Last year, we helped to provide expert witness testimony for US federal courts considering whether various state laws requiring age verification, be that for pornography, social media or age-appropriate design, were constitutional.
The arguments heard in court, and the written judgements which followed, provided a helpful list of do’s and don’ts for legislators in the USA drafting legislation which requires age verification. Here are the main lessons we learned:
Scope
Laws need to be precise and clear about which sites are in scope. They should also be obviously targeted at certain services and not others in an arbitrary or arguably biased manner.
If a category of sites is to be defined, then avoid doing so in terms of the percentage of their content which is harmful, e.g. more than one third of content is obscene. This raises the question of how that is measured. What is being counted: gigabytes, pages, images, views or minutes of available video? And there is also the risk that an adult site with 200,000 pornographic videos adds 400,001 cartoons to bring it under the one-third threshold. Far better to define the sites in scope based on the percentage of content downloaded or viewed that is obscene, and be clear whether that is measured by the amount of data in GB or by the number of views of pages which host obscene content as a percentage of all page views.
Better still, require age verification (AV) not for the site as a whole, but instead for any page that includes obscene content. Although this came up in a case about social media, the same simile may be applied: requiring AV to create an account was the equivalent of checking age at the door to the shopping mall, not at the entry to the bar within it. So, children were in danger of being prohibited from accessing many other innocent stores, or in the case in point, legally protected free speech, in a very broad attempt to protect them from specific harm. So, to pre-empt adult sites adding some harmless protected free speech within their site that would then make an age check to enter the site in the first place unconstitutional, apply age verification only to pages that host harmful content.
Methods of age verification
Many examples of legislation have enumerated the methods of age verification that are permissible. Doing so immediately stifles innovation, as new methods are being developed all the time. It can also require higher cost methods, perhaps by giving a monopoly to some sources of age check or insisting use is made of expensive data brokers, for example.
We recommend that legislation defines the outcome required, and takes advantage of the latest international standards and the certification processes these facilitate.
The UK Online Safety Act requires “highly effective age assurance” to ensure that minors can “not normally encounter” pornography (and some other high risk content such as that relating to suicide and self-harm). The legislation leaves it to the regulator to put flesh on the bones and define in regulations and guidance what it would regard as highly effective, and “not normal”. In the US context, this would be achieved by giving rule-making powers to the Attorney General, Department of Commerce or similar.
We would recommend that the legislation allows the rules to make reference to standards, e.g. “The Attorney-General may refer to agreed international standards and require age verification systems to be certified to meet any such standard or its equivalent.”
In terms of how effective those systems must be, the standards also include defined levels of assurance: basic, standard, enhanced and strict. At a headline level these require accuracy from 90% to 99.9%. So, for example, if the rule required age verification to the enhanced (99%) level, then no more than 1 in 100 under 18s should be able to slip through the net. This approach recognises that no technology is infallible, but sets boundaries around the degree of error which will be tolerated. Sites where 5 or 10% of those under 18 attempting to gain access manage to do so can expect enforcement action.
Private right of action or state enforcement
A recent constitutional tactic is to create a private right of action, preventing the Act itself being challenged because of the 14th Amendment. But as we understand this, that merely delays the same constitutional challenge to when the first claim is brought, so offers only temporary protection for a new law.
The benefit of state enforcement is that rules, such as those mentioned above, can be set. They can be updated as technology evolves more easily than amending the underlying statute. Expectations can be set out clearly for what is required to be compliant, by the same authority that decides whether to penalise a site. A level playing field can be set for all sites, which is also important to avoid a race to the bottom, as sites may otherwise adopt the most lax verification measures they think they can get away with to retain maximum traffic levels.
Lifting the burden
The original Supreme Court case which prevented age verification being introduced at the start of the century argued that it placed too great a burden on adult Americans wishing to access constitutionally protected free speech. We’ve already recommended that AV is applied narrowly, only to pages with obscene content, so that already pre-empts this argument. But additional defense is possible by ensuring that the AV process is as simple, cheap and un-invasive as possible.
Simplicity is aided by offering a wide range of options to the users so they can choose the one they find easiest to use. So not enumerating methods, but instead allowing for any method certified to an international standard which delivers the required level of effectiveness, also helps.
Cost is also kept down by allowing for a wide range of methods, as it will allow for greater competition. Reusable age checks, and an interoperable network so that a check on site A can easily be used again on sites B, C and D etc., should also be allowed for by the statute.
And the use of a third-party provider which does not retain any personal data once the age has been verified, and instead only confirms “yes” or “no” to an adult site which asks if the user is 18+, prevents invasive questions about a user’s identity from adult websites. AV was developed mostly in Europe where strict data protection laws prevent personal data being retained unnecessarily or used for purposes other than the user originally intended, so similar data protection measures should be included in AV laws. Regulating providers should be considered, with the simplest mechanism available being to require them to be audited and certified to international standards (known as “co-regulation”).
Access and service
All the draft laws we’ve reviewed to date rely on fines to secure compliance, whether imposed by regulators or the courts. These may not always be effective given the global nature of the worldwide web. The UK has solved this by taking powers for the regulator not only to require that access to non-compliant sites is blocked, but also to insist that suppliers of critical business services such as payments, advertising, search and hosting, withdraw those services if an adult site is not requiring highly effective age assurance. This backup plan should be included in US legislation (as seen in other areas such as federal laws on the sale of marijuana).
Virtual Private Networks
We have yet to see a law that includes a “get-out-of-jail-free” card for adult sites accessed via a virtual private network (VPN). It does not matter whether a child accesses the site directly, with a VPN, or using two paper cups and a piece of string: the laws require the sites to prevent children in that state from accessing adult content. Some adult sites have blocked IP addresses in states with AV laws but sold VPN services on the webpage notifying users of the block. These sites either have a false sense of security that they are immune from prosecution if children use a VPN, or are deliberately trying to shape the belief that this does create immunity.
The UK regulator’s draft rules explicitly prohibit adult sites from promoting VPNs or any other means of circumvention. This should be considered as a provision in US laws too, if the rule-maker would require statutory cover for such a rule.
But here is also where the phrasing “not normally able to encounter” is helpful. If VPNs, GPS spoofing etc. become widely used in a state, then adult content has become normally available to children, so those sites will have to tighten controls. They can, for example, block traffic from known VPNs (the cheap ones are easily spotted; indeed, lists of the IP addresses they use are publicly available) or apply AV to all VPN traffic.
Further advice
We are available to provide technical advice to legislators drafting or considering legislation which requires age verification. Do get in touch here.