
UK Digital Proof of Age (in person)

The AVPA has been working in partnership with the Proof of Age Standards Scheme (PASS) to enable the use of digital proofs of age in person across the UK.

PASS is a non-profit organisation, originally created to agree and maintain a common standard for physical proof of age cards. Their cards (as illustrated – left) are recognised in both law and statutory guidance as sufficient proof for not only access to licensed premises and the purchase of age-restricted goods, but also as proof of identity when voting.

So, it was natural for the Home Office, in 2021, to invite PASS to explore options for a digital version of their card. It set the industry a challenge to ensure that a card provided by any approved issuer can be accepted by any shop, bar, club, casino or cinema in the country. This is technically difficult, as complex security measures are required to prevent simple forgeries of images displayed on a phone screen, and these need to be agreed across all the suppliers. PASS had already approved a technical standard for digital proof of age, but left it to the industry to find a way to ensure such cards could be universally accepted.

Members of the AVPA and PASS, including UK Hospitality, the Retail of Alcohol Standards Group and the Association of Convenience Stores, were consulted, and a call for a proposal for new technology to allow people to prove their age using just their smartphone was issued in May 2022. It sought a universally accepted interoperability solution for Digital Proof of Age (DPoA) systems issued under the PASS Scheme.

The solution was required to enable any approved DPoA to be validated by any relying party, using existing or low-cost technology without the need for new hardware or extensive staff retraining. It had to meet strict security, privacy, and resilience standards, ensure no additional personal data is stored or shared, and offer high uptime (99.9%) with minimal disruption. It also needed to comply with existing PASS 5 technical standards for digital proofs (illustrated below), support both QR code and NFC formats, and be sustainable through a transparent fee model. The provider was not permitted to enter exclusivity arrangements, had to treat all Issuers equally, and offer a clear exit strategy so it was not locked into a monopoly position. Preference was given to solutions using international standards, supporting offline use, and encouraging new market entrants.

Proposals were reviewed by a wide range of stakeholders to form an industry consensus, and a recommendation was made to the PASS Board to select Fujitsu to build the necessary infrastructure. A technical steering group was formed, again with wide representation, to advise on the detailed design of the solution.

Public Key Cryptography is the technical foundation of many digital identity systems. It works using two keys: a private key, which is kept secret, and a public key, which anyone can access. Under the dPASS scheme, a digital proof of age credential is created and then digitally signed using a private key. This signature can then be verified by anyone who has the matching public key, proving that the credential is genuine and hasn’t been tampered with.

In the dPASS solution, Issuers (age verification providers) provide consumers with a mobile app that generates a QR code containing this digitally signed credential. This QR code is scanned by an existing device (either a Point of Sale or a mobile device) that uses software provided by PASS to validate the proof of age credential. This software uses the public keys of trusted issuers to check the signature on the QR code.

The consumer can only create that QR code if they have properly proven their age to the issuer, and they then use a biometric password – their face or fingerprint – to prove they are the rightful user of that proof of age.
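The sign-then-verify flow described above can be sketched as follows. This is an added example, not code from PASS, Fujitsu or any issuer, and it does not reproduce the dPASS format: the JSON payload, the field names (`iss`, `ageOver`, `exp`), the short expiry, the issuer identifiers and the choice of Ed25519 are all assumptions made for illustration.

```javascript
// Added illustration. Payload fields, encoding and Ed25519 are assumptions, not the dPASS format.
const crypto = require('node:crypto');

// Issuer side: sign a minimal claim (no name, date of birth or photo).
function issueCredential(issuerId, privateKey, ageOver, expiresAt) {
  const payload = Buffer.from(JSON.stringify({ iss: issuerId, ageOver, exp: expiresAt }));
  const sig = crypto.sign(null, payload, privateKey);
  // Text the QR code would carry: base64(payload) "." base64(signature)
  return `${payload.toString('base64')}.${sig.toString('base64')}`;
}

// Relying-party side: check the signature with a key taken from the trust list.
function validateCredential(qrText, trustedIssuers, requiredAge, now) {
  const parts = String(qrText).split('.');
  if (parts.length !== 2) return 'malformed';
  const payload = Buffer.from(parts[0], 'base64');
  const sig = Buffer.from(parts[1], 'base64');
  let claim;
  try { claim = JSON.parse(payload.toString('utf8')); } catch { return 'malformed'; }
  if (claim === null || typeof claim !== 'object') return 'malformed';
  // The key is selected by issuer id from local configuration, never from the QR code.
  const publicKey = trustedIssuers.get(claim.iss);
  if (!publicKey) return 'untrusted-issuer';
  let signatureOk = false;
  try { signatureOk = crypto.verify(null, payload, publicKey, sig); } catch { /* treat as invalid */ }
  if (!signatureOk) return 'bad-signature';
  // Claims are acted on only after the signature has been verified.
  if (typeof claim.exp !== 'number' || now >= claim.exp) return 'expired';
  if (typeof claim.ageOver !== 'number' || claim.ageOver < requiredAge) return 'age-not-met';
  return 'valid';
}

// Constructed sample data: one trusted issuer and one key pair outside the trust list.
function demo() {
  const issuerA = crypto.generateKeyPairSync('ed25519');
  const outsider = crypto.generateKeyPairSync('ed25519');
  const trusted = new Map([['issuer-a.example', issuerA.publicKey]]);
  const now = 1700000000; // fixed clock (seconds) so results are repeatable
  const good = issueCredential('issuer-a.example', issuerA.privateKey, 18, now + 60);
  const [p, s] = good.split('.');
  const raised = Buffer.from(p, 'base64').toString().replace('"ageOver":18', '"ageOver":25');
  return {
    good: validateCredential(good, trusted, 18, now),
    editedPayload: validateCredential(`${Buffer.from(raised).toString('base64')}.${s}`, trusted, 21, now),
    wrongKey: validateCredential(issueCredential('issuer-a.example', outsider.privateKey, 18, now + 60), trusted, 18, now),
    unknownIssuer: validateCredential(issueCredential('other.example', outsider.privateKey, 18, now + 60), trusted, 18, now),
    expired: validateCredential(good, trusted, 18, now + 120),
    tooYoung: validateCredential(good, trusted, 21, now),
  };
}
console.log(demo());
```

The verifier needs only the issuers' public keys, so the check can run on the scanning device itself, and the claim it reads contains an age threshold rather than any personal details.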

A key benefit of this approach is that no personal data is shared with a shop, bar, club or casino – or their staff – when proving age. The QR code is enough to confirm that the person showing it is above the required age, and there is no need for staff to compare a photo to the customer as the technology has already made sure it is the rightful user.

Commercially, the requirement that any certified dPASS can be accepted anywhere constrains the possible business models: those accepting a dPASS have no choice about which ones they allow, so they cannot have different prices imposed on them by the issuers. So instead, we proposed a licensing model based on an annual fee per till. The revenues raised will cover the costs of governing and operating the network and also be shared with the issuers in proportion to the volume of use of the dPASS they issue. The sums involved will be set at a level that ensures there are enough providers issuing dPASS to stimulate a healthy, competitive and innovative market.

Another advantage is that the same technical approach to validating a dPASS can be used when people begin to have government-issued proofs such as a digital driving licence or veterans card. Those can be used as sources of age data that Digital Verification Services (issuers) can then translate into QR codes that also use the dPASS standard. This way, the retailers, bars, etc. do not need any new equipment, software or contracts to accept an increasing range of digital ID. And because PASS is a non-profit, it can safely be trusted to sit at the centre of this national infrastructure and act as an honest broker, maintaining standards, and facilitating the growing market in digital proof of age – and indeed identity.

This solution is ready today – the only option that can allow the Secretary of State to meet his goal of buying alcohol with digital proof of age by Christmas 2025.