A number of human rights and LGBTQ+ organizations wrote to members of the US Congress last week opposing a kids’ online safety bill (KOSA) they argue would not actually help make the Internet a better place for children and teens.
We wanted to respond to their concerns about age verification:
“Age verification may require users to provide platforms with personally identifiable information such as date of birth and government-issued identification documents, which can threaten users’ privacy, including through the risk of data breaches, and chill their willingness to access sensitive information online because they cannot do so anonymously.”
The essence of online age verification is proving your age without disclosing who you are to the services you are accessing.
One of the first expected use-caes for age verification was to access online pornography. As you can imagine, it was clear from the outset that users would not want to give out personal data to this sort of site. This has prepared the technology well for safe use by children. Not only did they fear their data being hacked or sold, but they were also concerned that they might be victims of extortion from people threatening to expose their online interests. So the AV sector was built with Privacy-by-Design from the outset, applying the principle of data minimisation religiously.
Our members achieved this in a number of ways. The first is structural – with age checks being carried out not by the websites themselves, but by independent third-party AV providers. These suppliers would check a user’s age using a variety of methods, and then simply confirm “yes” or “no” to the site that user wished to access, if the user was old enough. No personal data was shared with the website. Indeed, some AV providers pseudonymised their users, remembering them only by a username (of their choice) which was associated with age established by the original age check.
Age estimation techniques emerged allowing users to prove their age by sharing only a selfie image or voice sample, which could be immediately deleted once the software had used it to assess the likely age range of the user. There is no unique identification of any user – the AI does a pixel level analysis of patterns that can be associated with people of a particular age in order to estimate age.
Users can also create digital identities and selectively disclose which elements they wish to share; they are in full control of what information they share – so they can choose to share only their age (e.g. 18+) and no other personally identifiable information. As this data is all kept securely and only the user has the digital key to their own information, there is no risk of it being misused.
Across all these methods, no central databases of personally identifiable information are created so there is no new risk of data breaches as a result of age verification – you can’t hack a database that does not exist.
Users can therefore continue to access websites and even open accounts on platforms without giving away the full details of their identity. So users can browse for sensitive topics with confidence that their privacy is being protected.
And through initiatives such as www.euCONSENT.eu there will be the ability to re-use an age check completed on one site across multiple other sites, further reducing the need to share any personal data at all after you’ve completed your first check.
The Open Letter addressed a wide range of concerns with KOSA, but age verification need not be one of them.
- So if it is only the mathematical representation of the patterns resulting from analysis that are written to temporary or permanent storage, then that would not constitute saving the photo image itself’
NOTHING is written to temporary or permanent storage- the AI does the sum and delivers an age estimate. There is no unique identification
- In fact, the amount of data required for this artificial intelligence is not even sufficient to identify the user uniquely – it is just a mathematical representation of certain patterns that can be associated with people of a particular age through machine learning software.