The Open Rights Group says it fears a data breach is “inevitable” as the deadline approaches for a controversial change in the way people in the UK access online pornography.
Details of an age verification tool developed by a major porn site owner were revealed at the weekend.
From April 2018, porn site visitors in the UK will have to prove they are aged 18 or over to access adult material.
The regulation is designed to protect children from explicit content.
It is part of the UK government’s Digital Economy Act.
MindGeek, which runs sites including PornHub, YouPorn and RedTube, said its AgeID age verification tool had been in use in Germany since 2015.
It said its software would use “third-party age-verification companies” to authenticate the age of those signing in.
AgeID spokesman James Clark told the BBC there were multiple verification methods that could be used – including credit card, mobile SMS, passport and driving licence – but that it was not yet clear which would be compliant with the law.
AgeID would be made commercially available to all porn sites accessible within the UK, MindGeek said, and would be offered free to independent UK studios, producers and bloggers.
Once registered, users would be able to access multiple sites across multiple devices without logging in again, it said.
MindGeek also said it would not store any data itself.
“We have created a tool to comply with the impending UK legislation, which both protects children from stumbling across adult content, and enables those of legal age to securely and privately access adult websites through a one-time verification process,” said Mr Clark.
However, the tool will be effective only for those who go directly to porn sites rather than use search engines or follow social media hashtags that include pornographic content.
These could be blocked by the parental controls offered by most internet service providers.
Mr Clark said the scope of the regulations were a matter for the regulator, the British Board of Film Classification (BBFC), but that AgeID would work across MindGeek’s network and all others that signed up to use it.
Treasure trove
Myles Jackman, legal director of the Open Rights Group, said while MindGeek had said it would not hold or store data, it was not clear who would – and by signing in people would be revealing their sexual preferences.
“If the age verification process continues in its current fashion, it’s a once-in-a-lifetime treasure trove of private information,” he said.
“If it gets hacked, can British citizens ever trust the government again with their data?
“The big issues here are privacy and security.”
Mr Jackman said it would drive more people to use virtual private networks (VPNs) – which mask a device’s geographical location to circumvent local restrictions – or the anonymous web browser Tor.
“It is brutally ironic that when the government is trying to break all encryption in order to combat extremism, it is now forcing people to turn towards the dark web,” he said.
The chief executive of the BBFC, David Austin, said age verification was already in place for other services, including some video-on-demand sites.
“This is not about stopping adults from watching pornography that is legal; it is about making the internet a safer place for children,” he said.
“There are a range of methods for verifying whether someone is 18 or over, and we expect to see a number of solutions offered by providers to give people different ways to verify their age.”