Age assurance tech is ready now, and international standards are on their way

The Global Age Assurance Standards Summit has wrapped up, culminating in a set of assertions, a seven-point call-to-action and four main principles for protecting young people from the risks of age-inappropriate goods and services.

The event convened more than 700 stakeholders for a week of consultation and debate about the future of standards for age assurance, what their goals should be and how they can be achieved technically, with support from the Safe Online initiative and the British Standards Institute (BSI). The first four days of the event covered many different facets of the issue, including detailed discussions of technical terminology, alternative methods of carrying out age checks, parental consent and how biometrics fit with the other parts of a complete system.

A communique from the event organizers begins with statements they say reflect a consensus amongst attendees: It is possible with current technology to deploy age assurance in a way “that is privacy preserving, secure, effective and efficient.” In combination with other tools, it can help protect children in the digital world.

International standards will help ensure that protection, and “laws and regulations can (emphasis in original) create the legal framework with robust procedures in place to secure the protection of children from harm.” All of this can also be done in a way that does not erode the freedom of adults online.

A definition is provided, courtesy of the working group behind ISO/IEC WD 27566-1. “Age assurance is the process of establishing, determining and/or confirming an age assurance attribute, including age verification, age estimation and age inference,” the definition reads.

That standard’s part 1 (framework) has reached a committee draft, after a consensus was reached at the Summit, and will be released to national standards bodies. Part 2 has been approved as a work item, and work was done on part 2, with another call for contributions expected soon, Age Check Certification Scheme Founder and CEO Tony Allen told attendees during a wrap-up session.

Calls to action, principles and guidelines

The call to action specifies support for future adoption of the standards developed, and encouragement for governments to adopt them to align with their legislation. Those who decide age eligibility are urged to apply the standards and make “their controls are transparent, accountable and respectful of the rights of individuals.” All stakeholders are urged to support the dissemination of the standards, and further dialogue around them, and “Encourage age assurance companies to engage in human rights due diligence throughout the lifecycle of their products, in order to prevent and effectively prevent and/or address any adverse impacts on the full range of human rights and children’s rights caused by, contributed to or linked to age assurance tools. This will ensure that age assurance tools can be deployed in a way that maximises the protection of children, whilst also maximising privacy and data protection for both children and adults.”

Governments should be encouraged to report back to the international standards bodies about their progress, and attendees should stay engaged as all of the above happens.

The four principles decided on are that age assurance should be based on individuals’ rights and best interest, the principle of data minimization, transparency and accountability, and cooperation and participation.

Three guidelines are provided for each principle. The principle about individual rights notes in a guideline that children have “evolving capacities,” and Allen notes that this guideline is about the need to avoid an effectively separate internet for children, which does not allow room for nuance and personal growth. The principle on data minimization includes the guideline that age assurance systems “should avoid the onward sharing of hard identifiers, such as passports or biometrics, unless absolutely necessary, proportionate and justified.”

Yoti Co-founder and CEO Robin Tombs notes in a LinkedIn post that Ofcom’s session included the point that database checks and verified parental consent are not considered “highly effective age check methods.” The company recommends that digital age wallets be considered differently than digital identity wallets, allowing age confirmation without the need to submit any identity details. Allen said in response that this is why BSI and the ACCS have pushed for stand-alone age assurance standards, instead of treating it as an attribute derived from identity.

The long path to meaningful action

During a keynote session on the last day, John Carr of the UK Children’s Charities’ Coalition on Internet Safety shared the story of how the recognition of a problem with online access to age restricted services for children, and gambling in particular, led to the creation of technologies and the market for them.

He warns that as codes of practice are finalized, Ofcom will need to find a way to provide resources to civil society organizations to level the playing field with big tech companies and their legal teams. He also warns that organizations like NetChoice exist to delay the application of rules for the internet with legal challenges.

Article Topics

Age Check Certification Scheme (ACCS)  |  age verification  |  British Standards Institution  |  Global Age Assurance Standards Summit  |  ISO 27566-1  |  ISO standards  |  Ofcom  |  Safe Online  |  standards