How does AV work?
Currently, age verification checks (to the standards defined by BSI’s ‘PAS 1296:2018’) can be conducted using any of the following methods, either alone or in combination.
Different methods (or combinations) offer more or less confidence in the accuracy of the result – this is referred to as the “level of assurance”.
Hard identifiers i.e. Identity Documents (Passport, Driving Licence)
Users typically submit an image of these documents using their smartphone camera. OCR technology reads the data from the document which is validated based on known security features. The photo on the document can also be compared to a freshly taken photo of the user. Or Near Field Communication technology can be used to read the microchip in the document, and the data on the chip compared to the image of the document, and the photo of the user. These standards are defined in the electronic Identity Document Validation Technology guidance issued by the UK Cabinet Office. (https://www.gov.uk/government/publications/identity-proofing-and-verification-of-an-individual/identity-proofing-and-verification-of-an-individual)
Private sector databases e.g. Credit reference agency data
Users enter their name and address, and a search is made of credit reference agency databases to confirm the details are accurate and obtain or confirm the date of birth.
Government databases e.g. passport
The UK Passport Office is piloting allowing private sector companies to check the details on a passport, confirming only if they are correct (not giving direct access to the data they hold). This is called one-way blind check. So the user would enter their name, address and data of birth, and the AV provider can check with the passport office that the date of birth is accurate. This can be extended to other databases e.g. tax, benefits, education, housing
Users enter their name and address, and a search is made of the electoral roll databases to confirm the details are accurate and that they are over 18 by virtue of being on the roll.
Mobile Phone account records
In the UK, mobile phone companies apply parental controls to new phones and sim cards which can only be unlocked by proving your age to the network. Once this process has been completed, age verification providers can check if a phone has access to adult-only restricted content, thereby confirming a user has been checked by their network to be an adult.
Facial image analysis
Users submit either a still or video image and artificial intelligence then estimates their age. The AI learns how to do this by reviewing thousands of photos of people with a known age, and this means the technology is becoming better by the day. Presently to be sure that someone is definitely over 18, typically systems are set to check if the user looks at least 25. This margin for error means there is a less than 0.01% chance of the system estimating the user is over 25 when they are in fact under 18. The margin required to maintain this level of accuracy is reducing as the AI learns.
Social Proofing / algorithmic profiling
This is another artificial intelligence solution which assesses the likely age of a user based on their online behaviour. Estimates are based on a user’s online public profile and how they interact with an online service – their interests, their friends, their school etc. but cannot determine an exact age, and has a wider margin for error and risk of evasion, making it unsuitable for applying many legal and regulatory requirements. That said, this is a relatively new area, but one which is improving rapidly.
Account holder confirmation
This is where an adult who has already been age-verified, provides confirmation that a child is of a certain age. For example, an adult may open an account for watching video content online and create a profile for their children to use that account in a limited age-appropriate manner.
How accurate are these methods?
Each of these, alone or in combination, verify age to a different ‘level of assurance’. Regulators can determine the level of assurance they require for each use. So to view an 18 rated film, it might be deemed sufficient to rely on a credit reference agency check. But to buy a knife online, the requirement may be for government issued identification document to be used, its chip interrogated and facial recognition software applied.
What about “age assurance”?
Age assurance is a more general term for any attempt to assess the age of a customer. It also includes self declaration – simply asking users to tick a box, or enter their age or data of birth – without any additional checking against other data sources. Technical measures can reduce the risk slightly – for example, allowing any year of birth to be entered, not only a the year from before which the user would meet the site’s minimum age requirement, or preventing users applying trial and error by repeatedly amending their age until they are admitted. These weaker estimation methods of age assurance would not, on their own, achieve the level of accuracy required for robust age checking which passes the principal standard for age checks, BSI’s PAS 1296:2018.