Your secret identity is safe with me Carlos the Jackal...I mean Mr Philip Holland!

Going to be a no from me too. It's a bit sad as I've been around in some form or another in the internet messy scene since well before the UMD existed. I wonder if this will finally be the thing that moves UMD over from the central (and in some ways only), game in town for messy fetish stuff to other forums that don't revolve quite so much around production and sales, which because of the necessity of the credit card processors led to some of the more confusing rules here over the last few years. That wouldn't be a bad thing, afaic.

I love that the people trying to sell us on how safe this is focus on how UMD never gets your ID information. The age verification service knows your real life credentials and knows you asked to be verified on UMD. Having that information in one place is a liability. The argument that they'll be careful and won't get hacked is wishful thinking. Banks are careful and get hacked. Health insurance companies are careful and get hacked. Governments are careful and get hacked. The only sensible option is to not hand over pictures of yourself and scans of your government ID to some company.

Just use a VPN y'all.

I don't think any UMD user is trying to "frame" this as anything other than annoying. You were asking how this will stop children accessing the site and a couple of people have tried answering.

No one asked for this, and yes it's bullshit, but it's the law. Maybe it won't stop children viewing the site, it obviously won't stop paedophile priests, but it's something this site needs to have to operate in the UK. That's something I very much want to continue.

What would you rather? MM breaks the law or disregards over half of this site's user base just because you don't like the idea behind this law?

That is a good question, I'll flag your post for MM's attention so he can give a difinitive answer.

But I suspect it'll most likely be because the new laws require that everyone granted access to R and X material must have been age-verified by the new systems, with no exceptions for "had my account more than 18 years".

Out of curiosity I had ChatGPT analyse the requirements of the UK's Online Safety Act in this regard, and it states based on the actual legislation and Ofcom's documentation of it, that no, an account having existed for more than 18, 20, or 25 years does not comply with the act's requirements, anyone who can access adult material must be proved over-18 by one of the approved methods. I'm not going to post the whole chat as it's long - I first had the AI familiarise itself wih the Act and it's requirements related to adult content access, and then asked it the specific question about account ages (this is how you get the best from an AI, first "put it in the mindset" so it already has a non-biased view of the thing you're researching, and then ask the question). But it's summary was:


Note the OSA uses "age assurance" rather than "age verification" to refer to the new systems, as they are intended to assure that all accessing users are proved to be over-age.

I'd guess the various US and other country laws probably have similar requirements.

True, that was just meant as a quick look - proper detail would need to check everything required by all the individual US state ones at least (UMD being based in the US). But the Ofcom guidance (as the UK regulator charged with enforcing it) appears to rule out anything that doesn't include a "robust and dependable check" that positively identifies the current users as over 18. Given the anonymous nature of UMD accounts, I suspect account age would fail on that measure.

https://www.ofcom.org.uk/online-safety/illegal-and-harmful-content/age-assurance

But taking a wider view, this has all been inevitable for years, the original UK push was the result of a Daily Mail campaign way back when David Cameron was PM. The first attempts crashed and burned in Parliament but it was clear even then it was just a matter of time. The world is changing, fast. And as for privacy on line, that ship sailed years ago and isn't coming back.

Yes, but if UMD doesn't comply with the UK requirements then ultimately it gets blocked in the UK. Those of us tech-savvy will fairly easily get round that but lots of people won't, and the UK is fully a third of the global WAM marketplace, so losing UK access would have a big impact.

Then there are all the individual US state laws, which are all different - I'm sure MM will have looked into all of this in great detail.

And before everyone says "but VPNs" bear in mind there are politicians who want to extend proof of age requirements to VPN services. So that isn't a magic bullet, at best it buys a few years. They went after porn first because that's an easy target, very few if any people are going to stand up in public and defend the porn industry. But this is the begining, not the end. Gambling is probably next, and after that, who knows.

