The UK's new age verification is a privacy nightmare, but it doesn't need to be
"They are over exposing data to prove a simple point, but there are ample alternatives."

You might be familiar with the process of verifying your age in the UK. There's no shame in that. Age verification is hardly limited to just those sorts of sites—it turns out all manner of content is now age-gated, including information on health topics surrounding addiction. Even Xbox is rolling it out. You don't have to be looking at extremely naughty adult content to get hit with a request to verify your age. But even if you're a good, rule-abiding adult looking to quickly verify your age and move on with your life, you should still be cautious as to the data you share and who you share it with.
Don't just take my word for it. Ofcom, the UK's regulator in charge of keeping watch for compliance with the Online Safety Act 2023, has said of the handing over of age verification data: "you should exercise a degree of caution and judgement when giving over personal information."
But there's an issue here: you don't get a say in who you hand your data over to. The website or service you're interacting with, the one asking for your age, has signed with an age verification provider to get it. That's who you're verifying with, and you don't get to pick and choose. You might have to verify with Persona, k-ID, Yoti, AgeChecked, Verifymy, Entrust, OneID… okay, I'm just listing a Google search now, you get the idea.
There are a lot of providers for age verification, or age assurance as they call it in the biz, and each one comes with its own data security promises and practices. From those I've checked, such as Discord's provider of choice, k-ID, they often say the right things about data protection, i.e. "Discord and k-ID do not permanently store personal identity documents or users' video selfies." But it's asking a lot of users to check the terms of service for every age verification provider. Even if you did, what if you don't like the look of a provider's data protection policy, but it's solely in charge of verification for your favourite website or application? Would you do it anyway?
The UK's current age verification system puts its faith in GDPR and the data security practices of a multitude of private companies to protect British users' data. That doesn't fill me with confidence when the companies collecting it are outside the UK or EU. These companies should still be GDPR compliant to some degree if they offer services in both regions, but it's tough to monitor the world at large for breaches, and a totally foreign provider might not be beholden to such stringent standards as one closer to home.
The Online Safety Act was passed on 26 October 2023, and includes provisions to protect children and adults from illegal content, block children's access to pornographic content, and put into place new criminal offences. It gives Ofcom, the UK regulator, powers to fine companies up to 10% of their global annual turnover. It also includes provisions on end-to-end encryption, though it's unclear how these would be enforced.
A provider that fails to offer satisfactory data protection can be reported to the Information Commissioner's Office (ICO), which handles complaints about data handling and oversees the auditing of PECR, another form of data protection legislation that will apply in this case. However, I generally have my doubts about whether any organisation, of any size, can stay on top of the sheer scale of information being dealt with in this system. It amounts to millions of age verification requests per day. Will data leaks be prevented, or will regulators mop up the mess once it's out there? Once information is on the internet, we all know how tough it is to scrub it off again.
More worrying still is the possibility of massive illegal data collection through spoofed websites or age assurance pop-ups (those made to look authentic, but which are not). A user may be misled into uploading their ID or passport, or providing a facial scan, to a system designed to steal that information and leverage it against the user, through identity theft or blackmail. Blackmail could be quite easy, considering some of the websites that are covered by the age protection, and the information that could be shared: an undeniable selfie.
So, it's easy for Ofcom to tell users to be careful about who they give their data to—it's not so easy in practice.
There are also other concerns with the Online Safety Act, such as the scope of what's included (alcohol and nicotine addiction subreddits and Wikipedia?!); whether it's in any way effective at actually blocking what it says it is (VPNs exist; I use Proton VPN); and whether it doesn't just drive users to riskier options, especially those hosted in unfriendly nations, with lesser data protection, or designed to do malicious things. Those are valid concerns too, but I want to focus on the privacy problem here, due to my own expertise, the experts I've spoken to, and an attempt to keep this article under 3,000 words (at which I have failed, even just covering the data angle). The intent is to inform—you can make your own mind up about the rest.
You'll also read about forthcoming measures in the EU with the Digital Services Act that sound a lot like the UK's. The UK and EU were, of course, once intertwined, though due to Brexit, they differ on some of the details. Similarly, Google is rolling out age assurance measures in the US, only to a small set of users at first before a wider rollout, and Xbox is thinking of expanding out to other regions with its age verification process. So, it's not just the UK, though it might be a special case in how poorly it's going about it.
That's a lot of bad news about how age verification currently works in the UK, but it doesn't need to be a privacy minefield from a technological standpoint. There are ways to provide age assurance that don't hand any personal information to the websites asking for it. In fact, there are so-called double blind alternatives that not only prevent websites from knowing who you are, but also stop the age verification providers from logging which website or service is asking.
So how do these solutions work, and why are we not using them already? Let's take a look.
A better solution
"I think many of the current age verification paradigms, like the one we're talking about in the UK, are like using a sledgehammer to crack a walnut," Evin McMullen, co-founder of age verification provider Privado ID, says. "They are over exposing data to prove a simple point, but there are ample alternatives that do not require the clear text disclosure of such sensitive information and impose upon businesses of all sizes, but especially many that were not equipped to handle and process this type of data."
Privado ID describes itself as creating privacy-preserving digital identity solutions, focused on "privacy, decentralization and user data self-sovereignty"—all things seemingly missing from the UK's existing system. McMullen makes light of this in our chat, noting that some age verification systems actually turn themselves into targets for hackers and are at risk of becoming honey-pots.
"We often see in age verification systems where copies of user or gamer information are being stored by each application or each game. Creating honey pots—creating an incentive for bad actors to try to break into these often poorly secured databases, where the rewards for bad actors accessing sensitive data often exceed the labour required to get access to that data inappropriately."
"And this not only is an issue, you know, in the gaming space for UK based gamers, but we also see it happening all over the world."

