So there is the November / version 4 of this report, as linked on the HMG website.
But there is also a September / version 2 of this report, as found in an S3 Bucket, linked from a project that I found called “The Government Says”, and when you compare the two files, as I did at draftable.com, aside from a couple of formatting differences there is only one significant difference:
Somehow between September and November we went from “a roundtable” to “a series of roundtables”; and frankly it seems odd to me that we’ve gone from “one in the past three months” to “a series”, which latter makes it sound awfully more credible than it perhaps is?
Perhaps the stakeholders would like to share a little more about their consultation process, because looking at the rest of the document, VoCO seems to owe quite a lot of its content to the discredited, PAS1296:2018-centric, approach to Age Verification:
For more on PAS1296:2018 and the flaws in it, check out this Twitter thread:
And this one:
And this Medium posting: Response to draft Guidance on Age-Verification Arrangements and draft Guidance on Ancillary Service Providers:
- …
- PCI-DSS also defines what portion of payment-card data (if any) is visible to the vendor who is selling to a customer.
- “BSI PAS 1296” covers none of this; again, its primary focus is upon the process of age-checking (and, eg:, assuring that the customer cannot bypass an age check) rather than to protect the fact of age checking.
- Further: there is no mention of performing criminal records (CRB) checks on staff, nor of checking whether ones’ new employee might previously have worked at some Sunday tabloid.
- There is no definition of “adequacy” for protection of different aspects of age-verification data (viz: “Jane Doe”, her address, or which of several websites she has age-verified with).
- In short: PAS 1296 is wholly insufficient for the purpose of defining protection of “sensitive age-verification data”.
- …
It’s sad to see that we’re going around in big circles.
Leave a Reply