Agcom’s rules requiring minimum age verification that apply to all sites and platforms that distribute pornographic content have been in effect since November 12. Can these controls be avoided? Although the ideal operating model is theoretical, technological measures and procedural fraud tricks exist, actual evaluation of control effectiveness will depend on material technical implementation and security testing. We talked about it with 2 experts: Giorgio Giacinto, professor at the University of Cagliari and coordinator of the SERICS Foundation 3 dedicated to “attack and defense” and Alessandro Armando, professor at the University of Genoa, director of the national cyber security laboratory CINI and Coordinator of the SERICS Speak 4 dedicated to the security of operating systems and virtualization.
Possible evasion of age control
Giorgio Giacinto describes several possible techniques to avoid restraint. «Primarily, the connection can be exploited with Virtual Private Network (VPN) services or proxy systems, which are capable of masking the origin of access requests from non-European or non-Italian countries. Age verification, in this case, may not be necessary.” In the case of using applications that identify the user, but only provide proof of age against pornographic sites, the possibility of evasion may depend on many factors: “the application is theoretically safe – explains the guru – but only accurate security tests can provide certainty about the absence of exploitable vulnerabilities in the code”. The reference refers to the potential disruption of applications that are not implemented following OWASP mobile security measures. Tampering is capable of altering the legitimate functioning of the application, resulting in disruption of authentication and configuration manipulation, which can lead to identity theft (person adults): there is a mobile Jailbreak, which actually allows direct circumvention; application-level privilege escalation to enter developer mode; But for example, without encryption in data transmission, a ‘Man-in-the-middle’ attack will allow the age attribute to be changed to ‘change’ the identity using advanced filters, confusing facial morphology and in the case of poor image/video accuracy, a few ‘touches’ on the filter will be enough to get a change in recognition.” Finally, there are procedural ways to circumvent the controls: “the involvement of an adult friend who lends his face to access the service may result in the display of prohibited content for the minor in front of the monitor”. Or «if a parent using a pornographic service with a device already configured for access, leaves his or her device unattended, a situation of evasion of control may arise for a curious minor; but here – specify guru – it also depends on how the service connection session inactivity/standby is configured”.
There is therefore some possibility of fraud, but to prevent technological fraud, it is important to establish technical controls of the code in advance, both in system design, in data flow analysis, and in protocol selection. “The true level of success of these elusive practices can only be precisely measured by specific vulnerability tests on software that implement age checks in web systems and platforms between pornographic service managers/suppliers and third-party verifiers/certifiers,” the professor emphasized. A. Armando.
Age verification model requirements
Agcom’s technical regulations provide for ‘double anonymity’, so that the person verifying the age (or authorizing it) does not need to know for which service he is providing this check or whether this check is repeated. In essence, this is a memoryless age checking process. This control is divided into a three-phase theoretical and procedural model, in two cases: an age verification system via an online browser or through the use of an application installed on the user’s device. Agcom, when contacted about this, confirmed the proposed model, was based on theoretical principles with no previous inspiring prototype and that Agcom was selected by the European Commission, within a small group of Digital Services Coordinators, to test the age verification application prototype. A prototype that, if validated, could be adopted in practice by adult service providers. Whatever the final solution each subject chooses, Agcom confirms its commitment to timely checks on dual anonymity and security.
Agcom Standard
Agcom’s regulation called the Caivano Decision introduced a ban on access to pornographic content for minors. These rules apply from November 12 to adult service providers who are required to implement age control systems, while respecting the minimum collection of personal data for this purpose and guaranteeing a level of digital security commensurate with the risks. Confirmed violations will be subject to a twenty-day warning and subsequent site/platform blocking, until the control criteria are properly implemented. The first list of subjects affected by these guidelines was published by Agcom on 31 October.