Evin McMullen is an identity expert and co-founder of Privado ID. The company offers open source, privacy-first identity verification infrastructure and digital wallet tools.
There is a better solution, however, one which would keep personal data away from specific websites, services and even providers: Zero Knowledge Proofs (ZKP).
ZKP is not new. It's a cryptographic technique for proving that a statement is true without revealing any information beyond the fact that it is true. ZKPs have been used on blockchains and even debated as a tool for nuclear disarmament talks, but in this context, they act as a guarantee that a user is over a certain age without providing any identifying information on said user.
"Do you trust math or a handshake more? It's the difference between math checks out and trust me, bro," says McMullen.
"No one wakes up in the morning with dreams of logging in. And so the more efficient and safe we can make that process, the better."
The benefit of using this sort of system, McMullen says, is it "does not require handing [personal data] over at all, but rather allowing users or gamers to retain their private personal information safely on their devices, and then to generate proofs from those devices, then be able to pass things like age verification. So that you basically keep a physical separation between that sensitive data and places where you're trying to use it."
A ZKP has to be secure itself, however, otherwise no one would trust it. There's still a degree of figuring out what exactly the standards are, and the World Wide Web Consortium (W3C) is trying to get some agreement across all parties with its Verifiable Credentials model.
"So we've got all these different parties, governments, platforms, games, identity providers, and they are not all speaking the same language. So it's like trying to run a raid with everyone using a different voice chat app, for example," McMullen says. "And so interoperability means getting them to use common standards, common types of data, common forms of verification. And as we saw in the early internet, we are now starting to see coalescence around these sorts of standard data types."
There is plenty of support for ZKP and wider wallet-based solutions.
The EU has been attempting to formulate a framework for this. It's called eIDAS, and while the first iteration was dedicated to cross-country interoperability for all the member states of the European Union, the second iteration, eIDAS 2.0, introduces interoperability through a European Digital Identity Wallet. This isn't just intended to be used for age verification, though that is the plan through the EU's centralised AV app (which already has plans to use ZKPs at some point in the future), but also to allow for transactions and systems of all types to be easier across member states, including opening bank accounts, submitting tax forms, and signing up for foreign universities.
Privado ID is one of a number of companies working with the European Commission on rolling out age verification systems built around ZKPs. Another is Google, which has already taken steps to introduce ZKP into Google Wallet, in partnership with Sparkasse in Germany. But working out how to achieve interoperability is a widespread effort, involving all manner of businesses, governments, and trade associations.
"There's a huge question about whether you would survive as an industry if you persisted with requiring everybody do a cookie pop-up age check on every game and site they went to. So in a way, it's almost existential," Iain Corby, executive director of The Age Verification Providers Association, says. Corby was previously deputy CEO of the UK charity GambleAware.
"We didn't want to become cookie pop-ups on steroids, and we're at a slight risk of doing that right now."
Corby works across a wide brief trying to square the circle of how to get private businesses, countries, and even political blocs to work towards some sort of agreement on how age verification works going forward; everyone needs to agree on how the checks should be done for the system to actually work. He worked on a pilot programme to test interoperability for age verification with the EU around five years ago, and today he's helped form euCONSENT, a non-profit organisation based in Brussels working on the AgeAware app to certify and audit age verification providers (companies like Privado ID) to work within a wider, trusted system. It's essentially planning to extend parts of eIDAS for a pan-European age verification system.