And just to be clear, I hate all of this and don't think it'll solve the "problem". But I'm also realistic enough to realise that opposing it is pointless, it's coming, whether we like it or not. MM is trying to do the best he can to implement what's legally needed without exposing a single byte more data than is required to make it compliant. And the privacy ship sailed long ago, so personally I'd no objection to verifying, given the number of companies and government agencies worldwide that already have my details from years of on-line purchases and international travel, one more makes no realistic difference. And now I can use Yoti to verify I'm over-18 on all other sites that accept it, without needing to do the ID check again, just the account on my phone is enough.

The part that's missing is what Yoti (or other age verification service) then does with the data once the age verification confirmation has been passed to UMD. From what I can gather from their terms and conditions (which I found to be opaque, so I could be wrong), the data is retained indefinitely. This is likely to be a prime target for hackers and I also cannot understand how this would be compliant with GDPR which requires data to be retained for only as long as is necessary. It is not even clear whether personal data could be retained after an account has been deleted, which makes it even worse.

In the past 12 months I have been the victim of data breaches at four different organisations: three blue chip companies (two well-known retailers and a premium car brand) and a trade union. The latter included leaking two types of special category data that potentially puts my personal safety at risk and the former resulted in me having to change my personal bank account and all my credit cards, involving significant inconvenience. Yet, it seems, I cannot sue any of these organisations unless there has been actual financial loss or a catastrophic level of psychological harm. All of these data breaches have occurred at well-known organisations that should have known better, yet now I'm expected to supply my personal data to age verification companies I've never heard of and have somewhat mixed reviews.

Quick response: As I said, I flagged this to MM, and he's said he'll reply to everyone's points in a few days (he's letting questions accumulate so can answer them all in one go), but also said I can share this bit: This is because a site's internal dating of user profiles means absolutely nothing to the law--site operator could just fudge that and lie. If things go wrong, the site will need to prove that the user was verified through an outside 3rd party service that has some systemic ability to actually check ID.

TBH I should have thought of that myself, but basically anyone with database access (here, that's MM, on a bigger site, anyone with root access to the SQL server) can just type "update users set date_signup='1895-10-31' where username='MasterSplosher23'" and all of a sudden our theoretical user signed up in the 19th century and is now at least 140 years old, even though in fact they joined yesterday on their 18th birthday. So basically that data has no legal standing, and neither does the user number as that could also be reset or changed to one from a long-deleted user if an operator wanted to do so. Hence why everyone, even those of us here since the start, have to age-verify.

This site is hosted in the states and should not be bound by UK Law. I am interested in how the UK would prevent the UMD from operating. How would the UK do anything about the site without MM agreeing to. The UK just like the US have no means to prevent its citizens from accessing this site. There is no governance in place for this.

Read the thread again, starting at the top with MM's big post and going down, paying particular attention to DungeonMasterOne's replies. If your questions haven't been answered, maybe you could could Google them?

If you're in a jurisdiction that doesn't require age verification then you don't need to do anything.

This entire site is MM's own personal work. No dev team, no managers. It's literally one of the very last of the independents from the days when anyone with a good idea and some coding skills could build and run their own Internet business and website. It's a truly amazing piece of work, and yes, all one person's doing.


You're talking about huge corporate environments with large teams of developers and DBAs and sysadmins. This place isn't like that. It's one man's lifetimes work.


Very simple. Ofcom orders all UK ISPs to block their users from accessing the site. Said ISPs block the domain and null-route the IP address(es). Any ISP that refuses to comply is breaking the law, and can be prosecuted.


It doesn't require governance, it just requires technical measures - the same ones that are already deployed by ISPs on behalf of the Internet Watch Foundation to block access to known CSAM material anywhere in the world from being accessed in the UK.

Hay DM 1 what do you know about the laws in Canada? Any yes this can all be avoided by using a VPN set to a country with no laws, can't be 100% sure but should work.

Phil

It's very clear that not everyone is as defeatist as you are. Plenty of people are not willing to roll over to the whims of big tech, especially when it is as risky as this. Just because you've given up doesn't mean this is inevitable. The metaverse was "inevitable" but nobody ever used it.

