Yoti responds to Ofcom’s guidance on age checks for porn sites

While the age assurance sector has welcomed Ofcom’s newly published guidance on highly effective age assurance for adult content sites, many have expressed concern that the document remains too vague in key areas.
A new blog from Yoti outlines the areas in which the face biometrics firm believes Ofcom’s guidance on age checks needs further clarification. For the most part, the observations follow a common theme: the UK regulator needs to go deeper.
“There are a lot of good principles and effective guidance to ensure children are protected online and there is a clear deadline of July 2025 for all sites (be that pornography sites or social media platforms which allow pornography) to have age verification in place to prevent children from accessing adult content,” writes Yoti’s communications manager, Rachael Trotman.
“We are pleased to see that Ofcom has listed several popular age assurance methods, such as facial age estimation, digital ID wallets, and document verification, as capable of being highly effective.”
“However, there are certain areas where the guidance falls short.”
More detail in methods, standards needed for consistency
Yoti lists several interrelated concerns with Ofcom’s guidance.
“The guidance does not provide a definitive list of methods,” says Yoti, “just the kinds of age assurance that are capable of being highly effective.” That means there are still open questions about certain established methods. Making the list more specific would help platforms trying to determine if their age assurance methods adhere to the guidelines.
The same applies to set age thresholds for age estimation. Ofcom’s guidance suggests a “challenge age” approach – a set number of years over legal age that acts as a buffer for contingency. (For goods or services restricted to those 18 or over, that translates to “we card anyone who looks under 25.”) But Yoti says that letting platforms assess and set this challenge age will lead to inconsistencies, and points to other regulators who have clearly defined buffers.
On age assurance standards, Yoti says “the guidance does not yet provide the clarity and comprehensive standards the industry urgently needs.” The firm suggests making reference to “clear statistical levels laid out in the IEEE’s international standard” and imposing mandatory audit requirements. “A clear and enforceable set of guidelines would not only create a level playing field but also build public trust in the system.”
Likewise, Yoti notes that Ofcom does not specify minimum standards for document verification.
“For document checks to be highly effective, minimum standards should require face matching, document authenticity checks and liveness detection. Otherwise there is too much opportunity for successful circumvention.”
Too many loopholes and openings for circumvention
Among Yoti’s more technical grundles is a lack of detail around age tokens, which can apply an initial age verification across subsequent uses of different restricted platforms.
“An important detail missing from the guidance is that the initial age check for an age token should be done against a highly effective method,” Trotman writes. “After all, the age token reflects the quality of the initial age check.”
As Yoti and its peers have argued before, the definition of “highly effective age checks” needs to be precise – and it needs to apply across the age assurance ecosystem, or risk diluting the potency of the guidance.
“Some of the methods that Ofcom has said can be highly effective, could be easily spoofed by children, which means they won’t pass the robustness test,” Yoti says. A specific complaint concerns liveness detection, which Yoti considers “fundamentally essential to ensuring age checks are effective and can’t be spoofed.”
“Ofcom should have been braver and stipulated that platforms using facial age estimation need to use it with liveness detection. Otherwise, it is unnecessarily easy to circumvent.”
Letting porn sites collect and keep user data doesn’t inspire trust
A final concern is that Ofcom allows in-house age checks, with no requirement to delete data. Yoti notes that “some countries, such as the U.S., are including a requirement that age checks can’t be done by the adult operator and all age checks must be deleted afterwards.”
The move makes sense on a regulatory level, but also points to a demonstrated truth: even ardent porn lovers don’t want to hand off their personal information to smut peddlers.
“Allowing porn sites to capture sensitive information like passport or driving licence details, or Name, Date of Birth and Address, will not help Ofcom to build high public trust.”
Privado advocates for collaboration, cohesion
Privado ID is likewise watching the regulatory landscape, and seeing more need for a unified approach. A blog from the company says it “understands that meaningful advancements in age verification require collaboration across the ecosystem.”
“Age verification and estimation online is vital and there are several ways of achieving it,” says Otto Mora, Standards Architect at Privado ID. “However if everyone has their own separate data format that will impact interoperability and the user experience. This is why our work at the Decentralized Identity Foundation to create standardized credential schemas helps the digital identity industry to stay coordinated and streamline adoption in online platforms.”
Privado ID has partnered with Swiss age estimation firm Privately to scale its capabilities with AI. “When integrated with Privado ID’s standards aligned Proof of Age credentials,” Mora says, Privately’s facial age estimation “can serve as an additional layer of verification, further enhancing the accuracy and reliability of age proofing.”
Article Topics
age verification | biometrics | children | digital identity | Ofcom | Privado ID | regulation | UK
Comments