Speaking to the Privacy Laws and Business Conference at St John’s College, Cambridge University last month, the AVPA’s Executive Director updated delegates on the latest situaton in the rapidly evolving age assurance sector:
The problem we have on the internet was probably best encapsulated by a very early cartoon which showed two dogs sitting on an office chair, on a laptop and one dog says to the other, “It’s great: On the internet nobody knows you’re a dog.” And the problem we have is that, of course, on the internet nobody knows if you are a child, so anytime we want to offer differential protections for children rather than adults or indeed to preserve the freedoms of adults while protecting children, we need to get some sense of the age of users.
As you know, this has progressed sector by sector and, like a lot of things on the internet, it started with pornography. In the UK, we had the Digital Economy Act which created a lot of my members as they prepared to try to figure out how you could prove your age online without disclosing your full identity. That was obviously very important for people a bit nervous about being tracked as to what their particular peccadillo might be when they were looking online at adult content.
But it moved fairly quickly, not least because the government got cold feet on that. I would say the technology was ready to go – as ready as it is today. Many of my members pivoted to helping people with things like age-restricted purchases of alcohol, vaping products and the like but then increasingly we’ve started to become worried about processing of data for children and people on the internet – bad actors adults who are trying to subvert children.
So all of these things really, I used to say in these speeches, are leading to a tipping point where we need to know the age of users but I genuinely believe we’ve passed that tipping point now, and if all the existing legislation was rigorously enforced – and I have lively conversations with our regulator friends about that level of enforcement – the vast majority of websites, unless they’re the completely the most innocent website you can imagine with nothing but nursery rhymes on it, ought really to have a good idea of the rough age of their users and do that in proportion to the level of harm. Obviously, as the harm increases, you know, with even more accuracy that your users are old enough
There’s been a veritable tsunami of legislation which drives me to this conclusion.
- GDPR is perhaps a good place to start. Even without the UK’s interpretation in the age appropriate design code, GDPR does expect you to take special precautions around children’s data and protect them from mental and physical harm through processing their data. Obviously, in the UK, that’s been much more clearly articulated in that “Children’s Code” and that now means we don’t just need to know whether you’re an adult or a child but, in some cases, roughly what age group of children you are.
- The Audio Visual Media Services Directive has given our colleagues at Ofcom the opportunity to get started on this with just 18 websites. It’s taken them two years to get up and running regulating that so we’re not quite sure how long it’s going to take them to do the other five million porn sites under the Online Safety Bill – hopefully not in proportion!
- Then you’ve got sort of coming forward things like the Digital Services Act with its prohibition on using artificial intelligence to target children with advertising so immediately any site with advertising is going to need to know whether it’s got children or not in order to figure out what tech it can use to target them.
We use a wide range of methods to do age verification. Traditionally, as you might imagine, you used to scan your passport and send it to your wine supplier. We can do that electronically now – it’s called eIDVT – electronic identity documents verification – but also we use things like open banking to ask your bank to confirm your age, which is a good sort of zero data way of doing that.
We can use our age estimation techniques which are getting incredibly accurate. So, facial estimation – and I emphasize estimation not recognition; the amount of data we use to figure out your age from your face is not enough to recognize you or certainly not to recreate an image of you. But that’s now within a year and a half – plus or minus a year and a half of your real age – for the ages that we most care about, the 13s and the 18s shall we say. And of course, if you’re trying to check somebody’s 18, you can always use the facial estimation to check whether they look over 25, because if they look over 25, there’s a vanishingly small chance they’re actually under 18. Some of the people who knock on doors and deliver alcohol in this country achieve about a 47% success rate in terms of checking your ID – we’re quite happy with our 99.9% success rate.
We are working however to create some international standards so you can measure this level of success and we’re pointing to five different standard ‘levels of assurance’, or ‘levels of confidence’, because if we do that, it makes life a lot simpler for building the tech, for buying the tech, for specifying the level of regulation that you want to impose as a regulator or a policy maker. We have PAS 1296 which is a British Standard. We’re working on an IEEE and an ISO standard and that’s part of a wider project, funded by the European Union on interoperability. It’s called euCONSENT and that’s where we’ve brought together a number of AV providers to figure out how if you go to website A using provider A to prove your age today and then you go to website B tomorrow you don’t have to repeat the whole rigmarole approving your age. We’ll recognize you as a user we have previously been checked, re-direct you back to the original provider who will confirm to the new provider that you’re old enough, or not, to access that website, all in a way that doesn’t actually share any personal identity data. It just sends a ‘yes’ or ‘no’ as to whether you’re old enough. We’ve had a great Advisory Board on that, chaired by a child protection expert John Carr. We’ve been lucky enough to have Google and Meta sitting on that board, as well as representatives for data protection authorities and a lot of business groups from across Europe.
We, as a small independent sector, are a little bit worried that some of our big tech friends might move in and start doing age verification and we’re equally, you know, keeping our eye on things like the European Digital Identity and whether that could do the same job. But I think, how many people really want to use their government ID to surf the net? That could be a restriction on government ID and there are some practical issues with that. Equally, you know, on big tech, if you have to ask big tech to advertise gambling because you’re only allowed to advertise it to an adult audience, that’s an enormous increase in their competitive position so perhaps the competition and markets authorities might not like.
I’ll leave it there. I’m lucky enough to have been interviewed by Stuart for one of his webinars so if you’re struggling to sleep in a strange place tonight when you’re here, download the webinar and I guarantee you’ll get to sleep very quickly and know all you need to know about age verification!