I have used Proton VPN for 5 plus years, it works well, throughput is good, so very little overhead and you can set it to any country/location of your choice. I use it on Linux, but is just as good on Windows 10 and OSX

Phil

Hey again! I'm happy that this thread didn't fall apart People mostly seem to understand the reasons why we have to do age verification, though we're all completely justified to be cynical about their effectiveness or the motives behind them. The concerns about hacking and irresponsible data handling are extremely valid, but new regulations are coming at us from every angle worldwide and noncompliance can mean getting fined, shut down, or blocked right at the ISP level.

We all need to get better at writing our representatives and showing up to vote for more sensible laws, but meanwhile these laws do have teeth as explained by DM1 and others. We can't ignore them just because we disagree with them, and throwing our hands up in despair doesn't accomplish much. It makes sense to focus our energy on what we can actually do to stay legal while maintaining as much independence as possible.

Based on recent questions and comments I've been getting, I've been updating our User Verification FAQ. Here is some of the info I've added:


Having an older account at this site unfortunately cannot exclude you from the age verification requirement. That's because a site's internal record of the user's signup date or account age has no legal bearing; The site must be able to prove that it got the confirmation from a separate age verification service that has the ability to check photo ID.


Having made a purchase on our stores using a credit card doesn't qualify as age verification. Intuitive as that might be, governments at large only recognize photo ID as valid proof of age. Also, billing companies are set up to process sales, not to function as age verification systems or to explicitly communicate age status via API.


Age verification is not identify verification, so it is not used try to determine a person's actual identity beyond proving they are of legal age, which is all the law requires. For this reason, we can rely on the verification service's determination that the visitor is of age without us needing to know any of their personal information.


You can use Veriff with just a computer or an older cell phone, just as long as you have a way to snap a photo of your ID and your face.


I'll stay agnostic about how people connect to the site, as compliance is based on point of access, not intent. But I do need to be careful about hosting guidance right on this site about how to bypass your local laws. So going forward, please don't make posts explaining how to use a VPN in the context of getting around age verification blocks.

About the level of blocking: I have published a list of countries and U.S. states that require age verification, but I didn't publish which would get partial blocking vs. full blocking. The laws on this are so vague that for now I'm only going to implement partial/granular blocking where any blocking is required. I will turn on full-page blocking for an area if I become aware of a law that makes it clear that it's required there. For now, nobody will experience full-page blocking.

I appreciate the folks who are truly helping to bring more signal to the noise instead of just FUD. Navigating through this stuff isn't acquiescence or defeatist, and it's not "rolling over." We will resist in every way that we can while staying legal in every way required.

so each of our pics now needs to be marked R, or X? thats gonna be tough to get through each pic, what happens if not marked, does the album rating take precedent or will the website delete pics if not marked?
is it ok to just mark X rated on each pic that is obvioulsy X rated?

do i need to reg my age separate from being verified if living in CA?

Some excellent questions here


If you have a ton of pics that need to be gone through, let me know and I can help. I can go through them myself and help mark them manually, and I have some other tricks up my sleeve too.


I actually neglected to mention that if the gallery or forum pics aren't labeled, they'll infer their labels from the album or post. So if the nature of the pics matches the album or forum's labeling, there would be no need to mark the images individually. I'll try to be more clear about that that for now on.

I should also clarify that instead of saying "tags" I'm using "labels" to refer to things such as gender, explicit, synthetic, and off-topic.


Yes. The x-rated tag is for any masturbation, sex, oral, etc.


No. For now, California isn't a state that is requiring age verification.

Thank you for your long responses and updates to the FAQ MM. I also understand the need to stay neutral with the VPN talk as things evolve with the folks pushing this legislation, there is a chance that taking an opinion on it will get you in trouble.

For folks who are not tech savvy there are a lot of YouTube content creators out there that cover a lot of IT related topics that have come up on this site from time to time, things like latency connecting to the site. Some of those content creators are sponsored by companies that you might get benefit from. I would look for content creators that have over 100k followers and at least 80% of that in views on their videos before trusting their advice.

This. As numerous people have already mentioned, the best data security in the world doesn't seem to have stopped hackers from successfully breaching it and stealing data. The added incentive of being able to blackmail millions of people will surely make these services the number one target for hackers. And unlike a bank or car company, you can bet people would be far more reluctant to take action because it might 'out' them.

