
Over-18s only: the clock is ticking for age-verification technology

Image credit: Getty images, Alamy, Dreamstime

One important function of censorship is to keep unsuitable products and services away from those who are too young to be subjected to them. How can technology determine how old a user is? The answer had better present itself soon, as a legal obligation is on the horizon.

How many children under the age of 18 reach that point in a website when they are faced by that digital fortress that is the ‘Are you over 18?’ tick box and then turn back to deal with more juvenile matters? Not many.

This, though, is about to change. Following parental concerns that adult-orientated material was too easily accessible by children – by accident as well as through youthful curiosity – the Digital Economy Act was drawn up and passed by Parliament in April 2017. Its consequences are likely to be felt in the first half of next year when it becomes enforceable, probably at the beginning of May. Age verification will not only become compulsory; it will also be required to be legitimate. The ‘age’ tick box should become a thing of the past.

There are current ways of combating age deception that can be perfectly adequate. Online ordering of goods that are to be delivered should theoretically be the easiest to deal with. Tobacco, alcohol, solvents, fireworks and knives – all require the purchaser to be 18 or over. Britain’s largest retailer, Tesco, claims that the face-to-face contact between delivery person and the recipient for its home delivery service equates to the experience of buying over the counter. Unless the recipient is the person who ordered the goods and can produce proof of identity and age, the goods cannot be released. Having its own drivers gives Tesco the confidence that this practice is strictly adhered to, according to the company.

Many companies make deliveries through third-party services – couriers – which arguably do not have the same compulsion to follow another company’s delivery policy. There are anecdotal stories of cartons of cigarettes, bottles of spirits, fireworks or sharp knives being left with young children, rather than being put back in the van for redelivery. This is not quite the same as online ordering, but it’s not a big step for a wily teenager to get the hang of what will and what will not be delivered and then progress to making the purchases as well.

Amazon uses the qualifier: “By placing an order for one of these items you are declaring that you are 18 years of age or over. These items must be used responsibly and appropriately.” That is hardly going to dissuade an enthusiastic teenager.

Having the ability to pay online is not a preventative measure either, as banks like Lloyds TSB and HSBC can offer junior accounts, including the use of a debit card, from the age of 11 onwards.

Assuming deliveries are not going to be abandoned in a porch or other ‘safe place’, however, a product has the advantage that it will be delivered with face-to-face contact, going some way to take away the underage concerns if done diligently. The opposite is true when it comes to services, which are more problematic.

Preventing children witnessing unsuitable content is at the heart of the issue. John Marsden is head of fraud and identity at Equifax, one of three UK credit reference agencies. He says: “We’ve had age checking over the counter for some time now, but there are issues with particularly sensitive bits of information that are not locked down to age at the moment, and the biggest one is pornography. The world of digital has turned it on its head.”

It is difficult to determine the scale of the problem, as real numbers will only be in the domain of adult providers, who are understandably reluctant to offer the information. Alistair Graham, founder of age verification company Agechecked, says: “I would say when we are speaking to both adult providers and legislators about the size of the problem, around 25 per cent [of people watching adult entertainment being under age] is seen as a reasonable figure. So, it is in the millions.”

But are companies providing pornography or other content deemed unsuitable for under-18s doing anything wrong? Netflix claims to have adequate parental controls built up to allow responsible parents to protect their offspring from anything inappropriate. This works as long as the adult remembers to set it up properly, is at least as adept technologically as the child, and in fact is an adult in the first place – it is only the universally ignored T&Cs that stipulate the customer must be over 18.

Graham says: “This is the crux of the problem – is it the parents’ responsibility, the child or the provider? Realistically, if your child was given a bottle of whisky by an adult when you weren’t aware, the finger instinctively points at the other adult. It is the same here – this is about policing the provider.”

The scope of the Digital Economy Act goes far beyond age verification – it is a wide-ranging act that covers many aspects of how digital information is distributed and used and how the businesses that use digital platforms do so fairly and responsibly.

One stated intention is that it is to “provide for restricting access to online pornography”, and that is where age verification comes in. A policy group called the Digital Policy Alliance (which includes both Equifax and Agechecked) was set up to consult on how best to implement this, but Marsden observes that one particular step needs to be made: “To have a regulation you need a regulator who was going to be responsible for that online content. This type of business will not apply it unless it knows it is going to get policed. In policing the Bill we’re talking about putting firewalls round the country to stop content coming in, and stopping providers in the UK with the original provision. Somebody will need to accept that regulatory body supervisory role for the deadline [next spring] to be applied.”

That regulator, which will be appointed by the government’s Department for Digital, Culture, Media and Sport (DCMS), is widely expected to be the British Board of Film Classification (BBFC). This would appear a natural extension of the BBFC’s scope from television, film and physical media further into the online world.

