Thu. Mar 26th, 2026

UK Regulators Detail What ‘Highly Effective’ Age Assurance Means for Online Safety

The UK’s contentious Online Safety Act (OSA), enacted over a year ago, aims to place new responsibilities on social media and search platforms to safeguard their users. However, the precise implications of the legislation and its implementation methods, particularly concerning age verification, are still being determined. To address this, two prominent UK regulatory bodies, the Information Commissioner’s Office (ICO) and Ofcom, have now issued a joint statement [PDF] outlining expectations for companies to meet these new obligations.

The ICO, responsible for UK information rights, and Ofcom, which regulates communication industries, have provided broad guidelines. A central and recurring theme in their statement is the requirement for “highly effective age assurance (HEAA)” where applicable for online services.

What exactly constitutes this somewhat vague term? The regulators define it with a degree of flexibility: age assurance solutions should be technically accurate, robust, reliable, and fair, while also considering accessibility and interoperability. This intentional ambiguity aims to grant services the flexibility to select age assurance methods that best fit their specific context, including their size, user base, and available resources.

While precise assessment criteria remain unstated, the regulators did offer examples of what qualifies as HEAA. These include (but are not limited to):

  • Credit card verification
  • Open banking solutions
  • Photo-ID matching
  • Facial age estimation
  • Mobile-network operator (MNO) age checks
  • Digital identity services
  • Email-based age estimation

Conversely, methods deemed not to be highly effective include self-declaration, debit card checks, or general contractual clauses restricting children’s use of a service.

Should an online service provider not implement HEAA checks, they must factor this into their children’s risk assessment and deploy necessary protections to ensure their service is suitable for all children.

This “highly effective” requirement appears primarily targeted at services that feature pornographic content. Under the OSA, user-to-user services likely to be accessed by children and allowing “primary priority content” (harmful material), or services publishing their own pornographic content, are mandated to use HEAA to prevent minors from accessing such material.

Crucially, both the ICO and Ofcom emphasize a “flexible, tech-neutral approach” to age assurance. This means regulators will not enforce any specific technological solution, provided it is “highly effective,” proportionate to the identified risks, and adheres to data protection legislation.

This approach differs notably from the European Union’s strategy. The EU is developing an age verification blueprint that aims to establish a common method for member states to use. While this could simplify regulation, it places significant pressure on the political bodies to ensure the chosen technology is precisely right.

A significant concern surrounding age verification generally revolves around ensuring data privacy. While numerous innovative solutions exist, the most secure ones typically employ “zero-knowledge proofs (ZKPs)”. These techniques allow a company to verify a claim about a user’s identity or age, for example that the user is over 18, without ever receiving or storing the underlying personal information, so the personal data itself stays private.

The joint statement does not explicitly mention ZKPs, but their use would certainly align with the “highly effective” criterion. There is ample discussion of data privacy, with the ICO’s separate guidelines, for instance, advising services to “embed data protection into the design of your products, services and applications.”

However, there’s a distinction between protecting collected data from leaks or misuse and preventing its collection and storage in the first place. Mandating a focus on privacy and data protection doesn’t automatically equate to the implementation of ZKP and complete data privacy.

It’s vital to continue advocating for methods like ZKPs to ensure that if age assurance measures become mandatory, they do so without compromising user privacy. Furthermore, it’s worth remembering that many experts caution against the widespread implementation of such verification without careful consideration of potential pitfalls.

By Artemius Grimthorne

Artemius Grimthorne: Independent journalist based in Manchester, covering the intersection of technology and society. Over seven years investigating cyber threats, scientific breakthroughs and their impact on daily life. Started as a technical consultant before transitioning to journalism, specializing in digital security investigations.