Whilst it seems hard to defend stopping minors from seeing p0rn and violence, you might want to consider that these laws also result in the blanket blocking of non-sexual webpages because they are deemed related to such things, for example to offer advice and counselling to questioning LGBT and other vulnerable young people.

Something that doesn't seem to get talked about it who owns and controls the data verification companies and what happens when inevitably they get sold or taken over. Also I can't believe that some of them aren't owned by big tech or finance and lobbied governments to enact this legislation in the first place for profit. If the AV services used on this site are free for us to use, what is their business model? Are the site owners paying them? Government? Are there loopholes which allow them to sell our data?

Lex iniusta non est lex.

I understand this is about just following the law, etc. I don't have age verification laws in my state, but if I did or when, I'm not giving them scans. Not to get too political, but everything this government has done last year has been with the intention to scam. If anyone doesn't see that at this point, I feel sorry for you. This will eventually be used for blackmail or classification with upcoming authoritarian laws.

To be clear, I am not saying the people who are comfortable with taking this risk are defeatist or are rolling over.
I'm saying DM1, who has done nothing but misrepresent the worries of others and post misinformation to make it seem like there's no risk at all, is rolling over to big tech. (This is also a really bad look for a moderator, imho). His insistence that "this ship sailed years ago" and this has "been inevitable for years" is defeatist, and echoes his many attempts to justify using genAI in his content.

If someone is comfortable having their real identity tied to UMD, that's great! But I know we're not all at that point, and it really sucks to be treated as problematic for having legitimate concerns about this.

I think you're reading too much into his replies. A man's allowed an opinion that differs from yours, and if his replies don't alleviate your concerns, that doesn't mean he's trying to misrepresent them. If your concerns are founded on a misunderstanding of the facts, he's not wrong to try to correct that misunderstanding.

Your real identity, or at least that of whoever pays your broadband bill, is already tied to UMD. The cops can already get a court order to go to your ISP and see your browsing history.

ID verification does require uploading your ID, so everyone understands that there is a risk of a data breach. If that data gets leaked, then personally I'm not too worried that "man looks at porn" could be used to blackmail me, but that's just my privilege, I guess.

The one thing everyone seems to agree on is that no one asked for this and it's a pain in the arse.

We either have ID verification or don't have UMD in the UK. Which would you prefer?

That is the thing. If the company gets compromised and the data stolen, your ID is out there and its ties to any website associated with that ID are right there. No logs to dig through etc. If the company chooses to give the information to the government that is a different story. I can tell you that a lot of ISP's do not keep records going back very far of your browsing history. To get that, the government needs probable cause and a warrant.

I think that the concern about any company being compromised is a very real concern. Almost all of the compromises that have happened are human caused. Most times a human clicks a link or gets social engineered etc and that gets the hackers in. I have no reason to trust any of these companies to keep that information safe. For me, there is no picture of me on the internet that is tied to any identifiable information.

I haven't misrepresented anyone. And I fail to see what big tech has to do with it, they dislike having to comply with extra laws just as much as any of the rest of us do. You're also mixing things up:

The ship that sailed years ago is the idea of there being any privacy on-line. Anyone who doesn't think that the American NSA, UK's GCHQ, Russian FSB and SVR, China's SSF, and indeed every other major government spy agency in the world, doesn't already have full details of all their on-line activities going back years, is deluding themselves. Using encerypted connections might slow them down a little, but the bare fact is, there is no privacy on-line. Trying to pretend thers is, is kidding yourself. This has been the reality for at least the last 20 years. Mostly it doesn't matter because they don't care. Joe Bloggs from Little Piddling Upon The Marsh is into some fully legal fetish activities - no big deal. And those places are mostly secure so there's little risk of the data they hold leaking. But they do store it, and will eventually process it, most liklely using AI.

On the other hand the thing that was inevitable was UK government attempting to regulate on-line porn - that's more recent. The first serious moves came from Cameron's government after the 2015 election, in response to a Daily Mail "think of the children!" campaign. The early attempts crashed and burned for various reasons. But it was inevitable that eventually something would pass and laws would change. And of course other governments did similar things, which is why we are where we are now.