Morally, claims Graham, “this is not taking it any further than we as customers have been used to for hundreds of years”. It will signify an emphasis on everyone involved being responsible. “What is interesting in the legislation in the UK is that there are other service providers that also come under an umbrella of what is known as auxiliary service providers. If they are helping that distributor as part of their service to distribute adult content they are also obligated to ensure that merchant has age verification in place.”

Payment providers would come under this umbrella, as could hosting services, VPNs and ISPs. Theoretically, no one will be able to view age-classified content without having their age verified, but it will take time for the industry to evolve to accommodate the new legislation. Payment providers could be an obvious frontline for age verification but then not all content is distributed in a way which immediately involves money.

“The majority of content online has no fee when the content is delivered,” Graham says. “Payment on its own is not the sole solution. Potentially, hosting providers – people that are providing the hosting services for these organisations – would be responsible for making sure that whoever they are hosting has these measures in place.”

He estimates that there are millions of relevant sites in the UK and the number of people that are likely to be verified is 20 to 30 million – all in a short space of time in 2018.

Anonymity (termed in the sector as ‘pseudo anonymous’) is the key to this verification, particularly for adult content sites. There is a sensitivity to such sites which means many users, even if over 18 and legally allowed to view the content, do not want to leave any data trails that would associate them with it. The goal for much of that industry, as well as the consumers of it, is to have a system where the user verifies once and thereafter just has to log in.

Moreover, the initial verification is not done with the adult content provider. “I think people really need to feel that they are giving their information to a site that doesn’t do anything but verify them,” says Graham. “For us, anonymity is absolutely critical to everything we do. In fact, once we verify a customer, we scrub any personal information from that verification so that person can still use their account to be able to login anonymously and we don’t actually know who they are, which is fine because that is the service we provide. We don’t do anything with any data other than age verification.”

There are a number of ways of verifying age, cross-checking with the data held by the credit reference agencies (Equifax, Experian and Core Credit). One is the credit card, which cannot generally be issued in the UK until the age of 18. There is the added advantage here that 3D secure (such as ‘MasterCard SecureCode’ and ‘Verified by Visa’) can be used to determine that the person using the card is who they say they are and not someone using, for example, their parent’s credit card.

And there are other methods. Any owner of a mobile phone in the UK that is viewing adult content must go through age verification to unlock their phones, so those numbers will have records against them as to whether they have been unlocked or not. Then there are also standard methods such as electoral roll look-ups, passports and driving licences.

The integrity of the test may vary according to requirements, as Graham explains: “Depending on which particular regulator you are talking to, certain checks will be robust enough for them and certain checks will be too light-touch. The goal is to move from a status where there is no proper effective age verification happening online to an area where it is ubiquitous; it works across the board. Some regulators may want more confidence that a person is a particular age and is definitely that person, and they might put more standards in place. But we are a long way from there.

“Currently the ‘18, yes or no’ is the status quo, which is rubbish. This time next year, when everybody has got used to doing the light-touch verification that is proposed for the adult industry traffic, then we will be in a lot stronger place than we are today.”

Unquestionably there is a huge issue, particularly with relation to the adult film sector, and it will be a challenge for the regulator to come up with a system that works for both the industry and its users. It will be the regulator who determines how the Digital Economy Act is enforced in its own sector.

“The current idea with the online adult content is there is a massive problem and fixing the vast majority of it with a light-touch age verification moves us a long, long way in the right direction,” says Graham. As data increases and methods of using it improve, it could be that the regulators start being more demanding, but as Graham adds: “The main thing, really, is solving the majority of the problem and not trying to make the perfect solution and becoming the enemy of the good.”

There are 56 types of product that are age restricted in the UK, spanning 16 sectors. It is intended that age-verification technology will be demonstrably easy to use for both the service provider and the user and will become a familiar online feature next year. The most disturbing use of age deception is when an adult pretends to be a child. The technology is not there yet to provide protection for this, but development for underage misuse will hopefully lead to the technology for the reverse scenario as well. 

Imminent changes in data law ‘will have a massive impact’

The General Data Protection Regulation needs to be complied with by 25 May 2018. It is EU legislation but the UK government has confirmed that Brexit will not affect British adoption. GDPR will be regulated by the Information Commissioner’s Office (ICO).

The government is introducing measures related to this and wider data protection reforms in a Data Protection Bill, which needs to be in place before the May deadline for GDPR next year. The consequences are potentially huge. Data is only allowed to be used for the sole purpose that it was collected for and if permissions do not exist for historical data then they will need to be re-gathered. There will also be the right for an individual to examine any information that is held on them.

The upshot should be that details are more secure and unwanted use of them, for example sales calls and emails, will cease.

But the short-term impact, according to research from recruitment company Robert Half UK, is that 66 per cent of CIOs will hire additional, permanent employees to cope with the introduction of GDPR.

John Marsden from Equifax says: “We’ve probably put another 25 or 30 people on our staff just concentrating on how to audit data, explaining where it’s from, deleting things if we think it’s not going to comply and making sure that the terms and conditions that it was shared with us in the first place were correct and robust.

“So yes, it will have a massive impact on us.”
