Age assurance stakeholders need more data

Age assurance technology is being put to the test in new ways in the UK and Australia, and regulators, standards bodies and businesses from around the world are closely watching. They are also considering how to adapt the findings of the field’s pioneers and asking questions at the Global Age Assurance Standards Summit.

The Summit is organized by the Age Check Certification Scheme, and runs Tuesday through Thursday in Amsterdam. The overarching focus, in the words of ACCS Founder and CEO Tony Allen, is “global standards for local regulation.” It is organized along similar lines to a G20 meeting, due to the high level of interest in age assurance in G20 nations, but representatives from countries around the world, including Bangladesh and Malawi, are also meeting on site.

Familiar names in age assurance like Yoti, Persona, Luciditi, Veratad and Innovative Technology (ITL) are presenting their technologies and perspectives. Other technology providers like Rigr, which uses facial age estimation for forensic investigations of CSAM, are also on the scene, contributing to the discussion.

Australia’s trials

KJR is conducting Australia’s trial of age assurance technologies, and presented how they are doing so to an overstuffed room of Summit attendees.

The company is testing the ease of implementation for the different technologies and their user experience, along with their effectiveness, Andrew Hammond explained.

Another talk covered how the trial process was formulated, based on a set of ISO standards and IEEE 2089. It utilizes 10 assessment criteria, covering accuracy, ease of use and interoperability, but also bias, privacy, rights and data security protections, technology readiness and circumvention, which will focus on presentation attack detection (PAD) and injection attack detection (IAD).

The actual testing will including static reviews, manual functional testing, PAD, manual usability and acceptance testing and automated functional and non-functional testing.

A few age assurance providers have dropped out of the process, and KJR will engage with the rest when testing is complete to confirm that the testing was not adversely affected by a misconfiguration or unforeseen problem. If necessary, retests will be conducted.

The fastest implementation of age assurance technology took close to half an hour, the rest longer.

The company will be in Australian schools starting next week for hour-long sessions which will be held across the country, bringing a selection of devices and software to be tested. Mystery shoppers testing the technology in unconstrained conditions will follow.

The eventual result will be data from over a thousand test participants for each of 23 apps tested. A report will be prepared in May for June publication.

It will be the largest body of age assurance test data of its kind when complete, and stakeholders are very keen to see it.

Where should age assurance be applied?

While the most common view among regulators and technology providers present is that age assurance should be applied at the platform level, but other argued for age assurance at the device level and Aylo made its pitch for the OS level.

Whatever level age checks happen at, Google says they should be applied through digital wallets. Since age was added to the EMVCO specification, Mastercard sees a big role for itself, as it already plans to be in everyone’s digital wallets. There is still a binding piece that leaves room for age assurance providers, Luciditi Co-founder and CTO Philip Young points out.

Yoti Chief Policy and Regulatory Officer Julie Dawson delivered a presentation specifically on the question of where in the stack age should be checked. Each answer has benefits and drawbacks enumerated by Dawson.

OS-level tools can help, but those that exist are used by around 1 percent of parents. They could also limit competition in a way that would conflict with anti-trust regulations. App store controls can help, but many of the interactions regulators want to protect children from happen in browsers. Shared family devices will not function well for both adults and children if they must pick one level of protection or the other.

Ultimately, Yoti sees a hybrid approach that enables consumer choice as preferable, and perhaps even inevitable.

Under 18s

During the morning plenaries, Online Child Safety Consultant John Carr noted that the EU arrived at 13 as the age of consent for data processing under GDPR more or less by happenstance. The initial plan to make the age 18 disappeared under a wave of news headlines that the EU would ban teens from social media. The age of 13 was picked up from American regulation, which was arrived at because of the semantic designation as the beginning of “teen”-hood, aided by the lobbying of the video game industry.

With age limits for social media raised repeatedly during Day 1 of the Summit, the question of what age limits should apply at was debated several times. The younger you go, though, the less likely you are to find a useful photo ID, a credit card or a line in an authoritative data source.

But at what age do people become less susceptible to content glorifying eating disorders, for example? In another of the themes of the day, there is scant science to turn to for answers, so whatever age the laws and regulations of the different countries arrive at, further learning and revision will be necessary.

Article Topics

age assurance standard  |  Age Assurance Standards Summit (2025)  |  Age Assurance Technology Trial  |  age estimation  |  age verification  |  biometrics  |  KJR Testing  |  regulation  |  Yoti