More and more of us are becoming aware of the risks of ‘phishing’ – fake emails or websites that seek to extract personal data, particularly passwords and other secrets we use to secure our online activities. This is, sadly, not a problem unique to age verification, as many other online services are at risk of such attacks.
But that does not mean we are not vigilant because Age Verification could become a new vector of risk for this. We believe it is critical that the sector is closely regulated, and consumers are able to confirm that providers are trustworthy before they disclose personal details in order to verify their age.
We also recognise that it is not enough to rely on consumers to conduct their own due diligence. There are additional measures in place to mitigate this risk.
- Age-restricted websites themselves are concerned that they use only reputable, certified AV providers. They have no commercial interest in putting their customers at risk of data breaches. And most people are first prompted to do an age check by a website they already know and trust. It may be their preferred supermarket when they first order alcohol for delivery, or a gambling site operated by a high street brand. Even if their first request for age verification comes from a porn site, most people use the largest, better known sites. All these websites select AV providers, and carry out their own due diligence on those providers, because they do not want to put their user’s data at risk of theft, given the reputational damage that would cause to them. So individuals need not decide alone which sites are trustworthy.
- Second, Certification Bodies list those providers they have audited, and consumers can link directly to these sites from these registries. (The UK government is developing a Digital Identity and Attributes Trust Framework which licenses identity providers, issuing a logo that will link back to the regulator’s list of approved suppliers – age verification providers offering their services for the sale of alcohol will soon need to be certified this way too).
- Third, AV providers are vigilant for imposters, which are in effect stealing their business. In the UK, they can report them to the ICO which has extensive powers to act against any site that is abusing personal data. Data protection authorities across the EU and the rest of the world have similar powers.
- In addition, the euCONSENT project is connecting multiple AV providers across the AgeAware network so you can re-use an age check done with one provider on websites that use other AV providers. There is extensive and ongoing due diligence of suppliers who join this network so that is a further safeguard. Consumers will be able to go to the euCONSENT website and check which providers are certified.