Iain Corby is executive director of The Age Verification Providers Association. He also works for euCONSENT, a non-profit organisation working on the AgeAware ecosystem.
An interoperable system works with tokens. These tokens contain a standardised set of information: whether a user passed an age check; to what standard of assurance they passed (these can vary depending on the needs of the platform, i.e. ordering a knife online could require more stringent age verification methods than, say, accessing parts of Reddit); the date the token was issued; and who issued it. This would all run through a decentralised anonymisation process, meaning if an age verification provider were to add a cookie to the token to try and track your access to websites, it'd be removed before it was of any use whatsoever.
AgeAware, and Privado ID, are open source software, so that they can be easily checked by third parties: "it should be as robust as the sort of claims that Telegram or Signal make," Corby says.
Acknowledging that the underlying technology is mostly ready to go—according to those I've spoken to, anyways—the hold up appears to be in figuring out the messier details around who works with who, who gets paid by who, and collaboration across borders.
"So I would say, from a technical perspective, we are mostly there," McMullen says, "but it's the incentives and the user experience where things start to get messy. You know, people do not want 10 digital IDs. They want one that works everywhere and doesn't spy on them."
Corby explains how he sees how an interoperable system (with ZKPs) might function behind-the-scenes, using Yoti, a popular age verification provider, and PlayStation as an example.
"So let's say PlayStation Plus and Yoti are working together," Corby says. "PlayStation would have to agree with Yoti which methods they were happy to use to get the right level of assurance [set by regulators]. And then they could say, 'well, oh, actually, Yoti, you don't do mobile phone checks. So would you like to work with [another age verification provider]?' So we can bring them in. Then Yoti needs to agree a price with them."
"What Sony wants to do is have as many people just access their system without doing a check. So they want to probably access as many tokens as possible…. So there should be a very strong market pressure to work with as many people as possible. And when you get to that point, then I can literally choose my age verification provider, get a token through that provider, and that will allow me my pass through that whole ecosystem."
The EU's Digital Services Act has a wide-ranging impact on online platforms, and aims to curb the spread of illegal content, services, and goods. It includes provisions for age verification to protect children and lays out the blueprint for an age verification framework and age assurance application.
This ends up, in theory, with a scenario that actually works with Ofcom's vague advice to "exercise a degree of caution and judgement when giving over personal information."
It remains an imperfect system, however. These private companies aren't doing these checks for free, they expect to be paid, and working out who gets the money for each check might require a so-called "orchestration service", which operates independently and sits in the background assigning cash to companies for their part in the process. Someone also has to foot the bill… that someone is likely the website or service provider, in striking deals with age verification providers, which in itself has huge implications for what sort of websites can even afford to do so. It's certainly not hobbyist forums with little to no cash flow.
Pricing is a sticking point. Corby notes some US providers have tried to charge upwards of $1.50 for an identity check but believes that's wishful thinking on the part of venture capitalists, with the UK Government's expectation that increased demand and market forces will take hold and reduce costs from a much lower starting price than that. The UK Government has set an estimated price of around 10 pence per check for the time being. Corby tells me that there's some benefit in re-using checks through tokens in deferring costs for website operators, but ultimately they will have to pay a price to get compliant.
Both Corby and McMullen agree, though, that an independent age verification sector is a benefit overall.
"I do not think that any one brand or company can, or, quite frankly, should, centrally control, monopolistically control, the way that we are able to represent ourselves online," McMullen says.
"In the same way that we have a diversity of web browsers, a diversity of hardware devices, so too, I think should we be able to choose a diversity of interfaces. But the rails underneath those applications, those wallet-like tools that allow us to represent ourselves in digital space. I think that is where standardisation is required."

This may end up being a split in the future for the UK and EU's systems. The EU, Corby says, is contemplating "effectively nationalising the whole age verification industry." The benefit of this is that, initially, it appears the EU's AV app prototype is more effective in minimising the risk to users' privacy, but in the long run it would see the EU effectively manage the entire process, which may end up being clunkier than private ventures all competing with one another for sign-ups and advancing the tech. Or it might end up more or less the same.
"The beauty of [ZKPs] is a single provider can go live with it. I mean, the options you get will only be that provider's options, but they immediately get the benefit of the double blind zero knowledge proof transmission and just the usability for the users' experience. Then as soon as you've got the network effect, hopefully it will just take off fairly fast," Corby says.
Corby tells me they expect better verification methods to go live in as little time as a couple months from now. So, in the autumn. That might be a handful of providers at first, but even Ofcom's fairly sparse guidance on the matter suggests age verification providers should stay up to date with interoperable standards and consider implementing them. It even name checks euCONSENT.
McMullen is also positive that the change will spread across the internet in coming months and years, with new verification types becoming available, including human verification, or proof of life, to combat AI agents posing as people. However, they also note it is likely to be "a more crowded and clumsy adoption curve than a clean and simplified one."
"But it is imperative that the builders of these experiences prioritize utility and security for their users if we want to continue to enjoy the internet," McMullen says.
From diving deeper into the technical details of the age verification process, I've come away with mixed feelings. The people driving the technology behind it are determined to make it better, using solutions that largely already exist or are near-enough good to go, and they have the right ideas about what's important for users. Which makes it all the worse that the initial system rolled out in the UK is so utterly shambolic for user privacy. That seems to be a regulatory/political decision, deciding to go ahead despite the concerns and playing it fast and loose with British citizens' data.

Jacob earned his first byline writing for his own tech blog. From there, he graduated to professionally breaking things as hardware writer at PCGamesN, and would go on to run the team as hardware editor. He joined PC Gamer's top staff as senior hardware editor before becoming managing editor of the hardware team, and you'll now find him reporting on the latest developments in the technology and gaming industries and testing the newest PC components.