Current Region:
Global

How do you check age online?

Currently, age verification checks (to the standards defined by BSI’s ‘PAS 1296:2018’) can be conducted using any of the following methods, either alone or in combination.

Different methods (or combinations) offer more or less confidence in the accuracy of the result – this is referred to as the “level of assurance”.

Goverment Identity Documents (Passport, Driving Licence, National Identity Card)

A reliable, physical identity document can be reviewed and the age details noted.  Users will typically submit an image of one or more  of these documents using a smartphone camera.  Technology, known as optical character recognition (OCR) reads the data from the document which is then typically validated based on known security features built into the form of ID used.

The photo on the document can also be compared to a freshly taken photo or video of the user, which is known as a “liveness” check.

For the highest levels of assurance Near Field Communication (NFC) technology can be used to read the microchip in the document, and the data on the chip compared to the image on the document, and a fresh photo or video of the user. 

These standards are defined in the ‘electronic Identity Document Validation Technology’ (e-IDVT) guidance issued by the UK Cabinet Office (GPG45). 

Mobile Phone account records

In the UK, mobile phone companies apply parental controls to new phones and sim cards which can only be unlocked by proving your age to the network.  Once this process has been completed, age verification providers can check if a phone has access to adult-only restricted content, thereby confirming a user has been checked by their network to be an adult.

Credit reference agencies and other private sector databases

Users will usually enter their name, address and date of birth (either specifically for the purposes of age verification or as part of their account opening or purchase process), and a search is made of credit reference agency databases to confirm the details are accurate and obtain or confirm the date of birth.  Typically this form of check is used where the user will need to be located at the address claimed as part of this process, to prevent user’s entering the details of other people.

Age estimation via biometric analysis

A number of features and characteristics of people change with age. 

For example, facial features can be analysed to estimate age.  Users are either prompted to share a still or video image, or an existing profile picture can be used, and artificial intelligence then estimates their age.  The AI learns how to do this by reviewing hundreds of thousands of anonymous images of people with a known age, and this means the technology is becoming better by the day. 

Presently, to be sure that someone is definitely over 18 or under 18, typically systems are set with a narrow buffer of 2-5 years, depending on the level of accuracy required by the client, or any regulatory requirements. 

There is no need for age estimation to retain any personally identifiable data about an individual, as the result is immediate and the facial image can be instantly deleted.

Other biometric features include voiceprints, gestures and keystrokes (how you type) as well as analysis of how you write (natural language processing ‘NLP’).  These methods are currently less well-developed than facial analysis.

Note: The facial analysis technique described here is quite distinct from facial recognition as no images are being matched  for the purpose of estimating age.  Facial recognition may be used to check that a user relying on a previous age check is still the same individual who completed the check, but that is a separate process required for “authentication” rather than age verification.

Credit Card

Generally, credit cards are only issued to adults, so the possession and the ability to use a credit card is a strong indicator that someoen is over 18. At its simplest, submitting a valid credit card number may be sufficient, but to add to the confidence in this method, a payment authorisiation can be requested from the issuer, and for the highest level of assurance, a micro-payment can be charged.  The final option has the impact of appearing on the statement, so if the card has been used without their knowledge, this would be apparent from inspection of online or paper statements.

Physical Check

This is where a user is enrolled into an age verification scheme in person.  They may be asked to produce a physical proof of age when doing so, or it could be left to the judgement of staff based on a “Challenge 25” approach, with users closer to the age they are claiming required to provide some additional proof.

Liveness Check

This is not a method in its own right, but is an additional safeguard against fraud, where a user is asked to take a photo or a video of themselves, and may be asked to say some specific words or phrases, so this can be compared with identity documents, or previously recorded data to ensure a match.  It prevents the use of still images and other ways users may try to circumvent age checks.

Open Banking

Banks generally require a strong leve of identification check to open an account, and keep a record of their customers’ dates of birth.  Some banks allow trusted third parties to confirm a date of birth supplied to by the customer with those records.  Typically, the user logs into their own online banking system, and gives approval for the data to be supplied to the third party, which in this case would be an age verificaiton provider.

Biometric age identity verification

This is a process to recognise a pre-enrolled user who has already proven their age using a unique biometric feature such as their face, voice or vein structure.

Electoral Roll

In a similar fashion to the use of private sector databases, users can provide their name and address, and a search is made of the electoral roll databases to confirm the details are accurate and that they are over 18 by virtue of being on the roll.  As this data is public, this method is again usually restricted to situations where the user will need to be at home at some point to validate that the claimed entry on the electoral roll relates to them.

Government databases e.g. passport

For this method, approved private sector companies are given access to check the details of an individual, confirming only if the user seeking age verification has provided completely correct information (not giving direct access to the data they hold).  This is called one-way blind check.  So the user would enter their name, address and date of birth, and the AV provider can check with a government database that  the date of birth and all other details  are 100% accurate.    If any detail is wrong, the check fails but the AV provider is not given any detail about what part of the data entered does not match the official record.

In the UK, Her Majesty’s Passport Office is piloting this mechanism. The same approach can be extended to other databases e.g. tax, benefits, education, housing but in many countries,  this may require legislation to allow users to instruct the government to confirm the accuracy of their personal data through such one-way blind checks.

Social  Proofing / algorithmic profiling

This is another artificial intelligence solution which assesses the likely age of a user based on their online behaviour.  Estimates are based on a user’s online public profile and how they interact with an online service – their interests, their friends, their school etc.  but cannot determine an exact age, and has a wider margin for error and risk of evasion, making it unsuitable for applying many legal and regulatory requirements.  That said, this is a relatively new area, but one which is also improving.  It is limited by access to personal data,  which for a new user will not exist on the service they are accessing, and where it exists elsewhere, access is likely to be restricted by data protection laws.

Account holder confirmation

This is where an adult who has already been age-verified, provides confirmation that a child is of a certain age.  For example, an adult may open an account for watching video content online and create a profile for their children to use that account in a limited age-appropriate manner. 

This method relies on the honesty and involvement of a parent or legal guardian, and it is also not easy to confirm that the person creating the child’s profile has the legal power to do so.  While other independent methods of age assurance are developed, this may be pragmatically adopted as a proxy for verification.  

How accurate are these methods?

Each of these, alone or in combination, verify age to a different ‘level of assurance’.  Regulators can determine the level of assurance they require for each use.  So to view an 18 rated film, it might be deemed sufficient to rely on a credit reference agency based check.  But to buy a knife online, the requirement may be for a government issued identification document to be used, its chip interrogated and facial recognition software applied to ensure that the person making the purchase at that time is the same person to whom the ID document was issued. For details on standards and levels of assurance, click here.

What about “self-declaration?

Self declaration is simply asking users to tick a box, or enter their age or date of birth –  without any additional checking against other data sources. 

Technical measures can reduce the risk slightly – for example, allowing any year of birth to be entered, not only a the year from before which the user would meet the site’s minimum age requirement, or preventing users applying trial and error by repeatedly amending their age until they are admitted.

These weak methods of age assurance would not, on their own, achieve the level of accuracy required for robust age checking which passes the principal standard for age checks, BSI PAS 1296:2018.  They can be used in combination with other age assurance techniques but on their own, they fall outside the scope of age assurance.

CONTACT

General Enquiries: avpa@avpassociation.com 07811 409769