An idea whose time has come: robust on-line age-checking - and not just for access to pornography

The announcement of the DCMS consultation “Child Safety Online: age checking for Pornography” is most welcome. As yet, however, the press cover appears limited to a rehash of past arguments. The consultation document refers to the work of the Digital Policy Alliance in organising a standard for robust anonymised, on-line age checking (i.e. decoupled from personal identity). The same group is looking at how the identity checking and access management services already available might be used to help meet the likely standard. I have been able to sit in on many of the meetings. It is clear that the services already available have greatly improved – largely because of the pressures on the on-line financial services, transaction processing and gaming industries to protect themselves from on-line fraud and denial of service attacks while maintaining ease of use. The C Plan (issued at the start of the DPA exercise) remains well worth reading but the supporting paper on what had changed over the previous five years to make the approach viable is now dated. Anonymised age checking, as part of a data minimisation approach towards customer verification, is not only viable – it now makes good business sense (reducing the cost/risk of data breaches) – whether or not it is mandated for child protection purposes.

I recommend you read the consultation document rather than rely on the press cover. It is quite short (only 44 pages), clearly written and much more thoughtful than most of the current public debate. 

My first reaction was that I was delighted to be wrong in my New Year’s Eve Blog – Ofcom has NOT dropped the ATVOD ball – although we have yet to see the nature of the doubles match it will play with advertising and financial services authorities when it comes to enforcement with regard to uncharged services. The consultation raises good questions with regard to enforcement but these need to be put into wider context. For example, the London mayoral candidates have pledged action on knife crime and a member of Zac Goldsmith’s team exposed the failure of some on-line retailers to even “go through the motions” when it comes to checking the ages of those purchasing controlled goods and services (i.e. not just pornography but “zombie knives”, alcohol etc.). This raises the question of what it is reasonable for such retailers to do. The same questions need to be asked of those providing “free” services (including those where your details or those of your children are the “product” for sale) – including supposedly “safe” social and educational networks.

This led to my second reaction. You should read and re-read Figure 3, page 11 and Question 4, page 21 of the Consultation document. Many of the “other comparable proof of account ownership …” services are now cheaper, more robust and easier to acquire, use and check than those for the Government Verify programme, let alone such flawed databases as the electoral roll or passport file. This is the main reason the Verify programme is now floundering, unable to attract serious interest from those (e.g. banks and on-line retailers) who need to distinguish paying customers from fraudsters without turning the former away.

We are seeing the rapid roll out and take-up of “trusted computing” technologies linked to low cost biometrics. Thus the smart phone your child might use to access an age-controlled social or educational network might use the “selfie camera” to check their image against that stored by the age checking service (Yoti is an example of the new generation of approaches to identity checking) – setting off an alarm if you were to borrow their phone to check …  In the adult world such image checking services are also being rolled out around the world by the mobile operators in support of (for example) payment systems which aim to check not only device, location, credential but user.

The main problem is therefore of process, not technology, when it comes to age checking for access to child or adult social networks, let alone age controlled products and services. Most current services wish the operator to help them collect customer data. But many retailers, faced with the prospect of massive fines in the event of a data breach, wish only to confirm the customer is above or below the age claimed, with no access to the school, health, credit or other records used for the checking process – and to collect or retain no record of the transaction/transmission other than for order fulfillment, billing or audit purposes. There is a consequent divide within the OIX federated identity community between the “big data” and the “data minimisation/anonymisation” communities.

In that context it is worth re-reading the original “C Plan” and putting your responses to the consultation into the context of privacy, surveillance and big/marketing data and advertising funded services. Those on-line retailers who are serious about the privacy and security of their customers and their customers’ families should e-mail the DPA membership secretary, ask to join the Digital Policy Alliance Age Checking Group and then also exploit the opportunities for wider collaboration and better clarity of policy debate.