Should we use a digital identity trust framework for age assurance?

February 24, 2021

Last week, the UK government published its Digital Identity and Attributes Trust Framework.  You have to read no further than the second paragraph of Minister Matt Warman’s introduction before appreciating that this document is highly relevant to age verification.  The Minister for Digital Infrastructure writes:

“There are times in day-to-day life when you may be asked to prove something about yourself to access a service or product. When buying alcohol, you may need to prove you are over 18… This might be easy if you have a passport or driving licence and you are able to offer these face-to-face. At other times, it can be difficult.”

Superficially, age verification may be seen by some as just a sub-set of identity-proofing but there are some critical distinctions between the two processes which it is important to understand before  drawing that erroneous conclusion.

People are increasingly concerned about the misuse of their personal data whenever they share it online. There will, inevitably, be considerable mistrust of demands to access a digital identity when a consumer does not understand the need to do so.  While it may make sense to them when opening a bank account, or even booking a flight, there will be a great deal of scepticism about disclosing identity for day-to-day activities online,  such as finding information on dieting or researching the effects of illegal drugs.  Yet, these  are good examples of where society would often not wish young  children to have unfettered access.

In some situations, there are very specific reasons why people do not wish to share their identity.   The most well-known example, which has had a great deal of media attention, is applying age verification before giving access to online pornography.  It was clear that some consumers were extremely concerned – albeit a misplaced concern given the privacy-by-design approach taken  to this technology – that providing ID to adult websites could lead to their online behaviour being tracked and exposed.  But there are also a range of other reasons why people may not wish to use their identity online; perhaps, for example, religious or cultural beliefs within a family may inhibit individuals from online actions that risk upsetting their relatives.

But a more general case can be made when it comes to children.  Regulators such as the UK Information Commissioner have already identified the catch 22 situation whereby it is necessary to request and process personal data in order to assess the age of an online user – but if that user is then found to be below the age of digital consent (13 in the UK) then the very act of gathering that data could be considered illegal.  The advice given by the ICO is to limit users whose age is unknown to harmless areas of a website but of course this, by definition, limits the data available to that site on which to base an estimate of age to the most anodyne content.

We should also be concerned about any solution which requires minors to bandy about their identity online when, in fact, all they need to do is to prove their age.

For these reasons, there is a strong case for considering the age verification process separately from identity-proofing.  Instead, independent third parties can certainly use digital identity as a reliable source of age data, but they need neither retain nor share personal data when a website is merely trying to check a user’s age.  This needs to be made very clear to consumers to build trust in an  internet where almost every site you visit knows your age-range, but not your name.

Indeed, it is already possible to use broader age assurance mechanisms to estimate age with ever-increasing accuracy, without the knowledge of any personal data beyond anonymous biometric details of a user, such as a facial image.  For many, this will be an appealing alternative even if age verification sector is regulated in such a way that identification is never disclosed when an age check is the only purpose.

The UK is not alone in developing an identity framework – Canada, Australia, Sweden and New Zealand are all taking this route.   In each case, we are making these points, although the outcome is very dependent on the  culture of the country concerned.  It is already clear that online privacy is highly valued in Australia, for example.

The Department for Digital Culture Media and Sport does not intend  to provide any new or ready-made solutions for actual products — it is clear that it will be relying on “the creative and innovative drive of industry” to build these, and the age verification sector is well-positioned to deliver.

The trust framework is being published now as a first stage industry prototype (or ‘alpha’) so that it can be tested with services, industries, organisations and potential users. The next step is to begin ‘sandbox style’ testing of the trust framework in partnership with sectors and organisations to ensure it meets their needs, while meeting the government’s ‘robust standards’.  Doubtless, Age Verification providers will enthusiastically embrace that opportunity to illustrate the need for age and ID verification to operate in tandem, but not as one.