Like many I have watched with interest the response to the introduction of age assurance requirements in the UK for sites with content unsuitable for children.
The mainstream media has mostly picked up on the objections, usually on the grounds of privacy, security and freedom. In some cases the reporting is comprehensive, responsible, and provides exactly the scrutiny that the press at its best delivers in our society. In the worst cases, it is absolutely ridiculous. A particular low point for me is Chris Stokel-Walker’s piece for the Independent with the headline “The overzealous Online Safety Act means showing ID to get a pizza delivered“. Wow is that wrong. The Online Safety Act simply doesn’t cover sales of food or home deliveries of food in any way. He’s reacting to a social post apparently showing a message from a pizza delivery company saying ID will be required on delivery. Assuming it’s real, that may be at the discretion of the company, or more likely because the delivery contains alcohol. I don’t know which – or if there’s some other explanation – but it’s nothing to do with the new UK regulations on online safety! Not much research would have been required to check that…
Lazy journalism aside, there are some important questions that journalists and others are asking that need to be addressed, and I wanted to share my thoughts on some of these issues.
The first is around the idea that age assurance results in personal data being captured and stored, and therefore is can potentially be leaked in the future. The Online Safety Act absolutely does not require this – and data protection legislation would actively discourage it. Highly effective age assurance can be accomplished with privacy preserving technology like facial age estimation. The best providers (and I’d hold OSTIA member Yoti up as an example) have offerings that store no personal data once age estimation is complete.
We also hear concerns around circumvention with fake (AI generated documents). Good age assurance solutions should at very least cross-reference any documents uploaded against other sources, and use liveness detection to ensure the person submitting the document is the same person as appears in the picture. Good facial age estimation should similarly use liveness checks to ensure it’s not just being shown a picture of someone else.
Concerns around adults carrying out age assurance steps for children are reasonable and undoubtedly this will happen. This is just like in the real world, where sometimes people go into the shops and buy cigarettes and alcohol for kids but we don’t say “right, stop age checks on alcohol sales because an adult might help a child circumvent it.” We accept that no system is perfect, but that age checks stop a lot of children accessing alcohol and cigarettes a lot of the time and that is hugely positive – even if there are gaps.
Most of these concerns raised about the age assurance process are either concerns about age assurance that doesn’t have proper privacy protection, cross referencing, or liveness checks, or concerns that adults will help kids bypass it (which can happen with most real-world age checks too – and only happens a tiny proportion of the time).
The second point commonly raised is that VPNs can be used to circumvent age assurance, rendering it pointless.
The Online Safety Act requires effective age verification, and age verification that can be bypassed with a VPN can’t be said to be effective, so I suspect many sites will be asked by regulators to age verify when VPN software is in use (many sites detect VPNs for rights protection in steaming so we know it can be done) and close that loophole. This could prove problematic as users outside the UKs accessing sites via VPNs might also be asked to age verify – so it remains to be seen if efforts in this direction will succeed. The tech-savvy will doubtless still be able to find VPNs that aren’t blocked or other mechanisms (even simple proxies) but that’s likely to be a small minority.
For any safety measure there will always be ways to circumvent it. We know the majority of people don’t use VPNs, don’t know how to us them, and even those that have them don’t use them consistently. So for now some people will circumvent age assurance with VPNs, but MOST won’t. Many children will be protected from content by the “speed bump” even if there is a way to circumvent for the more tech savvy.
People should also be wary of some VPNs. Much as some age assurance uses methods with privacy risks, some VPNs do too. While the best VPNs might protect your anonymity very well and allow you to present as being in a different country, there are also bad actors in that community and many free VPNs log activity which creates an obvious vulnerability if their records of peoples browsing history is released. So a poorly chosen VPN may be a bigger privacy threat than good quality anonymous and privacy protecting age assurance in some situations.
A really important point a lot of the coverage seems to miss out is that made very ably by John Carr, who in his Desiderata blog post “A very popular measure” reminds us that polling shows 69% of the population of the UK support these new age assurance measures, with 46% supporting them strongly. It feels to me like the 31% who don’t support the measure are getting a lot more air time than the 69% who do, even though most governments are elected by finer margins (the current UK government won only 43.6% of the popular vote).
I’d be delighted to see more sophisticated discussion on some of these issues – and less of the clickbait headlines based on complete fabrication or abject misunderstanding. For the avoidance of doubt, the Online Safety Act did not in fact steal my pizza, or anyone elses!
