As a wave of new laws requiring social media companies to verify the age of children continue to pass, U.S. Senator Brian Schatz of Hawaii and his bi-partisan colleagues Senators Tom Cotton, Chris Murphy, and Katie Britt have introduced a Federal version, the Protecting Kids on Social Media Act. In essence, this would require any online application or website which allows users to publish or distribute to the public or to other users text, images, videos, or other forms of media content not to open accounts for children under 13, and only to do so for those aged 13-17 with the consent of a parent or guardian. Algorithms used to select which content and ads to display would also not be allowed to used for users under 18. Obviously, to implement such a law, social media platforms will need to know which users are under 13, which are under 18 and which are adults who can open and use accounts as at present, which is where age assurance comes into play.
Opponents of the measure have reached for the playbook used in the UK when plans were first announced to require age verification for pornography, repeating all the arguments which have gradually been abandoned in Europe, as technology which can, after all, put a man on the moon, has developed to deliver a much simpler objective – prove your age online without disclosing your identity by maintaining the strictest privacy protections. Some 40 companies are doing this, thousands of times an hour, fully preserving the anonymity of users, protecting their privacy and data security.
In this post, we hope to paint a picture of how privacy-preserving online age assurance already works in practice, and will operate in the US, if the market develops along the same lines as it is in Europe.
We should not be forced to give Twitter, Meta or Tiktok our ID to prove our age online
Of course not. Specialist age verification technology is designed to ensure you don’t have to.
The first moves to check age online were, unsurprisingly, to prevent children seeing pornography. Adult sites were very concerned their users would stop visiting them if they thought their identity might become known, and the site would keep a record of what they viewed, putting them at risk of being exposed or blackmailed. So, the adult sites needed a way to reassure their users and the simplest option was to use an independent, trusted third-party to do the age check, and then to confirm only to the adult site the answer “yes” or “no” to the question, is this user old enough to access adult content.
Age Verification is Completely Privacy Preserving
Our age verification companies only send social media companies the result of the age check, as “pass” or “fail.” This can be supplemented with non-identifiable information for audit requirements, such as the method used to complete the check, or a defined “level of assurance.” Our age verification companies don’t share or maintain access to anypersonal data. Even those which also offer a re-usable digital identity (from which age can obviously be derived) need the user to turn a digital key to release any personal data.
None of our members have had a data security breach because they do not create any central databases of personal information. All a hacker could find is that a user who perhaps chose the username MickeyMouse123 was born on May 7 1967.
Age Verification Maintains Online Anonymity
Our providers are doing millions of verifications a year.
The essence of age verification is that it is NOT identification. That is a separate process, which perhaps might be an option used by dating sites to deter catfishing or dating fraud, for example. But that is very different, and would require separate and explicit consent. Age verification is a strong indicator that the user is a real person, not a bot, but does not disclose any personal data other than a simple yes or no, as to whether the user is over (or under) a particular age.
How do we know the Age Verification Companies are only testing age?
Where a social media platform uses one or more third-party age verification providers, it is the platform rather than the user who selects which providers are available. A data breach can be devastating to a large online service, so they exercise careful due diligence in selecting their providers and will only use those in whom they have confidence that their user’s data will not be abused, lost or stolen. That means selecting providers who put privacy-by-design and data minimization at the heart of their system.
How do we know the Age Verification Companies are Preserving Privacy?
The last thing any social media company wants to do is give a third-party a list of the identities of their users. By selecting providers who are already audited and certified to international standards, social media platforms are able to choose only those which have been rigorously tested to keep data secure (by not keeping it!), protect privacy and accurately check ages. While the USA does not have an equivalent data protection regime to Europe’s GDPR, the Act proposed by Senator Schatz includes the key provisions applicable in Europe that prevent personal data used during the age verification process from being kept and abused.
How do we know this technology will work?
