How do you check age online?
Currently, age verification checks (to the standards defined by BSI’s ‘PAS 1296:2018’) can be conducted using any of the following methods, either alone or in combination.
Different methods (or combinations) offer more or less confidence in the accuracy of the result – this is referred to as the “level of assurance“.
Government Identity Documents (Passport, Driving Licence, National Identity Card)
A reliable, physical identity document can be reviewed and the age details noted. Users will typically submit an image of one or more of these documents using a smartphone camera. Technology, known as optical character recognition (OCR) reads the data from the document which is then typically validated based on known security features built into the form of ID used.
The photo on the document can also be compared to a freshly taken photo or video of the user, which is known as a “liveness” check.
For the highest levels of assurance Near Field Communication (NFC) technology can be used to read the microchip in the document, and the data on the chip compared to the image on the document, and a fresh photo or video of the user.
These standards are defined in the ‘electronic Identity Document Validation Technology’ (e-IDVT) guidance issued by the UK Cabinet Office (GPG45).
Mobile Phone account records
In many countries, including the UK, mobile phone companies apply parental controls to new phones and sim cards which can only be unlocked by proving your age. Once this process has been completed, age verification providers can check with the network if a phone has access to adult-only restricted content, thereby confirming a user has been checked by their network to be an adult.
Credit reference agencies and other private sector databases
Users will usually enter their name, address and date of birth (either specifically for the purposes of age verification or as part of their account opening or purchase process), and a search is made of credit reference agency databases to confirm the details are accurate and obtain or confirm the date of birth. Typically this form of check is used where the user will need to be located at the address claimed as part of this process, to prevent user’s entering the details of other people.
Age estimation via biometric analysis
A number of features and characteristics of people change with age.
For example, facial features can be analysed to estimate age. Users are either prompted to share a still or video image, or an existing profile picture can be used, and artificial intelligence then estimates their age. The AI learns how to do this by reviewing hundreds of thousands of anonymous images of people with a known age, and this means the technology is becoming better by the day.
Presently, to be sure that someone is definitely over a certain age, typically systems are set with a “buffer” so they actually test if someone is estimated to be, say, 2 years above that age. The size of this buffer depends on the level of accuracy required by the client, or any regulatory requirements.
There is no need for age estimation to retain any information about an individual, as the result is immediate and the facial image can be instantly deleted. In fact, the technology does not require enough data for that data to be unique to the individual, so it not classed as personally identifiable information (‘PII’)
Other biometric features include voiceprints, gestures and keystrokes (how you type) as well as analysis of how you write (natural language processing ‘NLP’). These methods are currently less well-developed than facial analysis but progressing fast.
Note: The facial estimation technique described here is quite distinct from facial recognition as no images are being matched for the purpose of estimating age. Facial recognition may be used to check that a user relying on a previous age check is still the same individual who completed the check, but that is a separate process required for “authentication” rather than age estimation.
In many countries, credit cards are only issued to adults, so the possession and the ability to use a credit card is a strong indicator that someone is over 18. At its simplest, submitting a valid credit card number may be sufficient, but to add to the confidence in this method, a payment authorisiation can be requested from the issuer, and for the highest level of assurance, a micro-payment can be charged. The final option has the impact of appearing on the user’s statement, so if the card has been used without their knowledge by a child, this would be apparent from inspection of online or paper statements.
Banks generally require a strong level of identification check to open an account, and keep a record of their customers’ dates of birth. Some banks allow trusted third parties to confirm a date of birth supplied to by the customer with those records. Typically, the user logs into their own online banking system, and gives approval for the data to be supplied to the third party, which in this case would be an age verification provider.
Biometric age identity verification
This is a process to recognise a pre-enrolled user who has already proven their age using a unique biometric feature such as their face, voice or vein structure.
Social Proofing / algorithmic profiling
This is another artificial intelligence solution which assesses the likely age of a user based on their online behaviour. Estimates are based on a user’s online public profile and how they interact with an online service – their interests, their friends, their school etc. but cannot determine an exact age, and has a wider margin for error and risk of evasion, making it unsuitable for applying many legal and regulatory requirements. That said, this is a relatively new area, but one which is also improving. It is limited by access to personal data, which for a new user will not exist on the service they are accessing, and where it exists elsewhere, access is likely to be restricted by data protection laws.
This is where a user is enrolled into an age verification scheme in person. They may be asked to produce a physical proof of age which is checked by a trained member of staff when doing so, or it could be left to the judgement of staff based on a “Challenge 25” approach, with users closer to the age they are claiming required to provide some additional proof.
This is where other people with credibility are able to confirm a user’s age. They may be professionals, such as teachers or doctors. It is one of the most inclusive methods of age verification, as users do not need to have any documents or particular records.
You can only vouch for someone if all of the following statements apply:
- you have an existing relationship with the user
- you are sure the user is who they say they are
- you are in a position of authority in their community
- you have proved your own identity
A vouch will be more reliable if the person who’s vouching has known the user over time. This is because it’s hard for someone to maintain a fraudulent identity over time without it being detected.
There’s no rule about how long a person has to know someone before they can vouch for them, but they must know the user well enough to be comfortable doing it.
Account holder confirmation (verified parental consent in the USA)
This is not considered a method of age verification. It is where an adult who has already been age-verified, provides confirmation that a child is of a certain age. For example, an adult may open an account for watching video content online and create a profile for their children to use that account in a limited age-appropriate manner.
This method relies on the honesty and involvement of a parent or legal guardian, and it is also not easy to confirm that the person creating the child’s profile has the legal power to do so. While other independent methods of age assurance are developed, this may be pragmatically adopted as a proxy for verification.
Attestation / self-declaration
This is not considered a method of age verification, but can provide a starting point for the process, and in some cases where there is no risk in believing the answer given is accurate, it may still be fit-for-purpose.
Self declaration is simply asking users to tick a box, or enter their age or date of birth – without any additional checking against other data sources.
Technical measures can reduce the risk slightly – for example, allowing any year of birth to be entered, not only a the year from before which the user would meet the site’s minimum age requirement, or preventing users applying trial and error by repeatedly amending their age until they are admitted.
These weak methods of age assurance would not, on their own, achieve the level of accuracy required for robust age checking which passes the principal standard for age checks, BSI PAS 1296:2018. They can be used in combination with other age assurance techniques but on their own, they fall outside the scope of age assurance.
This is not a method in its own right, but is an additional safeguard against fraud, where a user is asked to take a photo or a video of themselves, and may be asked to say some specific words or phrases, so this can be compared with identity documents, or previously recorded data to ensure a match. It prevents the use of still images and other ways users may try to circumvent age checks.
How accurate are these methods?
Each of these, alone or in combination, verify age to a different ‘level of assurance’. Regulators can determine the level of assurance they require for each use. So to view an 18 rated film, it might be deemed sufficient to rely on a credit reference agency based check. But to buy a knife online, the requirement may be for a government issued identification document to be used, its chip interrogated and facial recognition software applied to ensure that the person making the purchase at that time is the same person to whom the ID document was issued. For details on standards and levels of assurance, click here.