How does AV work?
Currently, age verification checks (to the standards defined by BSI’s ‘PAS 1296:2018’) can be conducted using any of the following methods, either alone or in combination.
Different methods (or combinations) offer more or less confidence in the accuracy of the result – this is referred to as the “level of assurance”.
Digital identity via hard identifiers i.e. Identity Documents (Passport, Driving Licence)
An identity document can be reviewed either as part of an organisation’s online flow and just the age detail noted. This can then be re-used as a token to access multiple sites. Or when users set up a reusable digital identity wallet and verify their identity details, they can subsequently share their age attribute, such as 18+ or under 18 without disclosing their full identity
Users typically submit an image of these documents using their smartphone camera. OCR technology reads the data from the document which is validated based on known security features. The photo on the document can also be compared to a freshly taken photo of the user. Or Near Field Communication technology can be used to read the microchip in the document, and the data on the chip compared to the image of the document, and the photo of the user. These standards are defined in the electronic Identity Document Validation Technology (e-IDVT) guidance issued by the UK Cabinet Office.
Private sector databases e.g. Credit reference agency data
Users enter their name and address, and a search is made of credit reference agency databases to confirm the details are accurate and obtain or confirm the date of birth.
Government databases e.g. passport
The UK Passport Office is piloting allowing private sector companies to check the details on a passport, confirming only if they are correct (not giving direct access to the data they hold). This is called one-way blind check. So the user would enter their name, address and data of birth, and the AV provider can check with the passport office that the date of birth is accurate. This can be extended to other databases e.g. tax, benefits, education, housing
Users enter their name and address, and a search is made of the electoral roll databases to confirm the details are accurate and that they are over 18 by virtue of being on the roll.
Mobile Phone account records
In the UK, mobile phone companies apply parental controls to new phones and sim cards which can only be unlocked by proving your age to the network. Once this process has been completed, age verification providers can check if a phone has access to adult-only restricted content, thereby confirming a user has been checked by their network to be an adult.
Age estimation via facial analysis
Users are either prompted to look into the camera on their device to share an image. Or the site will compare the estimated age of a profile picture to their face during a livestream. submit either a still or video image and artificial intelligence then estimates their age. The AI learns how to do this by reviewing hundreds of thousands of anonymous images of people with a known age, and this means the technology is becoming better by the day. Presently to be sure that someone is definitely over 18 or under 18, typically systems are set with a narrow buffer of 2-5 years, depending on the risk profile of the platform, the sector and any regulatory requirements. There is no need for age estimation to retain any data about an individual, the result is instant and the facial image can be instantly deleted. Facial analysis is quite distinct from facial recognition as no images are being matched.
Social Proofing / algorithmic profiling
This is another artificial intelligence solution which assesses the likely age of a user based on their online behaviour. Estimates are based on a user’s online public profile and how they interact with an online service – their interests, their friends, their school etc. but cannot determine an exact age, and has a wider margin for error and risk of evasion, making it unsuitable for applying many legal and regulatory requirements. That said, this is a relatively new area, but one which is improving rapidly.
Account holder confirmation
This is where an adult who has already been age-verified, provides confirmation that a child is of a certain age. For example, an adult may open an account for watching video content online and create a profile for their children to use that account in a limited age-appropriate manner.
How accurate are these methods?
Each of these, alone or in combination, verify age to a different ‘level of assurance’. Regulators can determine the level of assurance they require for each use. So to view an 18 rated film, it might be deemed sufficient to rely on a credit reference agency check. But to buy a knife online, the requirement may be for a government issued identification document to be used, its chip interrogated and facial recognition software applied.
What about “age assurance”?
Age assurance is a more general term for any attempt to assess the age of a customer, and it is currently less well defined than AV. It may include self declaration – simply asking users to tick a box, or enter their age or data of birth – without any additional checking against other data sources. Technical measures can reduce the risk slightly – for example, allowing any year of birth to be entered, not only a the year from before which the user would meet the site’s minimum age requirement, or preventing users applying trial and error by repeatedly amending their age until they are admitted. These weaker methods of age assurance would not, on their own, achieve the level of accuracy required for robust age checking which passes the principal standard for age checks, BSI’s PAS 1296:2018.