New age assurance standard the culmination of ‘enormous amount of work’

Work on the ISO/IEC DIS 27566-1 draft standard on age assurance has entered the public enquiry phase. Interested parties are able to comment through applicable local national standards bodies until March 14th.

The standard sets out a framework and definitions associated with age assurance, encompassing age verification, age estimation and age inference.

It also sets out core characteristics of ISO/IEC-compliant age assurance systems. These include function, performance, privacy, security and acceptability.

In other words: is an age assurance system doing what it says? Does it work, and how well? Does it preserve a user’s privacy? How vulnerable is it to attack? Is it inclusive, transparent and open to challenges?

Digital trust rests on strong, clear definitions

Digital data transactions tend to arouse more suspicion than person-to-person exchanges. But it is possible to build trusted digital institutions, as has been proven with the widespread adoption of online banking.

In a post on LinkedIn, Tony Allen – lead for the Age Check Certification Scheme (ACCS), architect of Australia’s seminal age assurance trial and one of the authors of ISO/IEC DIS 27566-1 – says one of the new standard’s most important functions is to develop a solid foundation of trust in accredited providers for age assurance systems.

“Really critically, for openness and transparency, the standard prescribes publicly available practice statements for age assurance providers, intermediaries and relying parties which should, in time, build trust and confidence in accredited providers for age assurance systems.”

A sample of the draft available online frames the discussion as a matter of the interconnected problems of communication and trust: “age assurance” and all that it entails isn’t defined clearly enough for most users to trust it.

“This document aims to solve the problem of inadequately defined age assurance processes and associated lack of trust in terms of functionality, performance, privacy, security and acceptability,” reads the draft.

I assure you, these age assurance definitions have been verified

It is a much-needed framework. With rapidly evolving technologies like biometrics and digital age checks, language can be fluid, and certain terms can take on unwarranted baggage. To assure, to check, to verify: each has its own semantic subtleties.

As such, it is worth noting ISO/IEC DIS 27566-1’s definitions of age assurance and related terms:

Age assurance is “a set of processes and methods used to verify, estimate or infer the age or age range of an individual, enabling organizations to make age-related eligibility decisions with varying degrees of certainty.”

Age verification is an “age assurance method based on calculating the difference between a verified year or date of birth of an individual and a subsequent date,” with a note that,  “in some cultures, an alternate calculation (such as use of birth year rather than birth date) may be applicable.”

Age estimation is an “age assurance method based on analysis of biological or behavioural features of humans that vary with age.”

Age inference is an “age assurance method based on verified information which indirectly implies that an individual is over or under a certain age or within an age range.”

In summary, age assurance refers to the thumbs-up or thumbs-down that firms provide and relying parties receive, and the methods used for that purpose. Age verification, age estimation and age inference are specific methods of confirming required age-related data in order to provide that assurance.

Standard looks to inform policy requirements for age assurance

The draft standard also specifies that age assurance is not identity verification, and indeed need not require disclosure of any unrelated personal information. “Although an individual’s age is an attribute of their identity, it is not necessarily the case that establishing the full identity of an individual in a global context is needed to gain age assurance.”

In addition to the overall goal of building trust, the document aims to “enable policymakers to specify applicable types of age assurance systems and associated indicators of confidence in their policy requirements.”

“As an example, a policy maker may determine that, to authorize the sale of alcohol or tobacco or some other age restricted product, a relying party acting as a decision maker should use some particular type of age assurance system supporting specified characteristics to verify that an individual is an adult.”

Article Topics

Age Check Certification Scheme (ACCS)  |  age verification  |  biometric age estimation  |  ISO 27566-1  |  ISO standards  |  standards