In a widely syndicated article, entitled “The many ways that California’s online age-verification law is unconstitutional”, Professor Eric Goldman and Dr Adrian Moore demonstrate that they are either unaware of, or choose to ignore, the state of the art in online age assurance.
They start by correctly accepting that self-reporting by checking a box or entering your birthdate doesn’t meet the law’s requirements.
They then mention the use of automated age estimation using biometrics, like face scans, but do not explain why they see this as problematic. It is possible to estimate a user’s age, to within +/- 1.5 years, from a selfie image. The image is turned into a mathematical analysis of a face – at which point the amount of data being used is no longer sufficient to re-identify an individual, and certainly not enough to re-create an actual image. Those numbers are compared with the numbers generated by thousands of other images from people whose age is known, to spot common patterns that are found amongst people of the same age. It’s not rocket science, and indeed, if you are particularly sensitive about sharing even that mathematical map with anyone, the analysis can be done locally on your own device, so your image need never leave it. Even if the image is turned into numbers elsewhere, it is immediately deleted.
Finally, they turn to the more conventional age verification through document review. They claim this means showing government-issued identification to verify BOTH your identity and age. They argue this means sharing private information with every website operator and that can be used to steal your identity. But this is to completely ignore the way the existing, widely-used age verification sector is structured. First, it is not the website operators themselves that check your age, but independent third parties who do so, and, as a result of strict data processing laws in Europe which US state age verification laws are replicating, must not retain any personally identifiable information except a date of birth. These services then respond to websites with only a “yes” or “no” to a question as to whether a user is old enough (or in some cases young enough when sites wish to keep out predatory adults). Identity data is neither stored nor shared. Indeed, the essence of the online age assurance industry is proving your age without disclosing who you are.
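A minimal sketch of the “yes” or “no” exchange described above, added here as an illustration and not taken from this article or from any age assurance provider. The function names, claim fields and the shared HMAC key are assumptions; a production service would more likely sign its answer with an asymmetric key.

```python
import hashlib
import hmac
import json
import secrets
import time
from datetime import date

# Assumption: provider and website share this key out of band (constructed value).
PROVIDER_KEY = secrets.token_bytes(32)
CLAIM_FIELDS = {"exp", "min_age", "nonce", "over"}


def age_on(dob: date, today: date) -> int:
    """Whole years completed on `today`; a 29 February birthday counts from 1 March."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def provider_answer(dob, min_age, nonce, today, key=PROVIDER_KEY):
    """Provider side: sees the date of birth, emits only a yes/no bound to the site's nonce."""
    claim = {"min_age": min_age, "over": age_on(dob, today) >= min_age,
             "nonce": nonce, "exp": int(time.time()) + 300}
    body = json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def site_accepts(body, tag, expected_nonce, min_age, key=PROVIDER_KEY, now=None):
    """Website side: checks integrity, freshness and the question asked; learns only yes/no."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False                      # forged or altered answer
    claim = json.loads(body)
    if set(claim) != CLAIM_FIELDS:
        return False                      # refuse answers carrying extra (identity) fields
    now = time.time() if now is None else now
    return (claim["nonce"] == expected_nonce   # not replayed from another session
            and claim["min_age"] == min_age    # answers the threshold this site asked about
            and claim["exp"] > now
            and claim["over"] is True)
```

The website never receives the date of birth or any document data: the only inputs to `site_accepts` are the signed boolean and the nonce the site itself issued.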
As an industry, with funding from multinational organisations such as the European Commission and United Nations, we have developed an interoperable network that will allow you to re-use one age check across multiple sites. It is likely the first check you will do will be for a major platform such as Meta’s Facebook or Microsoft’s Xbox, in which case you’ll use an age assurance provider selected by them which will have been subject to detailed due diligence including checks on privacy and data security measures.
Indeed, the industry operates to international standards covering accuracy, privacy and security, and providers can be independently audited and certified against those standards by government approved conformity assessment bodies around the world.
In ten years’ time, we will look back in horror at what – and who – we exposed our children to online without any protection. In the real world, we do not allow them to walk into a bar, casino or strip club without the owners blocking their admission – yet we do this online today without any limitations.
Age assurance is a proportionate, convenient measure to protect kids online. If we can put a man on the moon, we can check your age when you use the Internet without exposing your identity. We doubt the Founding Fathers foresaw the abundance of hardcore pornography and thousands of adult sexual predators catfishing millions of children when they drafted the First Amendment, and if the US Constitution is to stand the test of time, it must be interpreted based on a clear understanding of the capabilities of technology to manage these risks to our children without risking the freedoms of adults.