Ofcom publishes highly anticipated age assurance statement

Ofcom has published its Age Assurance and Children’s Access Statement. The much-anticipated statement includes guidance on “highly effective age assurance” and a “non-exhaustive list of age assurance methods” the UK regulator considers “capable of being highly effective at correctly determining whether or not a user is a child” – as well as those it deems incapable.
Language in the statement will be considered a win by the age assurance sector, given its inclusion of age estimation as a “highly effective” method. However, there are still concerns on the industry side about measurement.
According to Ofcom’s guidance, the following are “kinds of age assurance that are capable of being highly effective” for pornographic websites, classified as “Part 5”. These methods are deemed to have met Ofcom’s criteria for Technical Accuracy, Reliability, Robustness and Fairness.
Open banking, or bank account verification, in which “confirmation of whether or not the user is over 18 is shared with the relying party,” with user consent. “The user’s date of birth is not shared with the relying party, nor is any other information.”
Photo-identification matching, which “works by capturing relevant information from an uploaded photo-ID document and comparing it to an image of the user at the point of ID upload to verify that they are the same person.”
Facial age estimation, which “works by analysing the features of a user’s face to estimate their age.”
Mobile-network operator (MNO) age checks, which apply content restriction filters (CRF) to block children from “accessing age-restricted websites over mobile internet on pay-as-you-go and contract SIMs.” MNO age checks verify whether the CRF on a user’s mobile phone has been removed, indicating that the registered user of the device is over 18.
Credit card age checks, which work like bank ID checks but with credit cards. In the UK, individuals must be 18 to have a credit card.
Email-based age estimation – “solutions that estimate the age of a user by analysing the other online services where that user’s provided email address has been used,” which might associate it with financial institutions such as mortgage lenders.
Digital Identity Services, which “includes digital identity wallets which enable users to verify and securely store their attributes (such as age) in a digital format. This verification may take place using a variety of methods, including those listed above.”
Methods deemed “not capable of being highly effective” include self-declaration of age,
age verification through online payment methods which do not require a user to be over the age of 18, and general contractual restrictions such as terms and conditions.
AVPA approves of breadth but fears numbers needed to avoid legal disputes
The Age Verification Providers’ Association (AVPA) is happy with aspects of the guidance, but has reservations. A post on AVPA’s LinkedIn account applauds how the statement “acknowledges the wide choice of innovative and effective methods to prove your age quickly and anonymously online.”
It celebrates that “there is now a clear deadline of July for all websites, apps and platforms with any pornographic content, whatever their size, to require effective age assurance.”
And it is particularly happy with Ofcom’s “warning against adult sites promoting circumvention,” which means “they are still legally required to apply age checks even if UK users turn on a virtual private network (VPN) to disguise their location.” This addresses what AVPA director Iain Corby has called the “VPN fallacy,” which says the existence of a feasible workaround is an argument for not implementing age checks at all.
The trade association, however, is still unsatisfied with the technical specificity of the statement.
“We remain concerned that Ofcom has not set a clear minimum level of accuracy, nor a requirement for this to be independently audited,” its post says. “This risks legal disputes about what constitutes ‘highly effective’ – and there is evidence from France, Germany and the USA that some less reputable sites will seek to exploit any potential loopholes.”
AVPA is pushing Ofcom to fix the problem before enforcement commences, with reference to “clear statistical benchmarks set in the IEEE’s international standard.” The organization is also pledging to work with Ofcom and the adult industry to “raise public awareness and confidence in privacy-preserving, convenient age checks” ahead of the July deadline.
Yoti, Verifymy respond to statement with cautious optimism
Industry names are also weighing in on the Ofcom statement, with more detailed versions of AVPA’s major issues.
In a statement emailed to Biometric Update, Robin Tombs, CEO of UK biometrics provider Yoti, says that while the guidance shows “a clear direction of travel” on age assurance, there is still “too much that can be left open to interpretation.”
“Effective regulation needs to be clear and specific,” Tombs says. “Some of the methods that Ofcom has listed as highly effective must include the appropriate elements, such as liveness detection, otherwise they can be easily spoofed by children.” This would throw into question their Robustness, per Ofcom’s criteria.
Furthermore, “by not listing a definitive list of methods, which can be updated periodically, it does make it difficult for platforms to know if an alternative method they were considering might be suitable.”
Regardless, the publication of Ofcom’s age assurance guidelines marks a milestone in the evolution of digital regulation. In an email to Biometric Update, Lina Ghazal, head of regulatory and public affairs at VerifyMy, calls it “a pivotal moment in the fight to make the internet a safer place, particularly for children.”
“The Online Safety Act is set to make 2025 the biggest year for age verification since the Intoxicating Liquor Act 1923 passed over 100 years ago,” Ghazal says.
Ghazal is particularly pleased with the inclusion of email address age estimation – “an innovation developed by VerifyMy” – as a highly effective method. She notes that email age estimation is “fast and fully inclusive, given 99.94 percent of regular online users have an active email address.”
“Ofcom has made it clear that outdated methods such as self-declaration are no longer viable,” she says, “and age-check methods deployed must be technically accurate, robust, reliable and fair in order to be considered highly effective.”
Article Topics
age estimation | age verification | AVPA | biometrics | digital identity | Ofcom | regulation | UK | VerifyMy | Yoti
Comments