It is already being used to perform millions of online age checks every month, be that for accessing gambling sites, buying alcohol or vapes and, increasingly, social media platforms for their European users. We have 25 members who provide age verification, and all do so in line with our Code of Conduct, so even in parts of the world where GDPR does not apply, the principles of privacy-by-design and data minimization must still be applied. This code is binding on all our members and requires in summary:
- Fairness and transparency (data used to verify age should not be used for other purposes without consent),
- Use of appropriate verification methods (compliant with international or local standards),
- Privacy and Security (privacy and security by design’ principles and minimization of the use and retention of personal data)
- Accuracy (rectify inaccurate data)
- Independence (operational and financial independence from the suppliers of age-restricted goods, services)
Is it tested?
Yes. There is already an audit process for age verification technology, against the existing international standard (published by the British Standards Institution, BSI). In the US, the Institute of Electrical and Electronics Engineers (IEEE) is about to approve an updated standard for age verification, and an International Standards Organsiation (ISO) standard is also being developed. Certification is offered by accredited auditors, approved through the global ILAC Mutual Recognition Agreement.
But what if I don’t trust any of the third-party options?
Using your full ID is only one way to verify your age. Increasingly accurate software can estimate your age based on face or voice analysis, or even by studying how you play a computer game. With these techniques, you need never share your name, address or even your actual date of birth. The best facial analysis software achieves results with an average error of only 1.5 years. So, this may allow some 11 and 12 year olds to slip through the net, but will quickly put a stop to the majority of children under 13, and nearly all under 11, from opening a social media account. This may way constitute a reasonable method of age verification which is all the Bill requires.
Isn’t facial estimation biased by skin-tones.
In the early days of using facial recognition software, it was trained using only white faces. When tested on other skin tones, unsurprisingly it was not as accurate. The problem was addressed by ensuring proper diversity in the population used for this training process.
Okay, age checks might be private but parental consent must require social media platforms to ID the parents?
Exactly the same approach can be applied for parental consent as for age verification. So, when an age verification provider learns that the user is aged 13-17, they can ask the child to nominate a parent or guardian to give consent. An age check on the parent can provide some reassurance it is not just a friend of the child pretending to be a parent. Various clues can be checked to build confidence that the adult is legally responsible for that child.
Where state authorities agree, it is straightforward to confirm against official databases that the child has nominated their actual parent or guardian, using a “one-way blind check” to preserve privacy (“We’ve been told by child x that their parent is y – is this accurate?” to which you only get a yes or no response, not the more revealing “no, their parent is actually not y it is z”.)
Because the Bill reserves to parents the right to withdraw consent, they can be given a unique link when they first give consent that will allow them to revoke it. The AV provider need not retain any personal information about the parent for this to be available.
The internet should be free from government regulation.
This is, of course, a legitimate political position to take, but to be consistent, by extension proponents of this approach must surely also call for kids to be allowed to roam free downtown, going into any bar, casino or strip club without hindrance, and to talk to hundreds or thousands of strangers in the park, perhaps in private huts created so their parents and passing police officers cannot see or hear what they are doing.
But society has decided over many decades that there are some things we don’t want kids to do or see, and we often ask adults to prove their age in order to implement these democratically determined rules. In fact, we usually do so quite intrusively, looking at a driving license with far more personal information than is needed to confirm age. With the advent of the ‘metaverse’, as we all spend far more of our lives in a virtual not a real world, Bills such as this seek only to apply the same rules online as offline – and, thanks to technology, we can do so in a far more privacy-preserving way.
Whether its for social media or any other purpose, verifying the age of an online user without requiring them to disclose to a social media platform their full identity, is technically straightforward. As with banking or healthcare, regulation is required to safeguard data, and this can be complemented by audit and certification processes to give consumers the confidence they require.
Through a simple referral network, age checks can be re-used across multiple platforms, so there is minimal impact on the user’s experience. This also delivers a cost-effective, ubiquitous solution to make the internet age (but not identity) aware, allowing the same norms of the real-world to be applied to our virtual lives.