The age verification industry promotes the development and adoption of international standards as the most effective way to align global regulatory requirements and enable convenient, cost-effective and interoperable online age assurance.
The age assurance sector is transitioning to adopt IEEE 2089.1 which is replacing BSI PAS 1296:2018 as the industry’s global standard, and will, once it is approved, also adopt the requirements of ISO/IEC 27566 – this page explains how these standards complement each other and create a robust foundation for the AV industry.
International standards set out the requirements for high quality, reliable age checks using a wide-range of methods. Each method or combination of methods delivers a different level of confidence in the result (or “level of assurance” as it is technically termed) so that websites and regulators can consider the appropriate level of check they conduct – usually decided in proportion to the risk of harm particular goods, services or content present to children.
These levels are affected by a combination of factors – for example, not only their basic accuracy but also the extent to which we know the evidence used belongs to the user providing it, the ability of the system to prevent fraud such as presentation attacks using a mask or injection attacks with deepfake images, and how recently the check was performed.
Regulators have not yet been specific in the level of assurance they expect for particular risks, but we hope these standards will provide a framework for doing so.
Example: The UK Online Safety Act 2023 requires ‘highly effective age assurance’ for the most harmful online content. We have proposed that this could be defined as: Highly effective age assurance systems must demonstrate that their certified expected outcomes are such that more than 95% of children under 18 are prevented from accessing primary priority content, and more than 99% of children under 16 are prevented.
Standards allow for these levels of assurance to be discussed, designed, delivered and required by regulators or laws, all using a common understanding and language so there is less confusion about what is intended.
IEEE 2089.1 Standard for Online Age Verification was published in May 2024, the result of over two years of deliberation by a working group of industry experts from around the world.
It sets out a best practice process for implementing age verification (including age estimation), beginning by identifying relevant legislation in the jurisdictions where a digital service determines its need to be compliant, then selecting the appropriate methods of age assurance, conducting it, then measuring its level of age assurance while also ensuring privacy protections, applying data security measures and promoting interoperability.
For the first time, this standard defines a common, multi-dimensional approach to measuring the effectiveness of an age assurance process which can be applied across different methods – including both estimation and verification.
You can access the standard from the IEEE’s website here. ($77, $62 for Members of IEEE, or free by subscription).
ISO/IEC 27566 (CD)
The International Standards Organisation accepted a proposal from the UK, supported by the UK Government to define an ISO standard for age verification.
ISO/IEC 27566 Information security, cybersecurity and privacy protection — Age assurance systems — Framework Part 1: Framework has reached the Committee Draft stage in its development, which means there is a stable document which has been agreed by the relevant global working group (SC27/WG5).
The AVPA is engaged with BSI, which leads on its development, with an approved standard expected to be ready in 2025.
Two further parts of the Standard will follow, addressing methods of age assurance, and their measurement.
A three part international standard
- Age Assurance Systems –Part 1: Age Assurance Systems – Framework
- Age Assurance Systems –Part 2: Benchmarks
- Age Assurance Systems –Part 3: Technical Architecture
The British Standards Institution, BSI published in 2018 the first standard in this field which was widely adopted by the age verification sector. It is titled “Online age checking. Provision and use of online age check services. Code of Practice” and is also known as PAS 1296:2018. (The standard was sponsored by the Digital Policy Alliance which brought together a wide-range of stakeholders to achieve a consensus for the standard).
BSI PAS 1296:2018
- Describes how “levels of assurance” can be based on a “vectors of trust”
- Can be conveniently referred to in regulations to guarantee that age verification is delivered to the required standard
You can obtain a copy from the BSI here. (£114)