
And this is why I recommend using fake details & IDs when signing up to sensitive services like this. Not an ideal situation and I'm not blaming the victims here, just stating what I would do if I had no choice but to sign up for such a site. Given the life-changing consequences of a leak and the risk of harm (stalkers showing up at home, or being an LGBT performer in a location where the government doesn't approve of that) the consequences of being caught with a fake ID are tame in comparison.

Ideally there should be a way for the websites to fulfil their legal obligations regarding age verification without actually handling any ID data themselves. Maybe a government-provided OAuth-style service where you are redirected there, authenticate with the government (no extra risk there, they already have the data) and then they return a signed blob to the website asserting that you are of legal age without actually disclosing any details.
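The "signed blob" idea in the comment above, sketched as an added example (not part of the original post and not any real government API). The claim fields, the `Issue`/`Verify` names and the choice of Ed25519 are assumptions made for illustration; the point is that the site verifies a signature over a minimal claim bound to its own name, a fresh nonce and an expiry, and never stores ID data.

```go
package main
import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

type Assertion struct { // all the site ever sees: no name, birth date or ID number
	Over18   bool   `json:"over_18"`
	Audience string `json:"aud"`   // site the assertion was issued for
	Nonce    string `json:"nonce"` // chosen by the site per request, stops replay
	Expires  int64  `json:"exp"`   // Unix seconds
}

// Issue is the hypothetical issuer side: it signs only the minimal claim.
func Issue(priv ed25519.PrivateKey, over18 bool, aud, nonce string, ttl time.Duration) (payload, sig []byte) {
	payload, _ = json.Marshal(Assertion{over18, aud, nonce, time.Now().Add(ttl).Unix()})
	return payload, ed25519.Sign(priv, payload)
}

// Verify is the site side: check the signature first, then every binding.
func Verify(pub ed25519.PublicKey, payload, sig []byte, aud, nonce string) error {
	if !ed25519.Verify(pub, payload, sig) {
		return errors.New("bad signature")
	}
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return err
	}
	switch {
	case a.Audience != aud:
		return errors.New("issued for another site")
	case a.Nonce != nonce:
		return errors.New("nonce mismatch (replay)")
	case time.Now().Unix() > a.Expires:
		return errors.New("expired")
	case !a.Over18:
		return errors.New("not of legal age")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	p, s := Issue(priv, true, "site.example", "n-123", time.Minute)
	fmt.Println(string(p), Verify(pub, p, s, "site.example", "n-123"))
}
```

A breach of the site in this model exposes only the signed payloads, which contain a boolean, the site's own name, a nonce and a timestamp.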



The models can't fake this data - it's required as proof that the filming is consensual, and that they are of a legal age to produce the films.


That may be the overt motivation, but the record keeping requirements include things unrelated to that purpose that make the records more dangerous (including every name, nickname, and alias the performer has ever used). Combined with the extension of the rules to “secondary producers” (redistributors) who are permitted to get copies from primary distributors, the law assures that a treasure trove of easily abusable information about adult performers is widely dispersed.


Would an ID with everything redacted but the picture and birthdate pass? It should be sufficient to fulfil the site's legal requirements while mitigating risk of the data leaking - you can't leak what you can't have.


> Would an ID with everything redacted but the picture and birthdate pass? It should be sufficient to fulfil the site's legal requirements

No, it would not. “...the records shall also include a legible hard copy or legible digitally scanned or other electronic copy of a hard copy of the identification document examined and, if that document does not contain a recent and recognizable picture of the performer, a legible hard copy of a picture identification card.” 28 CFR 75.2(a)(1); and there's a lot more besides, see https://www.law.cornell.edu/cfr/text/28/75.2 and 28 CFR 75 generally, as well as 18 USC § 2257.


Would a site be willing to take the risk on accepting a blatantly doctored ID? The consequences for allowing an underage performer on the site are extremely severe. Decades in jail labeled as a pedophile and spending the rest of your life on the sex offender registry.

It's no surprise at all that the sites demand an extraordinary amount of PII about the performers before they are allowed to post a single image.

Shame the punishments for leaking PII are nowhere near as severe.


I've seen a lot of cases where the potential penalties of not checking IDs or blatant financial crime are severe, and yet the jobs are outsourced to people not paid enough to care, not given the right tools to investigate inconsistencies, or encouraged by management to "look the other way" so I wouldn't be surprised if the same happens here.

Asking for a lot of PII is one thing, actually checking that PII to be accurate is another thing. The latter can be exploited to regain a slight bit of privacy.


Unintended consequences are a bitch.


The moral, legal and technical imperative to protect this data is 100% on the company storing this data. Even if the onus of protecting sensitive personal information were passed on to the performers making a living from this site, they would still need to show their full legal name on a redacted ID (which makes finding the address trivial).

The owners of this site should be ordered to pay restitution for the damages it has caused to all the performers impacted by this leak. If there are no consequences for things like this, companies will continue to be poor custodians of sensitive data that we entrust to them. The most vulnerable people in society will, as usual, suffer the greatest harm.


I agree, but both the Equifax case and the lack of enforcement of the GDPR (still no sign of the million-dollar fines or even investigations) show that the powers that be clearly have no incentive to actually enforce this (well at least until some high-profile politician's dirty laundry gets leaked).


No, read U.S.C 2257 Record-Keeping Requirements

(1) ascertain, by examination of an identification document containing such information, the performer’s name and date of birth, and require the performer to provide such other indicia of his or her identity as may be prescribed by regulations; (2) ascertain any name, other than the performer’s present and correct name, ever used by the performer including maiden name, alias, nickname, stage, or professional name; and (3) record in the records required by subsection (a) the information required by paragraphs (1) and (2) of this subsection and such other identifying information as may be prescribed by regulation.


Why not? It's a bit tech-savvy, but it's probably not too hard to modify a passport scan to change the name, address etc.


Astonishingly, forging/counterfeiting identification is a crime in many if not most jurisdictions.


In a situation like this the consequences of being caught for fake IDs are less damaging than this data breach, especially if you're an LGBT performer in certain locations.


So is leaking personally identifiable information... besides, it's not like they're going to find them (if the data is properly faked).


eh, I wouldn't be so quick to blame the workers involved here. They didn't know the site had bad security.


In this case that wasn't an option as these are the models so they had to present real info, at least to get paid.


You have fake passport and credit card scans? I'm not sure you should admit that on a public forum.


I don't, but if I had no other choice and needed to sign up to such a site I'd consider making one (or trying a real one with sensitive info redacted and see if that passes), along with other anonymity precautions.

The law is IMO the least of your concerns here (you are not stealing or causing harm to anyone, so very little incentive for someone to look into it), the fallout when your real ID leaks like what happened here would be a much bigger concern especially for LGBT performers in certain regions.

Regarding credit cards, using a prepaid one or a service such as Privacy.com is enough so no fakery needed there.


You are thinking in the realm of theory.

None of that works in the realm of reality.

Creating a fake ID = super illegal.

Credit cards: prepaid can be detected and blocked, same as the privacy.com ones - especially when the credit card is being used to validate something. Look at any major fraud prevention software, these things are trivial.

In the real world, if you want to make money, you need to show and prove ID with matching banking details. Any inconsistencies and you don't get paid. This isn't something you can outsmart. People smarter than you and I have been thinking very long and hard about these points, much more so than the two minutes you took to think up your post. The idea is like those videos of 'primitive underground dwellings with a swimming hole on top'. Cute, creative, but terribly impractical and useless in any real world situation.


> You are thinking in the realm of theory.

Yes that is correct. I am thankful I have other means of income meaning I don't need to model for a cam site.

> Creating a fake ID = super illegal.

Agreed. But if I'm at the desperate stage where I have no choice but to sign up to a cam site, I would prefer taking that risk than having such PII leak many years in the future and affect my career prospects (the article mentions some of the data being up to 20 years old - most of these people now have no doubt left the scene but their new life can now be screwed up by this data leaking). Neither is a good solution, but IMO the risks of the latter outweigh those of the former.

Regarding prepaid cards, yes I know they can be detected and blocked, but is there any incentive to do so? It makes sense for a performer to want to protect their privacy, so I don't see why the site would block these cards?


It's actually not always illegal to create or possess a fake ID. It depends on the state and what you do with it. Some states it's illegal always. In California though as an example here's the law:

https://leginfo.legislature.ca.gov/faces/codes_displaySectio...

> 470b. Every person who displays or causes or permits to be displayed or has in his or her possession any driver’s license or identification card of the type enumerated in Section 470a with the intent that the driver’s license or identification card be used to facilitate the commission of any forgery, is punishable by imprisonment in a county jail for not more than one year, or by imprisonment pursuant to subdivision (h) of Section 1170.

You have to have the intent to commit a forgery. This is defined elsewhere but means to use the id to commit fraud.

So you have a novelty id that says your name is Mickey Mouse and you are 100 years old. You show it to your friends. Or maybe you get one as a gag gift for a friend. Not illegal in California. Using a fake id to misrepresent your age for legal purposes such as buying alcohol, tobacco, firearms, voting, acting in porn? Very illegal.


there are services available which provide those for many countries, for a reasonable fee


no thank you, I don't want my restaurant to require this just to eat so they can track me better.



