What? First, that has nothing to do with anything. Second, it's not true: most auditing has an in-person component, and many stings don't. Do you actually know what an audit is? Hint: a "pen test" isn't an audit and isn't much like an audit. Neither is a code review.
> Why does auditing always come up with this topic?
1. All security controls need to be audited.
2. There is a 100 percent chance that many of the organizations advocating for these laws, most of which would actually prefer for porn to be outlawed completely, will grab any chance they can to accuse sites of not complying. They'll either try to get sympathetic law enforcement agencies to take up those accusations, or, if they can find a legal avenue, they'll bring lawsuits themselves. They will undoubtedly find anecdotes of system failures, since any large-scale system will fail sometimes. They will claim that as evidence that the rules aren't being followed. Evidence, no matter how flimsy, has to be countered with other evidence, especially if you're in a "preponderance of the evidence" situation. It's pretty hard to show that what you're doing is reasonable or effective if you don't have at least a sample of records.
Do you know what an audit is? Have you ever worked somewhere with record keeping requirements? At a financial company I worked at, we recorded every customer interaction and every decision made for accounts (including "nothing to do now") along with the inputs to those decisions. Auditors would ask to see details of random accounts to show we were keeping those records and executing the correct logic. Your grocery store or liquor store aren't getting their shipments and sales audited for id checks. You can tell because they don't even always card you if you look old enough, or might accept being flashed an id. The way the law is enforced in person is that an underage person buys something they're not allowed to as part of a sting. You get in trouble for actually providing service to a minor. This is different from e.g. firearms dealers who do have to keep records.
Like I said, I've seen no laws requiring any audits or record keeping, and actually every law I've seen explicitly makes such records illegal. I don't see why the evidence that sites aren't doing their job wouldn't be the same as in person: the police have someone access the site without valid id, and the site didn't have a commercially reasonable system in place as a defense. If they're not doing their job, it will be easy for police to demonstrate it, and the site will actually be in the wrong.
That's not an "anecdote", just like selling cigarettes to a 16-year-old without an id is not an "anecdote". That is breaking the law. It's on companies to follow the law every time.