It's ba-ack... UK watchdog publishes age verification proposals

The UK's communications regulator has laid out guidance on how online services might perform age checks as part of the Online Safety Act.

The range of proposals from Ofcom are likely to send privacy activists running for the hills. These include credit card checks, facial age estimation, and photo ID matching.

The checks are all in the name of protecting children from the grot that festoons large swathes of the world wide web. However, service providers will likely be stuck between a rock and a hard place in implementing the guidance without also falling foul of privacy regulations. For example, Ofcom notes the following age checks as potentially "highly effective":

• Open banking, where a bank confirms a user is over 18 without sharing any other personal information.
• Mobile network operator (MNO) age check, where the responsibility is shunted onto an MNO content restriction filter that can only be removed if the device user can prove to the MNO that they are over 18.
• Photo ID matching, where an image of the user is compared to an uploaded document used as proof of age to verify that they are the same person.
• Credit card checks, where a credit card account is checked for validity – in the UK, credit card holders must be over 18.
• Digital identity wallets and, our favorite, facial age estimation, where the features of a user's face are analyzed to estimate the user's age.

It doesn't take a genius to imagine how a determined teenager might circumvent many of these restrictions, nor the potential privacy nightmare inherent in many of them if an adult is forced to share this level of info when accessing age-restricted sites.

At this point, readers might be getting a distinct feeling of déjà vu. In 2022, the UK government threatened the requirement of handing over all range of personal data to access social media sites. The justification was protecting children from pornography, and so here we are. The idea of age verification was floated years before and has returned as part of the Online Safety Bill.

The previous time around, the idea of allowing certain firms to work as information collaters / age verification service providers was floated, with critics correctly surmising this would create huge jackpot targets of citizen data.

In 2022, Daniel Pryor, then head of research at the Adam Smith Institute think tank, warned that any tech-savvy teen would likely be able to circumvent restrictions, while adults entering their details stood every chance of being exposed in the event of a data breach.

The Ofcom proposals include guidance on data protection as well as age assurance, all of which will add to the burden faced by operators trying to deal with age checks while also ensuring user data is protected. And no, simply asking the user to confirm they are over 18 or popping up a disclaimer isn't going to be sufficient to satisfy the regulator.

Dame Melanie Dawes, Ofcom's chief executive, said: "Pornography is too readily accessible to children online, and the new online safety laws are clear that must change.

"Our practical guidance sets out a range of methods for highly effective age checks. We're clear that weaker methods – such as allowing users to self-declare their age – won't meet this standard.

"Regardless of their approach, we expect all services to offer robust protection to children from stumbling across pornography, and also to take care that privacy rights and freedoms for adults to access legal content are safeguarded."

• King Charles III signs off on UK Online Safety Act, with unenforceable spying clause
• Watchdog mulls online facial age-verification tech – for kids' parents
• Pornhub walls off Utah in age-verification law protest
• Children should have separate sections in social media sites, says UK coroner

The rules apply to services with links to the UK – where the UK is a target market, or the service has a "significant number" of UK users. Ofcom is, however, vague when it comes to defining what constitutes such a number. Ofcom also states that sites must not provide information about or links to Virtual Private Network (VPN) providers. However, there is every risk that by throwing up such blocks, users will be tempted to look into the technology, which carries its own dangers.

The final guidance is due in early 2025, after which Ofcom expects the UK government to bring the duties into force. ®