I'm now a Police Officer... sort of.

As you may know the Digital Economy Act 2017 has brought Age Verification into force, this will enable the age verification regulator to force websites to force their users to use a 3rd party company to verify that their users are over 18 before accessing their website.

This is not the first time the Government has passed such a law.

For the purposes of this example I’d like you to look at the Police Act 1996 and the Violent Crime Reduction Act 2006.

These laws made it illegal for people to possess or sell certain equipment (imitation firearms, Police batons, Police badges / uniforms etc), of course there are exceptions with one such exception being for the film/tv industry.

In response to these laws the industry created organisations such as the UK Film and TV Registration Scheme, this enabled film/tv companies (with the assistance of the Metropolitan Police) prove they could purchase said equipment, wear it, move it about, store it etc etc.

Why does this pertain to Age Verification? Well. If go back and visit the UK Film and TV Registration Scheme website and click on the Agencies link you’ll see an entry for this website (Reel Cops UK).

The company in question legitimately wound up in March 2018 and the website subsequently expired.

So I bought it.

With the website purchased I started receiving the email for the website; email.png

If we check the Twitter account we can see that it is possible to reset the password for the account and take over that too;

twitter.png

(There is a minor problem that we need to create email addresses to catch this email, thankfully every director’s GDPR nightmare Companies House helpfully tells us the names, date of birth and address of all directors).

So, we’ve got email up and running, the Twitter account is a button click away from our control but before we go and reset our password at the UK Film and TV Registration website we might want to recreate the website to avoid any suspicion.

Luckily the WayBack Machine shows us exactly what the website looked like when the company was trading.

Now, if one were willing to risk accusations of breaching the Computer Misuse Act and the Fraud Act 2006 (never mind the afore mentioned Police Act 1996 and Violent Crime Reduction Act 2006) we could reset our password at the UK Film and TV Registration Agency Login page, login to the account and secure our ID number.

With that ID number we could then buy a Police Badge, Marked Vests , MoE Equipment and replica guns etc etc.

wut.jpeg

Age Verification

Yes, age verification.

There has been a flurry of new companies claiming to offer Age Verification solutions to website operators. The BBFC is even going to “certify” some of them.

What is going to be done about the ones that fail? The ones that close down? The ones that rebrand and change their website address?

If all it takes is registering a domain and resetting some password for me to be able to buy replica Police uniforms, guns and equipment what do you think the impact will be if a bad actor secures the domain for a company that lots of other websites still list as an option to perform age verification against?

How many people might still be emailing that domain? How many people would respond to an email from the domain they had previously used (spammers can email millions of people for very little cost).

Has the BBFC got processes in place for this eventuality?

Does the ICO?

Time will tell.