Cybersecurity

Does blocking porn sites for minors work? Here is the opinion of cybersecurity experts

by Alessia Valentini

Translated by AI

The Agcom rule requiring minimum age verification for all sites and platforms disseminating pornographic content has been in force since 12 November. Can the control be circumvented? The ideal operating model is still theoretical, and there are both technological expedients and procedural tricks for deceiving it, but an actual assessment of the effectiveness of the controls will depend on the concrete technical implementation and on security tests. We spoke about this with two experts: Giorgio Giacinto, professor at the University of Cagliari and coordinator of SERICS Foundation Spoke 3, dedicated to 'attack and defence', and Alessandro Armando, professor at the University of Genoa, director of the CINI national cybersecurity laboratory and coordinator of SERICS Spoke 4, dedicated to the security of operating systems and virtualisation.

The possible circumventions of age control

Giorgio Giacinto describes some of the possible techniques for deceiving the controls. "Primarily, one can exploit connections with Virtual Private Network (VPN) services or proxy systems, capable of disguising the origin of the access request as a non-European or non-Italian country. Age verification, in these cases, may not be required."

In the case of an app that identifies the user but issues only a proof of age to the pornographic site, possible circumvention may depend on many factors: "an app is theoretically safe," the professor clarifies, "but only accurate security tests can give certainty about the absence of exploitable vulnerabilities in the code." The reference is to potential tampering with apps that are not built following OWASP's mobile security measures: tampering capable of altering the lawful operation of the app, resulting in broken authentication and configuration manipulation, which can lead to the theft of an adult's identity. There is the mobile jailbreak, which would allow the check to be circumvented directly, and escalation of privileges at the app level to access developer mode. And, for example, without encryption in data transmissions, a 'man-in-the-middle' attack would allow the age attribute to be altered.

If, on the other hand, age verification were to take place by means of a camera image, the lecturer notes that "modern AI engines can 'morph' identities by means of advanced filters, mystifying facial morphology, and in the case of poor image/video accuracy, a few filter 'tweaks' would be enough to achieve altered recognition".

Lastly, there are procedural ways of circumventing the controls: "the complicity of an adult friend who lends his or her face to access the service can result in the viewing of forbidden content for the minor who is in front of the monitor". Or "if a parent who makes use of pornographic services on a device already configured for access leaves that device unattended, a situation of circumvention of the controls could arise for a curious minor; but here," the lecturer points out, "it also depends on how the inactivity/standby of the connection session to the service is configured".

Thus, there are several possible deceptions, but to prevent the technological ones it is essential to establish technical checks on the code in advance, covering system design, data flow analysis and the choice of protocols. "The actual success rate of these elusive practices can only be accurately measured with specific vulnerability tests on the software that implements the age checks in web systems and platforms between the operators/providers of pornographic services and the third party verifiers/certifiers," confirms Prof. A. Armando.

Requirements of the age verification model

Agcom's technical rules provide for 'double anonymity', whereby the party verifying (or certifying) age does not know for which service the check is being carried out or whether such checks are repeated. In essence, it is an age-checking process without memory. The check is structured as a three-stage theoretical and procedural model covering two cases: age verification via an online browser, or through applications installed on the user's device. Agcom, consulted on the matter, confirmed that the proposed model is based on a theoretical principle, with no prior prototype to draw on, and that it was chosen by the European Commission, as part of a restricted group of Digital Services Coordinators, to test a prototype age verification app. If validated, that prototype could be adopted in practice by adult service providers. Whatever solution each provider ultimately chooses, Agcom confirms its commitment to timely verification of double anonymity and security.

The Agcom Standard

The Agcom regulation under the so-called Caivano Decree introduced a ban on access to pornographic content for minors. The regulation applies from 12 November to adult service providers, who are required to implement age control systems while keeping the collection of personal data to the minimum needed for this purpose and guaranteeing digital security levels appropriate to the risks. An ascertained violation leads to a warning for twenty days and then to the blocking of the site/platform until the control criterion is correctly implemented. An initial list of subjects affected by the guidelines was published by Agcom on 31 October.
