Date: 2025-09-10

The Age Verification Providers Association (AVPA) has published a postmortem on the UK Online Safety Act rollout, with details on specific deployments and lessons learned from the “largest coordinated deployment of age assurance ever seen at a national level.”

AVPA says that, on day one of enforcement of the OSA, association members collectively completed an estimated 5.7 million age checks. Writing on LinkedIn, it suggests the scale of the action makes it a blueprint for other nations looking to follow suit. “The UK’s experience offers valuable insights not only for providers, but also for Ofcom, the ICO and legislators and regulators abroad, particularly those in the EU, the U.S. at state and federal level, Brazil, India, New Zealand and Australia who are already engaged in this field.”

Methods varied across the spectrum, with no single approach dominating, even among the largest adult content sites. “Pornhub implemented its own AllPassTrust federation, offering methods from OneID, Verifymy and Aylo’s own in-house credit card checks; XVideos and XNXX deployed AgeGO, including reusable digital IDs available as an option from Yoti; and xHamster also used Yoti for both digital ID and age estimation.”

Yoti, the UK firm that offers a suite of different age assurance options, is the closest thing to a winner to emerge from the initial scrum, at one point finding itself at the very top of the Apple App Store charts.

AVPA considers the launch a major success, but acknowledges that both the age verification industry and regulatory bodies have issues to address. A common concern has been overreach, as services like Spotify impose age checks as a compliance safeguard, limiting access to certain content.

While few expressed public frustration about not being able to watch porn, users of sites such as Reddit and Discord also found themselves facing age checks. Some gaming sites reported the removal of LGBTQ-themed content as smaller platforms looked to minimize the risk of noncompliance. And the OSA may not be done yet: new Technology Secretary Liz Kendall is preparing to publish a new register of regulated services soon.

AVPA’s report organizes key challenges into four interconnected themes: trust, integrity, circumvention and convenience.

Convenience: make it easy for anyone, anywhere

Starting backward, convenience is simple enough: the eternal quest to reduce friction is familiar ground for biometrics observers. Interoperability is a major sticking point. AVPA maintains what has become a consistent position, namely that “clearly interoperable, independent age assurance systems using reusable credentials by confirming checks secured from a robustly managed ecosystem will be viewed as equivalent to those supplied directly under a contract with a provider.” In other words, solutions like euConsent’s AgeAware app can help solve the interoperability problem.

Inclusivity is also flagged as an issue, and AVPA recommends that “all age verification providers offering document based checks should add the option to use PASS Cards” for verification, and that “Ofcom should emphasise that its regulations require platforms to consider accessibility and inclusivity.”

Circumvention: tech can handle VPNs, but HEAA definition needs refining

Circumvention is an issue that can be partly tackled with specific minimum standards for liveness detection and injection attack detection. Moreover, “providers should join known testing or benchmarking programmes such as the NIST benchmarking programme to show their credibility in terms of facial age estimation accuracy.”

For now, however, the real flies in the ointment are Virtual Private Networks (VPNs) and poor quality age assurance systems promising to plug a regulatory hole for cheap.

On VPNs, AVPA has been clear in its opinion that simply because a workaround exists, that doesn’t make it legal. Here, it acknowledges the issue – but, like others in the age assurance sector, suggests it can be solved with tweaks to technology. Technical signals such as language, currency, and time zone can be referenced to detect likely VPN use.

“Ofcom should issue guidance on detecting and deterring circumvention, including flagged high-risk VPN traffic (i.e. potentially a UK child),” the report says. But it also re-entrenches its stance: if VPNs are allowing large numbers of kids to access adult content, then the sites providing that content have an obligation to find a way to stop them.
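The signal comparison described above can be sketched as follows. This is an added example, not code from the AVPA report or from any provider; the weights, the threshold, the `ClientSignals` fields and the sample values are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed weights (out of 10) and threshold; a real deployment would tune them.
WEIGHTS = {"language": 3, "currency": 3, "timezone": 4}
FLAG_THRESHOLD = 6
UK_TIMEZONES = {"Europe/London", "Europe/Belfast", "GB"}

@dataclass
class ClientSignals:
    ip_country: str       # ISO country code from an IP geolocation lookup
    accept_language: str  # raw Accept-Language header
    currency: str         # currency the client selected
    timezone: str         # IANA zone reported by the browser

def primary_language(header):
    """Return the language tag with the highest q-value in the header."""
    best, best_q = "", -1.0
    for part in header.split(","):
        tag, _, param = part.strip().partition(";")
        q = 1.0
        if param.strip().lower().startswith("q="):
            try:
                q = float(param.strip()[2:])
            except ValueError:
                q = 0.0  # malformed weight: treat as least preferred
        if tag.strip() and q > best_q:
            best, best_q = tag.strip().lower(), q
    return best

def uk_signal_score(s):
    """Sum the weights of the client signals that point to a UK user."""
    score = 0
    if primary_language(s.accept_language) == "en-gb":
        score += WEIGHTS["language"]
    if s.currency.upper() == "GBP":
        score += WEIGHTS["currency"]
    if s.timezone in UK_TIMEZONES:
        score += WEIGHTS["timezone"]
    return score

def likely_uk_behind_vpn(s):
    """Flag only a non-UK IP whose client signals look British."""
    if s.ip_country.upper() == "GB":
        return False  # already handled as UK traffic
    return uk_signal_score(s) >= FLAG_THRESHOLD

# Constructed sample: Dutch exit IP, British locale settings.
SAMPLE = ClientSignals("NL", "en-GB,en;q=0.9", "GBP", "Europe/London")
```

A flag here is a reason to present the age check, not proof of location: a British traveller abroad produces the same signals.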

The flip side of the problem is sites that are themselves either relying on highly suspect age check products, or dialing down safety settings on legitimate products in ways that go beyond providers’ control.

Here, AVPA reopens the discussion on how Ofcom defines “Highly Effective Age Assurance” (HEAA), which has been contentious for some time.

“Clients may be confused by the Ofcom HEAA requirement as it is not explicit or codified,” AVPA says. “Ideally it would set a threshold for the level of age assurance based on the IEEE 2089.1 approach, e.g. methods should prevent 95 percent of those up to 24 months below the age limit and 99 percent of those 25-48 months below from access.”

“Ofcom explicitly chose not to set numerical thresholds ‘at this stage’ but left the way open to doing so in future, and this should be a high priority.”
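To show what a codified threshold would let a client check, the following added example (not from the AVPA report, Ofcom or IEEE 2089.1) scores a test run against the two figures AVPA quotes. The age limit of 18, the use of a Wilson confidence bound and the sample data are assumptions.

```python
import math

# Thresholds as quoted from the AVPA report: months below the age limit
# (exclusive lower, inclusive upper) -> minimum share that must be blocked.
BANDS = {(0, 24): 0.95, (24, 48): 0.99}

def wilson_lower(blocked, total, z=1.96):
    """Lower end of the 95% Wilson score interval for blocked/total."""
    if total == 0:
        return 0.0
    p = blocked / total
    centre = p + z * z / (2 * total)
    margin = z * math.sqrt(p * (1 - p) / total + z * z / (4 * total * total))
    return (centre - margin) / (1 + z * z / total)

def evaluate(results, limit_months=18 * 12):
    """results: (true_age_in_months, access_granted) pairs from a test run."""
    report = {}
    for (lo, hi), required in BANDS.items():
        outcomes = [granted for age, granted in results
                    if lo < limit_months - age <= hi]
        total = len(outcomes)
        blocked = outcomes.count(False)
        report[(lo, hi)] = {
            "n": total,
            "blocked_rate": blocked / total if total else None,
            # The point estimate alone can pass on a lucky sample,
            "meets_point": total > 0 and blocked / total >= required,
            # so also require the confidence bound (an assumption made here).
            "meets_lower_bound": wilson_lower(blocked, total) >= required,
        }
    return report

# Constructed test run: 200 subjects 12 months under the limit (8 admitted),
# 400 subjects 36 months under (none admitted), 50 adults (ignored).
SAMPLE = ([(204, False)] * 192 + [(204, True)] * 8
          + [(180, False)] * 400 + [(240, True)] * 50)

if __name__ == "__main__":
    for band, row in evaluate(SAMPLE).items():
        print(band, row)
```

On this sample the near-limit band blocks 96 percent and passes the quoted 95 percent figure as a point estimate, but with only 200 subjects the lower confidence bound falls short of it.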

Trust: certification, accreditation, regulation and time

The numbers and switches are a relatively easy challenge, compared to what AVPA identifies as its other two major themes. Trust and integrity are both abstractions that depend on a wide variety of cultural and situational factors.

AVPA recommends “digital certificates showing the use of compliant AV systems,” which would be “issued by the providers to their clients, under a public key infrastructure (PKI) hierarchy governed by the AVPA. Independent audit and certification against international standards such as ISO/IEC 27566-1 and IEEE 2089.1 must serve as the basis for this.”

Accreditation and certification schemes will help, and a more specific definition of HEAA could also help here: if a provider cannot muster the numbers, they shouldn’t be trusted. Regulations are also a key piece. People have learned to trust highly regulated industries in which institutions have the numbers to show they are safe or secure. Consider how few people would agree to fly with an airline that operates with no regard for regulations.

However, the larger picture involves trying to establish digital trust, on a sharp curve, in an environment that is highly attuned to the dangers of surveillance, the ubiquity of rogue data collection, and the power granted to those who control large tech platforms. Ultimately, the only way to establish lasting trust is to prove oneself over time. The OSA launch, AVPA says, “has helped normalize age assurance and, if privacy is protected and data breaches avoided through rigorous data minimisation, trust will grow.”

This is where integrity becomes crucial.

Integrity: proven systems used in good faith

AVPA’s argument here is largely technical. Systems that require users to create accounts, it says, undermine anonymity and increase the risk of tracking across platforms.

“Federated login systems such as AllPassTrust allow users to log in across multiple sites with the same credentials. This increases the risk of sharing and cross-site tracking. These systems do not offer double-blind protection, where the content site cannot see who the user is, and the AV provider cannot see what sites are accessed. While not required in the UK, other jurisdictions such as France and Italy do require it.”

The argument, then, is both technical and ethical. Use the best and most privacy preserving option available, ideally double-blind, tokenized systems that preserve anonymity. But also, use it responsibly. For it is not just technical integrity that must withstand scrutiny, but also the integrity of those acting as providers. The recent discovery that AgeGO’s system harvests user data on specific URLs prior to initiating a third-party age check underlines the point: the infrastructure is only as secure as those vetted to use it. And earning trust means learning not to break it.

“The task now is to refine deployment, improve interoperability, raise standards and build public trust,” says AVPA in its conclusion. But it also once again points to an attractive option.

“Almost every issue identified above is mitigated by the introduction of a well-governed and well-designed interoperable ecosystem.” Double-blind, tokenized and organized, the sector will be well-prepared to meet new challenges that emerge as global policy matures.

