Current Region:
Global

Age Verification, privacy and data…

April 20, 2022

A YouGov survey for the Open Rights Group reports today that 78% of UK adults would not be willing to upload ID in order to access adult websites including pornography.  The principal reasons given by those holding this view are that 64% of them ‘don’t trust the companies’ that would keep the data and 63% are afraid of a data breach and possible blackmail.

This is a useful benchmark to set as a baseline for the age verification industry which must continue to work to correct such misunderstandings and reassure the public not only that their data is safe, but it is in fact not not even retained by age verification providers in the first place.

And for those who are still unconvinced, then we need to promote the many alternative options for proving your age online that are still suitable for accessing adult content but do not require ID to be uploaded in the first place.

Age checks are not only for porn

The first point to make however, is the context of online age verification.  When the concept was first created, it was almost entirely driven by government policies to protect children from stumbling across adult content online.  Therefore, if you need to do age verification, there could only be one reason you were doing it – to look at porn.  AV was synonymous with porn and attracted a similar level of stigma.

But nowadays, the list of reasons you may need to prove your age online is growing by the day: to buy alcohol when you order home delivery; to purchase vaping products; to give consent for a website to process your personal data (you need to be 13+ otherwise its not valid without your parent’s consent too); to gamble online; to see ads for that gambling; to order new cutlery; to make in-app purchases; to join a dating site; or to open a social media account.

The Age Verification sector has developed a new network which will allow most users to prove their age once for any one of these reasons, and then re-use that same check for most of the other purposes.  So your six-pack of beer ordered yesterday will mean that logging into an adult site today does not require you to dig out your ID again.

Age Verification providers don’t store your personal data

The essence of age verification is to be able to verify your age WITHOUT disclosing your full identity.  When you walk into a bar, they don’t need to know your name, just that you are at least 18 before they can serve you.  So there is no need – and therefore no legal justification under data protection laws (UK GDPR) for AV providers to retain any other personally identifiable information about you, apart from your age.  And even then, they generally don’t even disclose that – instead simply responding “yes” or “no” to a website needing to know if you are old enough (or in some cases young enough) to access the site.

If you do use government ID such as a passport or driving licence to prove your age, then that process takes only a few seconds, and the AV provider has no need to retain the rest of the data so it is generally deleted immediately, or perhaps within a few days at the maximum to allow for quality assurance checks or audits.  The AV provider can continue to assure its client websites of your age while storing as little data as a username (MMouse2022 will do) and your date of birth.   Further safeguards often require the user themselves to supply a digital key held on their own device to unlock access to their own data.

Age Verification providers don’t record which websites you visit

The only non-hackable database is no database at all.  Examples such as the Ashley Madison data leak taught that lesson to anyone who had not yet realised this.  Adult sites are particularly conscious of this, given the fatal impact it had on that particular business, so would never wish to put their own users’ data at risk by working with an AV provider that created such a honeypot for hackers.  So not only for legal reasons – as again there is no need to retain this data and therefore no legal basis to do so –  but also for good commercial reasons, AV providers do not retain any record whatsoever of which site enquired about which user.

The underlying architecture of age verification is double blind – the website you are accessing never knows your identity; and the AV provider does not record which sites you visit.

But how can we trust AV providers to operate this way?

There is no doubt that, just like other organisations you trust with your personal data such as banks, credit reference agencies or the NHS, the age verification sector must be tightly regulated.  The Information Commissioner’s Office is already very focused on the sector, and as well as being checked against GDPR, providers should be inspected to confirm they operate in compliance with relevant international standards – BSI PAS 1296:2018 at present, but shortly to be updated by both IEEE and ISO standards reflecting the latest technical advances.

But what if I still don’t trust an Age Verification provider with my ID?

Well, in that case, don’t give your ID to an AV Provider.  There are other ways to prove your age.  For example, facial estimation uses artificial intelligence to calculate your age by comparing a mathematical map of your face with thousands of maps of other faces where the actual age is known to the software; this can provide estimates accurate to within 1 1/2 years.  Regulators may request a 2 or 3 year buffer with age estimation systems, and so may insist the algorithm guesses you look 20 or above, safe in the knowledge 18 is outside the margin of error,.

And what if you are 18 or 19 and the estimation software does not give you the green light?  Well, you can always use a reusable digital ID wallet to share only the fact that you’re over 18 or  open banking to get your bank to give you the thumbs up that you are over 18.  We are increasingly familiar with being referred by one website to log into our own bank to prove our ID, or even to instruct a payment to a credit card; the same system can be used to give your bank permission to disclose your date of birth –  and only your date of birth – if that is all you want it to share with an AV provider.

In early tests of AV solutions, many users preferred to provide simply their credit card details, which is also likely to be sufficient for accessing pornography, subject to the detailed requirements that will be set by Ofcom.  For some, this may be too close to ID, or present a further financial risk they prefer not to run.  Another alternative is your mobile phone,  as these are restricted unless you prove your age to your network provider, and that can be the basis of an age check to access content in other ways as well.

Can I just use a Virtual Private Network?

You can, but this does not affect the compliance record of the site you are accessing.  However you reach it – conventionally, with a VPN or using two paper cups and a piece of string, if UK users are given access to adult content the site will be required to apply age verification or face fines, access and support service blocking.

But why should I share any data at all?

Age verification is only helping to enable the same level of protection for children when they are online, as we have offered them in the real world for centuries.  Adults suffer the inconvenience of proving their age at the till, or the cinema, or to enter a casino, but generally accept this as a small sacrifice to protect kids from adult activities. Online, technology can make this far less inconvenient than in real life, but without it, children will continue to have unrestricted access to all kinds of pornography, as well as the wider range of online harms where most people believe we have a duty to provide more protections to children than adults.

Privacy; a foundational concept for age verification

Privacy; a foundational concept for age verification

Perhaps the most frequent concern raised about age verification is a risk to privacy.  But the essence of age assurance is the ability to prove your age online WITHOUT disclosing your identity.  Our industry would not exist were there not the absolute need to preserve...