New Zealand takes stock of online age verification options

Age assurance is on New Zealand’s agenda as the country advances its digital identity system and the Trust Framework that governs it. A roundtable event organized by Digital Identity New Zealand brought together regulators, age assurance providers, government officials and other stakeholders to discuss insights and policy options informed by Australia’s Age Technology trial.

Age Check Certification Scheme CEO Tony Allen, who led the trial, presented the results.  Age Verification Providers Association ED Iain Corby, said that New Zealand can learn from the work in Australia, the UK and elsewhere to take “second mover advantage.”

New Zealand and Australia share a certification authority, along with the countries’ cultural and geographical ties, immediately raising one of the key themes of the presentation: balancing consistency, standards and proven effectiveness with local context.

The domestic market also includes some unique options, like New Zealand-based MyMahi, Allen notes.

And age assurance is gaining traction a little further away, as the ACCS has had conversations with regulators in Fiji, Indonesia, Singapore and Malaysia, Allen says.

Lessons from the neighbors and their kids

Allen began by reviewing how age verification, biometric age estimation and age inference work, individually and together as part of a workflow with fallback methods.

He called the Australian trial “by far the most in-depth analysis of age assurance that has even been undertaken anywhere in the world.” Allen reiterated the main findings of the trial, noting that no substantial technical limitations were found, though onboarding customers to age assurance systems “did take a bit longer than the vendors claimed it would.”

There is also room for improvement in age assurance systems’ performance across demographic groups, despite the broad consistency found in the trial.

A key challenge emerging from the trial is whether platforms should be able to answer specific questions about a particular user’s journey. If a young person is harmed by exposure to content on a particular platform, and investigators inquire about how they were able to access it, platforms must have user data that is not necessary for the age check itself.

The trial found “a minority of providers toward over-preparing for investigatory or forensic requests,” and Allen warned New Zealand’s online safety community to set the policy for data retention carefully with this in mind. “Otherwise you end with a global dataset of who’s using what,” he cautions.

Parental control and consent mechanisms generally work well, Allen says, but implementations tend to be geared toward the traditional Western conception of the nuclear family, and work less well for other family configurations and models of responsibility.

Then there is the still-contentious issue of where in the workflow age checks should happen.

“The more proximate you are to the risk that’s identified, the easier it is to do age assurance, and for the users to understand why you’re doing it,” Allen says. That means at the point of contact with the website or app that delivers the restricted content.

He also provided an overview of how the certification scheme in development for Australia and New Zealand works, as well as those around the world.

Lessons from around the world

One of the key lessons from the early days of age assurance enforcement in the UK is around the control age assurance technology providers give to online platforms over settings, Allen notes. If misconfigured, a suitable technology will deliver non-compliant results.

His discussion of circumvention noted the ease with which companies can tell when a user is connecting via a VPN, and that the bar for the sophistication of fraudulent age checks is necessarily lower than it is for use cases like payment security, where those committing the fraud have adequate incentive to pour thousands of dollars into fake IDs or deepfakes if it could lead to a financial windfall.

Corby noted that early implementations of age assurance have revealed that his prior assumption that people would rather give their ID data to a dedicated third party than the various platforms they use is not quite right. For some websites and apps that people are familiar and comfortable with, it is being directed to an additional, unfamiliar service provider that poses a barrier to user trust.

He also noted that at this point in the field’s maturity, “we’re at kind of ‘peak inconvenience’ of age assurance in the world at the moment.”  Further development tokenization to reduce duplicate age checks will help.

MyMahi explained their age verification system, which utilizes the authoritative data from New Zealand high schools to issue a student digital ID that includes built-in limited disclosure capabilities for age.

The technical details of how the ISO standard for age assurance will inform the certification schemes for each jurisdiction, and what is being done while it is on the way to its completed form was discussed by attendees and the presenters.

Article Topics

Age Assurance Technology Trial  |  Age Check Certification Scheme (ACCS)  |  age verification  |  AVPA  |  biometric age estimation  |  Digital Identity New Zealand (DINZ)  |  New Zealand