The UK’s communications regulator has set out guidance on how online services should carry out age checks as part of the Online Safety Act.
Ofcom’s various proposals will leave privacy campaigners in hot pursuit. These include credit card verification, facial age estimation, photo ID matching, and more.
All of these checks are made in the name of protecting children from the far-flung grottoes of the World Wide Web. However, service providers are likely to be caught in the middle in implementing the guidance without violating privacy regulations. For example, Ofcom notes that the following age checks can be “highly effective”:
- Open banking. The bank verifies that the user is over her 18 years of age without sharing any other personal information.
- Mobile network operator (MNO) age check. Responsibility is transferred to the MNO content restriction filter, which can only be removed if the device user can prove to her MNO that she is over 18 years old.
- Photo ID matching. We compare a user’s image to an uploaded document used as proof of age to ensure they are the same person.
- Credit card check. Your credit card account will be checked for validity. In the UK, the credit card holder must be over the age of 18.
- Digital ID wallets and our favorite, facial age estimation, analyze your facial features to estimate your age.
It doesn’t take a genius to imagine how a determined teenager would get around many of these restrictions. You can also imagine the potential privacy nightmares inherent in many of those restrictions if adults were forced to share this level of information when visiting age-restricted sites.
At this point, the reader may have a distinct sense of déjà vu. In 2022, the UK government threatened to require handing over a full range of personal data in order to access social media sites. Protecting children from pornography is a cause and we are here. The idea of age verification was floated years ago and is back as part of the Online Safety Bill.
Last time, the idea of allowing certain companies to act as information matchers/age verification service providers was floated, but critics correctly speculated that this would create a huge jackpot target for national data. Ta.
In 2022, Daniel Pryor, then director of research at the Adam Smith Institute think tank, found that while tech-savvy teens were more likely to be able to circumvent the restrictions, adults entering personal information warned that there is a good chance of exposure in the event of a data breach. violation.
Ofcom’s proposals include guidance on data protection and age assurance, all of which will increase the burden faced by businesses seeking to deal with age checks while ensuring the protection of user data. . And no, simply asking users to confirm that they’re over 18 or popping up a disclaimer isn’t enough to satisfy regulators.
Dame Melanie Dawes, chief executive of Ofcom, said: “Children have easy access to pornography online and new online safety laws clearly need to change.”
“Our practical guidance sets out a range of methods for highly effective age checks. It is clear that weaker methods, such as requiring users to self-declare their age, do not meet this standard. is.
“Regardless of the approach, we ensure that all our services ensure that children are well protected from encountering pornography, and that the privacy rights and freedom of adults to access lawful content are protected. I look forward to your consideration.”
This rule applies to services that are linked to the UK, i.e. where the UK is a target market or where the service has a “significant number” of UK users. However, Ofcom is vague about defining what constitutes such a figure. Ofcom also states that sites must not provide information or links about virtual private network (VPN) providers. However, throwing such blocks may tempt users to explore the technology, which carries its own risks.
Final guidance is expected to be published in early 2025, after which Ofcom expects the UK government to bring the obligation into force. ®