That is bullshit.

I have never used any form of AI in my content. Other than editing clips together and cutting out anywhere my voice is on the soundtrack, I do zero post-processing, if you buy one of my scenes what you get is what the camera saw, nothing more, nothing less. I do not use any form of AI, generative or otherwise, in my content.

In fact I'm in the process of rewording my model releases (will post more on this in Non-WAM when ready) to specifically exclude any form of AI usage of the images and video, to protect my people. I have a friend who's a mainstream fashion model. They recently discovered that a clothing company they'd worked for, who paid for one shoot, have used those images to generate AI versions of them in dozens of dfifferent outfits, all with no payment or permission - a complete rip-off. I want to make sure my heirs, successors, or anyone I may ever sell the business to, can't do that with my models' likenesses.


Your real-world identity already is tied to every website you visit, and if you care about privacy it's important to know and understand that. Your internet provider has your bank details and knows exactly how much data you sent and the exact time, to a thousandth of a second, thet every byte was sent, even if it went over an encrypted VPN. VPNs have exit points, data can be matched up. Yes using a VPN endpoint in a country that doesn't have any porn restrictions will mean that you can still see R and X content here (and on many other sites) without doing the age verify thing, because the system here just looks to see what public IP you're coming from. Great. But don't think that means you have any kind of privacy shield, because it does not. And quantum computing is coming, which will render all current forms of encryption about as secure as ROT13.

I do get that people have concerns about what happens if Yoti and friends get hacked. Personaly I think the biggest risk would be the data being used for ID fraud, the fact that Joe Bloggs once visited UMD, which is a completely legal website, is of very little interest to anyone. And bear in mind that connection only exists once, when you do the validaton, it's not like every visit to UMD is tied back to Yoit, once the "over18" flag is set on your acocunt it's permanent and not re-checked.

Reading Yoti's privacy notice, it seems to say they delete your ID data after 28 days - they just keep track of the fact you have proven you're over 18 - though it's a bit confusing. Details here: https://www.yoti.com/privacy/identity-verification/ So even if they did get hacked, the hacker would only actually get ID documents for most recent users, for anyone else it's just be Joe Bloggs proved he's over 18 using a passport on yyyy-mm-dd.

Just to return to the main point of this thread: the intention is that anything that isn't X or R rated will still be viewable even without age verification, correct? I have no desire to see such things so am fine to not use AV.
If this changed and there was some legislation which required the entire site to be under a blanket AV barrier, would it be possible to create a version which strictly excluded anything NSFW or perhaps did not allow uploading of images or something similar?

Now that age verification is here, what's the point of producer verification? Can't it be rolled into one? As per the FAQ:


I just want to post explicit stuff without having my ID stored on some random guys hard drive (sorry MM). Is that too much to ask?

It'll depend on the laws wherever you happen to be accessing from. The way MM's built it, it can be very granular - with some settings you can still see pages with X and only the X images are blocked - with others still being visble. Or it can block all images on a page that contains an X image. But it all depends on the requiremenrts of the local laws where you are - some will be happy with the granular approach, others will want all access to the entire site restricted to over 18 only.


Two entirely different things. The age verification is to comply with new laws that just coming in now across the world that require adult content to be age-gated. The producer verification is to comply with existing billing company rules that anyone posting explicit content must be identifiable and not anonymous.


Sadly it is, and the reason is the people who kept endlessly and anonymously uploading the same rape videos of children over and over again to large tube sites, and those sites refusing to do anything effective to put a stop to it, until MasterCard pulled the financial plug out from under them.

After that the entire payment industry united in "no explicit uploads unless from an ID verified account", in order to put an end to the abuse.

So the producer verification (green tick) and the age verification are two entirely different things, producer verification applies globally, age verification applies to different degrees and levels depending on the local laws where you are.

Personally, I trust my ID rather more on MM's hard drive than some huge anonymous company. I trust MM, an unknown organisation with hundreds or thousands of staff, less so.