The Australian government has proposed using facial recognition to verify the age of people wanting to access pornography online.
Unlike in the U.S., Australian law actually doesn’t prohibit minors from visiting adult sites, so the facial-recognition measure would be part of changing this policy. Much like the UK’s “porn pass” system, which was quickly shelved amidst mounting pressure from privacy groups, strong age verification would be required of the user requesting access to view pornography – in this case, via a facial scan.
Ray Walsh, digital privacy advocate at ProPrivacy, noted that this is a situation where both cybersecurity and privacy concerns are at play.
“The kind of database this proposal would create is really quite terrifying, considering the Australian authorities’ track record when it comes to securing sensitive consumer data,” he said via email. “We have already seen breaches occur at agencies such as the Australian Federal Police, the Department of Immigration and Border Protection and the Australian Bureau of Statistics – proving that Australia’s government is ill-equipped to secure citizen’s data.”
And, the human ramifications of a hack or other breach could be significant.
“I can imagine a potential scenario akin to 2015’s Ashley Madison breach, which resulted in the user data for the extramarital affairs website being leaked to the public,” Harrison Van Riper, strategy and research analyst at Digital Shadows, told Threatpost. “Reactions from embarrassed users varied, though some resulted to taking their own lives due to the knowledge of their online activity being broadcast.”
Lecio de Paula Jr., data privacy director at KnowBe4, pointed out that the devil is in the details; the proposal doesn’t say whether the facial recognition will be implemented in accordance to data privacy best practices.
“Any proposal such as this one brings up a lot of questions,” he told Threatpost. “What type of AI model will be used? What data will be stored on potential minors, if any (think location data)? Will they then place a tracking cookie and have the ability to begin profiling minors who attempt to enter these sites? Who will have access to the data?”
Also, he noted that a key tenant of data privacy is to see if there are other less intrusive privacy methods to solve a problem; in this case, to verify someone’s age upon entering the site.
“Seeing that facial recognition is still relatively unreliable and there are other methods to verify age, privacy advocate groups are right in determining that there is no reason this should be implemented anytime in the near future,” he said.
Van Riper also pointed out that cybercriminals making off with biometric data is a concern.
“The controls around this data must be substantial to operate in the space of adult content and websites which frequently host malware or other malicious intent which could harvest not only user credentials but could be used to gather biometric data as well in this situation,” he said. “Compared to biometrics, such as a face or fingerprint, credentials are an easy thing to change if they are exposed publicly. However, your biometrics are yours for life.”
What are the top mistakes leading to data breaches at modern enterprises? Find out: Join experts from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free Threatpost webinar, “Trends in Fortune 1000 Breach Exposure.” Click here to register.
