olly - Fotolia
Online age verification is back on the agenda after a pre-election pledge from the Conservatives to introduce some form of control for websites hosting adult content.
During the cut and thrust of the election hustings, many promises were made, but now that things have settled, what are the realistic prospects for age verification? Before anything is proposed – whether that’s standards, industry schemes, codes of conduct or legislation – the various interest groups need to clarify the drivers and methods available for age verification.
What are the drivers for age verification?
Age verification can be an extremely emotive topic. Pleas to “think of the children” often cloud the opinions of those trying to determine the best approach. While verification touches on child protection, its introduction will ultimately come down to risk and commerce, and what level of control that a product, service or content provider will implement that mitigates the risk of prosecution under the prevailing legislation.
The product owner needs to determine whether there are viable benefits from offering age-restricted services online. If the provider operates on a global basis, then this is a multifaceted issue with numerous local regulatory considerations.
This issue highlights a significant gap in shared understanding among merchants and content providers. What controls will mitigate the risk of prosecution from an under-age person gaining access online to age-restricted goods and services but will also still enable a smooth transaction?
What are the viable methods of age verification?
After the Conservatives made their pre-election statement about age verification there was some speculation they might use the Gov.uk Verify system currently under development to provide identity assurance for digital government services. While linking a prospective government policy with an existing government service may appear logical, it conflates two related yet separate activities: identity assurance and age verification.
In its simplest form age verification answers one basic question: is this person the correct age to access this service? It is therefore an issue of eligibility rather than identity. Identity assurance, by contrast, asks the question: is this person who they claim to be?
While it is correct to assume that a medium-trust identity assurance process such as Gov.uk Verify could provide the attributes for age verification, in truth it would be neither proportionate nor commercially viable to use such a comprehensive process for the majority of age-restricted goods and services.
Read more about online identity assurance
- European Union cybersecurity agency Enisa has called on service providers and end-users to work together to protect online identities
- The Government Digital Service has debuted its Gov.UK Verify system to prove users’ identities when using public services online
- Identity and access management is increasingly important, but also increasingly complex and set to get worse, says Gartner
Age verification is an age or date of birth attribute check to determine service eligibility. The complexity arises when assuring the asserted date of birth. The asserted evidence containing the date of birth, such as a passport, may need to be validated by the issuing authority.
As data owners look to monetise their assets, more data sets should become available for attribute checking, and these need only return a simple yes/no response rather than share data. However, the minimal digital footprint for under-18s often makes it difficult to resolve lower age restrictions.
One significant weakness with validating asserted evidence is that a child could assert another eligible subject’s evidence, such as a parent’s passport. A verified link between the subject asserting the evidence and the asserted evidence is required. This can be done by comparing a photo of the person asserting the evidence with the photo on the document. There are now smartphone apps that can perform such comparisons, which can also undertake checks to determine that the document is genuine by checking known security features or accessing information from a chip on the document via an NFC reader.
Another approach for age verification is implicit trust. For example, if the subject can assert a credit card as evidence of age, it is assumed that they must be over 18. However, this assertion does not bind the card owner to the subject undertaking the transaction. Where, then, does this leave us?
A key priority for those wishing to grant online access to age-restricted goods or services is compliance with regulation. Legislation rarely stipulates how compliance should be achieved. In reality low-impact, low-trust assurance processes may well achieve the desired outcomes.
Internet commerce now needs to consider eligibility to purchase as well as ability to pay, and merchants face the challenges of a global internet and an increasingly technically savvy under-age audience.
While government and online merchants will focus on how to achieve compliance and mitigate risk, it should not solely be their responsibility to protect children from accessing restricted goods and services online.
We need to invest in education, awareness and parental control to shift public attitudes away from simply blaming ‘the internet’ to one of joint responsibility where all parties have an important role to play.
David Black was until recently a product manager on the UK government’s Gov.uk Verify identity assurance programme. He has worked on government identity projects since 2003.
An event to discuss the implications of age verification is being held in London on 22 September 2015