"this is the foundation of the non-statutory, voluntary age-verification certification scheme (the Scheme)"
"Only age-verification providers that meet the requirements of the Standard…will receive certification"
What happens to the ones that don't?
In case I miss it, let me know if they've got this covered?
Bit of a difference, there.
How is that ethical of them? Do they want to put people in harm's way?
Don't get me wrong - this is the laudable ISO 27001 & BSI approach towards security, but what they _actually_ ought to be doing is the PCI DSS approach towards security.
Explanation coming up:
This is what's being proposed. It's not enough.
Such is the PCI DSS approach: "the Internet is an information security earthquake zone"
This takes time, and the @BBFC have not _got_ time, so they have attempted to bodge it:
«We can't build an earthquake-proof information security spec in time, so we'll let people build whatever they want, require them to document it fully, and then we'll go shake the buildings every so often to see if anything bad happens?…»
I AM SURE THERE ARE SOME SITES WHICH WILL PUT THEIR HANDS UP FOR IT, BUT WHY BOTHER?
WHAT'S THE WIN?
AND THEN WHAT? TO WHAT END? WOULD CRAYON BE SUFFICIENT, OR DO WE NEED VISIO? WHO NEEDS THEM? HOW FAST?
…ok, so how will the "fraud prevention and detection" stuff work? I believe this LITERALLY negates the point of AV.
There are no standard pseudonymisation techniques; where deployed, pseudonymisation must be tuned to the information available in each environment.
"Age-verification providers shall only share the result of an age-verification check (pass or fail) with the requesting website."
But should say:
"…shall only share, AND SHARE ONLY the result of an age-verification check…with the requesting website."
"Secure programming guides from industry recognised sources shall be utilised for each coding language in use and applied to any information system implementation efforts."
Utilised and applied how? And to what extent? With what exceptions?
"Age-verification providers shall protect requests, responses and / or transactions that pass over the internet from interception, manipulation, alteration, re-use and unauthorised disclosure."
Disclosure? Like in a public ledger?
"Only industry standard pseudonymisation techniques…shall be implemented" - but will they be an effective choice for the specific deployment?
Or, at least, it would be smart if it weren't voluntary.
§8.7.4 "[AV] providers and third parties who can impact, or who are responsible for maintaining, security and privacy controls shall clearly document each party’s responsibility in implementing and maintaining the relevant controls of this Standard."
And then what?
We would all be secure. 🤦‍♂️
No GIF on this one.
This is too terrible; but there's more:
How long are "non-critical risks" given to be fixed, then?
It's better than #PAS1296, but it's still not fit for purpose.
>Roles and responsibilities associated with information security, data protection and operational activities shall be clearly defined and documented by zombies.
This is a good technique for identifying some of the weaknesses.