing porn?

Device-based age verification is a barrier, but barriers can be crossed. Like all security measures, there are ways around it, some easier than others. Here are a few for starters:

High-tech security workarounds

Deepfakes

Deepfake technology is widely available and used to generate fake identity documents.

You may argue, what kid is savvy enough to create a deepfaked driver's license? Well, it's only $15 to get one, so why not?

This deepfake technology creates believable documents: Thomson Reuters found that 95% of synthetic identities presented during KYC checks go undetected.

Fake Pornhub and phishing/sextortion

Faked Pornhub sites could open a potential security hole in Aylo’s attempt to secure Pornhub access using device-based age verification. Individual accounts are potentially at risk from hacking via a fake Pornhub site.

I asked a security architect about the feasibility of this attack, and he said it was not easy but was a potential security gap that Pornhub should address. The attack would go something like this:

  • An attacker could set up a fake Pornhub website, then use various phishing techniques to trick people into visiting the site.
  • The attacker would then use the fake Pornhub site to access the real Pornhub service and request a code (this part is not as complicated as it sounds; after all, Pornhub depends on people requesting codes for access).
  • The victim would be shown the real code on the fake Pornhub site.
  • The victim would then use their digital wallet, enter the code, and go through the process to share their data with the fake Pornhub site. This data, e.g., “I am over 18,” would be used by the attacker to access the individual’s Pornhub account.
  • Account takeover would then occur. The result could be sextortion as well as identity theft.
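Both the consent flow described earlier and the relay scenario just listed hinge on what the wallet binds a displayed code to. The following is an added example, not LA Wallet's, Aylo's or Pornhub's code: a hypothetical wallet back end in which codes are short-lived, single-use, bound to a registered requesting party whose name is shown before consent, and release only the one claim to the party that asked. The client registry, the 120-second lifetime and all names are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional
CODE_TTL_SECONDS = 120  # constructed value: a relayed code stays usable only briefly
# Constructed registry of relying parties the hypothetical wallet service answers for.
REGISTERED_CLIENTS = {"rp-adult-site": "Adult Site (adult-site.example)"}

@dataclass
class PendingRequest:
    client_id: str  # the relying party that asked for this code
    issued_at: float
    result: Optional[dict] = None  # set once the user has consented (code consumed)

class WalletService:
    """Hypothetical wallet back end modelling the code-and-consent exchange."""
    def __init__(self) -> None:
        self.pending: dict = {}

    def issue_code(self, client_id: str, now: Optional[float] = None) -> str:
        """Step 2: a registered relying party asks for a code to display."""
        if client_id not in REGISTERED_CLIENTS:
            raise PermissionError("unknown relying party")
        code = f"{secrets.randbelow(10**8):08d}"
        self.pending[code] = PendingRequest(client_id, now or time.time())
        return code

    def _live(self, code: str, now: Optional[float]) -> Optional[PendingRequest]:
        req = self.pending.get(code)
        expired = req and (now or time.time()) - req.issued_at > CODE_TTL_SECONDS
        return None if req is None or req.result is not None or expired else req

    def describe_code(self, code: str, now: Optional[float] = None) -> Optional[str]:
        """Steps 3-4: before consenting, the user is shown who is asking."""
        req = self._live(code, now)
        return REGISTERED_CLIENTS[req.client_id] if req else None

    def approve(self, code: str, over_18: bool, now: Optional[float] = None) -> bool:
        """Step 4: consent consumes the code and releases only the one claim."""
        req = self._live(code, now)
        if req is None:
            return False
        req.result = {"over_18": over_18}
        return True

    def fetch_result(self, client_id: str, code: str) -> Optional[dict]:
        """Step 5: only the relying party that issued the request can collect it."""
        req = self.pending.get(code)
        return req.result if req and req.client_id == client_id else None
```

These controls shrink the window in which a relayed code is useful and keep the released data minimal, but they cannot by themselves tell a code relayed through a fake site from one displayed legitimately, which is the gap the scenario above describes.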

It is also worth noting that Louisiana’s database has recently been hacked. So, it’s only a matter of time before a variety of LA Wallets are created using stolen driver’s license details.

The low-tech workaround

Sophisticated hacks are not the only way the Pornhub protection can be circumvented.

Good old-fashioned tactics like asking an older friend or family member to share their device will give under-18s access to Pornhub.

It’s a simple security workaround but one that has stood the test of time.

Age verification checks, standards, and Pornhub

In the meantime, as part of a rebellion against states mandating more sophisticated age checks, Pornhub has blocked individuals in those areas from accessing its content.

The laws in these states require that individuals prove their age by submitting ID documents, such as driver's licenses, directly to the web service. To be fair to Aylo, this is a risky practice and places an onus on the service to protect sensitive identifying data.

Aylo argues that keeping the age data on the user's device is more secure. In terms of privacy, it has a case.

Nonetheless, in terms of proving the age of an individual or the security of the process, as shown above, device-based age verification is not some golden security chalice.

The law of unintended consequences

Security and the trust instilled when designing secure systems are rarely straightforward.

Take Google's 2014 push to enforce HTTPS, with sites that failed to comply suffering poor search rankings. Web developers duly followed Google's security remit. The number of digital certificates issued soared, and companies worldwide ensured they could display a padlock next to their secure website.

However, the law of unintended consequences kicked in. HTTPS did not simply make the internet more secure for users: cybercriminals ensured their fake sites used HTTPS too.

Research from OpenText found that in 2023, the number of phishing sites using HTTPS increased to over 49%, a rise of nearly 56% on 2021 figures.

The “if this, then unexpected that” effect is now impacting the safety of kids online.

Aylo claims that legislators in many US states have gotten it wrong when it comes to checking customers' ages.

It also claims that the consequences of hasty, ill-prepared legislation have resulted in people choosing noncompliant adult sites that don't do age verification checks. These sites, Aylo warns, are also likely to commit privacy violations.

Age verification is a thorny subject, and there is no simple answer to making the process secure, effective, or privacy-enhanced.

In Europe, the EU Commission is concerned enough to send out a request for information on illegal content and protection of minors to Pornhub and others under the Digital Services Act (DSA).

The Commission requests detailed information on the effectiveness of the measures for assessing and mitigating the risks related to the protection of minors, including age assurance measures.

It will be of global interest to see the outcome of the Commission's request.