How do you check age online?
Currently, age verification checks (to the standards defined by BSI’s ‘PAS 1296:2018’) can be conducted using any of the following methods, either alone or in combination.
Different methods (or combinations) offer more or less confidence in the accuracy of the result – this is referred to as the “level of assurance”.
Digital identity via hard identifiers i.e. Identity Documents (Passport, Driving Licence, National Identity Card)
A reliable, physical identity document can be reviewed and the age details noted. Users will typically submit an image of one or more of these documents using a smartphone camera. Technology, known as optical character recognition (OCR) reads the data from the document which is then typically validated based on known security features built into the form of ID used.
The photo on the document can also be compared to a freshly taken photo of the user.
For the highest levels of assurance Near Field Communication (NFC) technology can be used to read the microchip in the document, and the data on the chip compared to the image on the document, and a fresh photo or video of the user.
These standards are defined in the ‘electronic Identity Document Validation Technology’ (e-IDVT) guidance issued by the UK Cabinet Office (GPG45).
Private sector databases e.g. Credit reference agency data
Users will usually enter their name, address and date of birth (either specifically for the purposes of age verification or as part of their account opening or purchase process), and a search is made of credit reference agency databases to confirm the details are accurate and obtain or confirm the date of birth. Typically this form of check is used where the user will need to be located at the address claimed as part of this process, to prevent user’s entering the details of other people.
In a similar fashion to the use of private sector databases, users can provide their name and address, and a search is made of the electoral roll databases to confirm the details are accurate and that they are over 18 by virtue of being on the roll. As this data is public, this method is again usually restricted to situations where the user will need to be at home at some point to validate that the claimed entry on the electoral roll relates to them.
Government databases e.g. passport
For this method, approved private sector companies are given access to check the details of an individual, confirming only if the user seeking age verification has provided completely correct information (not giving direct access to the data they hold). This is called one-way blind check. So the user would enter their name, address and date of birth, and the AV provider can check with a government database that the date of birth and all other details are 100% accurate. If any detail is wrong, the check fails but the AV provider is not given any detail about what part of the data entered does not match the official record.
In the UK, Her Majesty’s Passport Office is piloting this mechanism. The same approach can be extended to other databases e.g. tax, benefits, education, housing but in many countries, this may require legislation to allow users to instruct the government to confirm the accuracy of their personal data through such one-way blind checks.
Mobile Phone account records
In the UK, mobile phone companies apply parental controls to new phones and sim cards which can only be unlocked by proving your age to the network. Once this process has been completed, age verification providers can check if a phone has access to adult-only restricted content, thereby confirming a user has been checked by their network to be an adult.
Age estimation via biometric analysis
A number of features and characteristics of people change with age.
For example, facial features can be analysed to estimate age. Users are either prompted to share a still or video image, or an existing profile picture can be used, and artificial intelligence then estimates their age. The AI learns how to do this by reviewing hundreds of thousands of anonymous images of people with a known age, and this means the technology is becoming better by the day.
Presently, to be sure that someone is definitely over 18 or under 18, typically systems are set with a narrow buffer of 2-5 years, depending on the level of accuracy required by the client, or any regulatory requirements.
There is no need for age estimation to retain any personally identifiable data about an individual, as the result is immediate and the facial image can be instantly deleted.
Other biometric features include voiceprints, gestures and keystrokes (how you type) as well as analysis of how you write (natural language processing ‘NLP’). These methods are currently less well-developed than facial analysis.
Note: The facial analysis technique described here is quite distinct from facial recognition as no images are being matched for the purpose of estimating age. Facial recognition may be used to check that a user relying on a previous age check is still the same individual who completed the check, but that is a separate process required for “authentication” rather than age verification.
Social Proofing / algorithmic profiling
This is another artificial intelligence solution which assesses the likely age of a user based on their online behaviour. Estimates are based on a user’s online public profile and how they interact with an online service – their interests, their friends, their school etc. but cannot determine an exact age, and has a wider margin for error and risk of evasion, making it unsuitable for applying many legal and regulatory requirements. That said, this is a relatively new area, but one which is also improving. It is limited by access to personal data, which for a new user will not exist on the service they are accessing, and where it exists elsewhere, access is likely to be restricted by data protection laws.
Account holder confirmation
This is where an adult who has already been age-verified, provides confirmation that a child is of a certain age. For example, an adult may open an account for watching video content online and create a profile for their children to use that account in a limited age-appropriate manner.
This method relies on the honesty and involvement of a parent or legal guardian, and it is also not easy to confirm that the person creating the child’s profile has the legal power to do so. While other independent methods of age assurance are developed, this may be pragmatically adopted as a proxy for verification.
How accurate are these methods?
Each of these, alone or in combination, verify age to a different ‘level of assurance’. Regulators can determine the level of assurance they require for each use. So to view an 18 rated film, it might be deemed sufficient to rely on a credit reference agency based check. But to buy a knife online, the requirement may be for a government issued identification document to be used, its chip interrogated and facial recognition software applied to ensure that the person making the purchase at that time is the same person to whom the ID document was issued.
What about “self-declaration?
Self declaration is simply asking users to tick a box, or enter their age or date of birth – without any additional checking against other data sources.
Technical measures can reduce the risk slightly – for example, allowing any year of birth to be entered, not only a the year from before which the user would meet the site’s minimum age requirement, or preventing users applying trial and error by repeatedly amending their age until they are admitted.
These weak methods of age assurance would not, on their own, achieve the level of accuracy required for robust age checking which passes the principal standard for age checks, BSI PAS 1296:2018. They can be used in combination with other age assurance techniques but on their own, they fall outside the scope of age assurance.