Profile picture
Alec Muffett @AlecMuffett
, 27 tweets, 17 min read Read on Twitter
THREAD: QUESTION FOR ALL SECURITY PEOPLE — in this day and age, would you buy a single-vendor IT security solution which advertised itself as "the gold standard" for data security protection?

Would you give that claim any credence whatsoever?
The infosec world has a long-established term for such glib claims: "Snake Oil" - this terminology goes back to the 1990s or earlier, for vendors who were selling sub-par cryptography as "military-grade" or other supposed but meaningless description…
Particularly telling for "Snake Oil" are the words and phrases that are used to describe the security solution, process, or tool, its development, mechanism, or vendor:

* "Trust Us, We Know What We're Doing"
* "Unbreakability"
* "Military Grade"…
Why is this relevant? Because this is EXACTLY what Lord Ashton of Hyde, on behalf of HM Government, has pitched to the House of Lords, as the mechanism for protection of #AgeVerification processes and (impt) metadata:…
Let's spell this out: the UK Government, in pursuit of rapidly enabling the @BBFC to get stuck into #AgeVerification (AV), are resorting to snake-oil salesmanship in order to sidestep their egregious irresponsibility in not addressing data protection during the development of AV.
These are the notes from the Lords' discussions earlier this week; there is much to criticise (even somewhat the noble lord, Lord Paddick, who made the least-bad of the contributions) - but especially this, from Lord Ashton of Hyde:…
What this refers to is that the #AgeVerification regulator — the British Board of Film Classification — have acknowledged that they "know porn when they see it" but also that they are entirely clueless about information security… so they've brought a consultancy in. In private.
The @OpenRightsGroup have been pursuing this matter for two years now, that the mandated deployment of #AgeVerification ("it's voluntary, but in an involuntary kind of way") will bring about @ashleymadison-type data breaches of metadata…
This is not a trivial matter: breaches of matters concerning the sex life or sexual orientation of ordinary people — let alone celebrities — can and have led to relationship breakup, even suicide.…
And how do such breaches occur? Because of simple security errors — stuff like: bad access management, bad operational security, leaks of metadata, excessive/permanent logging of metadata, not installing patches.

In short: "Good Housekeeping".…
But if you read the discussion relating to "data protection" and #AgeVerification, you'll see — somewhat understandably — some misdirection. Most of the discussion of AV Data Protection is focused upon the MEANS of Age Verification. Little is about "what happens after":
Thus we see #AgeVerification vendors who pitch themselves as "secure and anonymous" because they use (e.g.) a #blockchain as part of their AV process. That sounds sexy &cool, but it does not mean that the backend database instance is not directly connected to the internet:
Aside: That MongoDB, incidentally, is run by the @BBFC and was discovered by Gareth Llewellyn at Ablative Hosting; tweet below. I wonder if its presence on the internet is in line with a "gold standard" on security? (ans: probably not)
So: where we are is that the @BBFC have recognised that there is a potential suicide risk over leaks of private data held by #AgeVerification providers, and have brought in private consultants to develop a "security standard" which will be "voluntary" for AV Providers to adopt.
I wrote an entire essay[1] about the risk, earlier this week, but here's the punchline:

* We need public input into the #AgeVerification Data Protection Standard

* We need it to be mandatory

The Government & the @BBFC hate the idea of "mandatory" security requirements for protection of #AgeVerification data, because they cannot enforce mandatory data protection regimes cross-borders (e.g.: the USA) and see mandatory security as an impediment to the adoption of AV.
But (per above) if you accept that #AgeVerification metadata — that you repeatedly/weekly/daily age-verify to a gay-porn site, for instance — IF that is data which "concerns a person's sex life or sexual orientation"— then it is even called-out for special treatment in the DPA:
Civil Society have spent YEARS trying to get solid protection for metadata; all of the regulators (notably @ICOnews / the Information Commissioner) have made reams of regulation about it, including #GDPR
…but it seems that if you throw a blockchain or app on the front of it, and say "we're protecting children" then everyone stops caring & you can do whatever you like with zero consideration from Government… until the last minute, until organisations like @OpenRightsGroup object
And it's hard to object when you are arguing with people who genuinely are trying to do what they think is the right thing for kids … but who have no clue about how technology works, or else are being lobbied by startups who see opportunities for regulatory capture:
Because don't be fooled: on the surface this is all about protecting children, but just underneath this is all about making huge amounts of money with the whip hand of Government backing you up. It's protecting children in one sense, and it's a protection racket in another.
Aside: If you're interested in a long read on how the whole edifice of #AgeVerification can go wrong, here's an article from about 2 years ago, of which only the details of some of the actors & front-end technologies have significantly changed:…
Conclusion: #AgeVerification data and metadata is too valuable to be left protected by a (snake-oil) "gold standard" which is developed in-private and then thrown over the wall to industry, which then MAY adopt it on a voluntary basis.
Apart from any other reason: with #AgeVerification data breaches, the *general public* carry the burden of risk; yes the GDPR means that fines can be levied upon companies which fail to protect… but once the information leaks, it's gone ("outed"?) forever.
Again, there is precedent for the impossibility of putting sexual data back into the data protection bottle: the Moseley case; the fact that there's a Wikipedia page at all, is an exemplar:…
The @OpenRightsGroup has been leading this matter, raising these concerns for 2 years now. The nearest anyone has gotten to *actually* addressing the risk is the @BBFC getting some big-name consultancy in, which will not suffice as above. The people who will lose, are the public.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Alec Muffett
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!