More and more of us are becoming aware of the risks of ‘phishing’ – fake emails or websites that seek to extract personal data, particularly passwords and other secrets we use to secure our online activities. This is, sadly, not a problem unique to age verification, as many other online services are at risk of such attacks.
But that does not mean we are not vigilant, because age verification could become a new vector for this risk. We believe it is critical that the sector is closely regulated, and that consumers are able to confirm that providers are trustworthy before they disclose personal details in order to verify their age.
We also recognise that it is not enough to rely on consumers to conduct their own due diligence. There need to be additional measures in place to mitigate this risk.
- First, age-restricted websites will themselves be concerned that they use only reputable, certified AV providers. They have no commercial interest in putting their customers at risk of data breaches. And most people will first be prompted to do an age check by a website they already know and trust. It may be their preferred supermarket when they first order alcohol for delivery, or a gambling site operated by a high street brand. Even if their first request for age verification comes from a porn site, most people use the largest, better-known sites. All these websites will need to select AV providers, and will carry out their own due diligence on those providers, because they will not want to put their users' data at risk of theft, given the reputational damage that would cause to them. So we are not expecting individuals to decide alone which sites are trustworthy.
- Second, Certification Bodies will list those providers they have audited, and consumers can link directly to these sites from these registries. The UK government is also developing a Digital Identity and Attributes Trust Framework and will shortly appoint a regulator (possibly the ICO) which will license identity and age verification providers, issuing a logo that will link back to the regulator's list of approved suppliers.
- Third, AV providers will be vigilant for imposters, which are in effect stealing their business. In the UK, they can report them to the ICO, which has extensive powers to act against any site that is abusing personal data. Data protection authorities across the EU and the rest of the world have similar powers.
- In addition, the euCONSENT project is connecting multiple AV providers across a network so you can re-use an age check done with one provider on websites that use other AV providers. There will be extensive and ongoing due diligence of suppliers who join this network, which will be a further safeguard. Consumers will be able to go to the euCONSENT website and check which providers are certified.