UK Age Checks: Privacy Panic or Fixable Flaw?

Age Verification in the UK: A Privacy Minefield?

You’re likely familiar with the increasing need to verify your age online in the UK. It’s not just for accessing adult content anymore. A wide range of online content, including health information related to addiction, and even features on Xbox now sit behind age gates. While verifying your age might seem like a simple task, it’s crucial to be aware of the data you’re sharing and who you’re sharing it with.

Ofcom, the UK’s regulatory body responsible for monitoring compliance with the Online Safety Act 2023, advises caution and careful consideration when providing personal information for age verification. However, the current system offers limited control over who receives your data.

How Age Verification Works Now

When a website or service requires age verification, it has partnered with a specific age verification provider. This means you’re essentially forced to verify your age through that particular provider, regardless of your preferences. The list of providers is extensive, including names like Persona, k-ID, Yoti, AgeChecked, Verifymy, Entrust, and OneID. Each provider has its own data security policies and practices.

While many providers, like k-ID (used by Discord), claim to protect your data and state that they don’t permanently store personal identity documents or video selfies, it’s unrealistic to expect users to meticulously review the terms of service for every provider they encounter. Even if you do, you might find yourself in a situation where you disagree with a provider’s data protection policy but are still required to use them to access your favourite website or application.

Data Security Concerns

The UK’s current age verification system relies heavily on GDPR and the data security measures of numerous private companies to safeguard user data. This raises concerns, especially when the companies collecting data are located outside the UK or EU. While these companies should still adhere to GDPR if they offer services in these regions, monitoring global compliance and addressing breaches is challenging. A provider based in a foreign country might not be subject to the same stringent standards as one closer to home.

If a provider fails to offer adequate data protection, you can report them to the Information Commissioner’s Office (ICO), which handles data handling complaints and oversees the auditing of PECR. However, given the sheer volume of information processed daily through millions of age verification requests, it’s questionable whether any organisation can effectively manage and safeguard it all. The risk of data leaks and the difficulty of removing information once it’s online remain significant concerns.

The Threat of Spoofed Websites

There’s also a worrying potential for large-scale illegal data collection through fake websites or age assurance pop-ups designed to mimic legitimate ones. Users could be tricked into uploading their ID, passport, or providing facial scans to systems designed to steal this information for identity theft or blackmail. The sensitive nature of the websites requiring age verification, coupled with the potential for capturing undeniable selfies, makes blackmail a particularly concerning risk.

While Ofcom’s advice to be cautious about sharing data is sound, it’s difficult to put into practice within the current system.

Broader Concerns with the Online Safety Act

Beyond privacy, the Online Safety Act raises other concerns, including:

  • Scope: The Act’s reach extends to areas like alcohol and nicotine addiction subreddits and even Wikipedia.
  • Effectiveness: The Act’s ability to block content is questionable, especially with the availability of VPNs.
  • Unintended Consequences: The Act might drive users to riskier platforms hosted in countries with weaker data protection or malicious intent.

While these concerns are valid, the focus here is on the privacy implications of age verification due to its significant impact on users and the availability of alternative, more privacy-focused solutions.

The EU and US are Also Addressing Age Verification

The EU is also developing similar measures through the Digital Services Act. While the UK and EU once had closer ties, Brexit has led to some differences in their approaches. Google is also piloting age assurance measures in the US, starting with a small group of users before a wider rollout. Xbox is considering expanding its age verification process to other regions. This shows that the UK is not alone in addressing this issue, but its current implementation might be particularly flawed.

A Better Solution: Zero Knowledge Proofs (ZKP)

The current age verification system doesn’t have to be a privacy nightmare. There are methods for providing age assurance without sharing any personal information with the requesting website. Double-blind alternatives exist that prevent both the website and the verification provider from knowing who you are or which website is making the request.

How Do These Solutions Work?

Evin McMullen, co-founder of Privado ID, argues that the current UK system is like “using a sledgehammer to crack a walnut,” overexposing data to prove a simple point. Privado ID focuses on creating privacy-preserving digital identity solutions centered on privacy, decentralisation, and user data self-sovereignty.

Zero Knowledge Proofs (ZKP) offer a better approach. ZKP is a cryptographic technique that proves something is true without revealing any underlying information. While ZKP has been used in blockchains and even discussed in nuclear disarmament talks, in this context, it guarantees that a user is above a certain age without disclosing any identifying information.

McMullen uses the analogy: “Do you trust math or a handshake more? It’s the difference between math checks out and trust me, bro.”

With ZKP, users retain their personal data safely on their devices and generate proofs to verify their age, keeping their sensitive information separate from the websites they’re accessing.

The Need for Interoperability

For ZKP to be effective, it must be secure and trusted. The World Wide Web Consortium (W3C) is working to establish common standards through its Verifiable Credentials models.

McMullen compares the current situation to “trying to run a raid with everyone using a different voice chat app,” highlighting the need for interoperability between governments, platforms, games, and identity providers.

EU’s eIDAS and Digital Identity Wallets

The EU is developing a framework called eIDAS to address this. The second iteration, eIDAS 2.0, introduces interoperability through a European Digital Identity Wallet. This wallet will not only be used for age verification through the EU’s centralised AV app (which plans to use ZKPs), but also for transactions and systems across member states, such as opening bank accounts, submitting tax forms, and enrolling in foreign universities.

Privado ID and Google are among the companies working with the European Commission on ZKP-based age verification systems. Google has already introduced ZKP into Google Wallet in partnership with Sparkasse in Germany.

Iain Corby, executive director of The Age Verification Providers Association, expresses concern about becoming “cookie pop-ups on steroids” and the need to avoid requiring users to perform age checks on every website they visit.

Corby is working to achieve agreement between businesses, countries, and political blocs on age verification methods. He helped form euCONSENT, a non-profit organisation based in Brussels, to certify and audit age verification providers to work within a wider, trusted system, essentially extending parts of eIDAS for a pan-European age verification system.

How an Interoperable System Works

An interoperable system uses tokens containing standardised information:

  • Whether a user passed an age check.
  • The standard of assurance they passed.
  • The date the token was issued.
  • Who issued the token.

This system would run through a decentralised anonymisation process to prevent tracking.
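
As an added illustration (not code from euCONSENT, Yoti or any provider named here), the sketch below shows how a website could check a token carrying only the four fields listed above. The issuer name, assurance levels, 90-day validity window and token encoding are assumptions, and the standard-library HMAC tag stands in for an issuer's public-key signature.

```python
import base64, hashlib, hmac, json
from datetime import date

# Constructed trust list: issuer -> verification key (assumption; a real
# deployment would hold issuer public keys and verify a signature instead).
TRUSTED_ISSUERS = {"example-provider": b"constructed-demo-key"}
ASSURANCE_RANK = {"basic": 1, "standard": 2, "strict": 3}  # hypothetical levels

def issue_token(issuer, key, passed, assurance, issued):
    """Issuer side: encode the four fields (no user identifier) and tag them."""
    claims = {"passed": passed, "assurance": assurance,
              "issued": issued.isoformat(), "issuer": issuer}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag

def check_token(token, required_assurance, today, max_age_days=90):
    """Website side: return (accepted, reason) for a presented token."""
    try:
        body, tag = token.split(".")
        claims = json.loads(base64.urlsafe_b64decode(body))
        passed = claims["passed"]
        level = ASSURANCE_RANK[claims["assurance"]]
        issued = date.fromisoformat(claims["issued"])
        key = TRUSTED_ISSUERS.get(claims["issuer"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed token"
    if key is None:
        return False, "unknown issuer"
    # Integrity is checked before any claim is acted on.
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False, "bad integrity tag"
    if passed is not True:
        return False, "age check not passed"
    if level < ASSURANCE_RANK[required_assurance]:
        return False, "assurance too low"
    age_days = (today - issued).days
    if age_days < 0 or age_days > max_age_days:
        return False, "token outside validity window"
    return True, "ok"
```

The website learns only the pass result, the assurance standard, the issue date and the issuer; a token from an issuer outside its trust list, below its required standard, or older than its window is rejected.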

Open Source Software and User Control

AgeAware and Privado ID are open-source software, allowing for third-party verification.

McMullen emphasises that “people do not want 10 digital IDs. They want one that works everywhere and doesn’t spy on them.”

A Hypothetical Example

Corby provides an example of how an interoperable system might function using Yoti and PlayStation. PlayStation would agree with Yoti on acceptable verification methods to meet regulatory requirements. If Yoti lacks a specific method, they could partner with another provider. The goal is to allow users to access the system with as few checks as possible, creating market pressure to work with as many providers as possible. Users could then choose their preferred provider and use a token to access the entire ecosystem.

Remaining Challenges

While the technology is largely ready, challenges remain in determining payment structures and collaboration across borders.

The website or service provider will likely bear the cost of age verification, impacting smaller websites with limited resources.

Pricing is also a concern, with the UK Government estimating a price of around 10 pence per check.

Independent Age Verification Sector

Both Corby and McMullen agree on the benefits of an independent age verification sector.

McMullen believes that no single entity should monopolise online identity representation and that users should have a choice of interfaces, while standardisation is needed beneath the surface.

UK vs. EU Approaches

The UK and EU may diverge in their approaches, with the EU considering “effectively nationalising the whole age verification industry.” While this might initially minimise privacy risks, it could become less efficient than a competitive private sector.

The Future of Age Verification

Corby expects better verification methods to go live soon, potentially including human verification to combat AI agents.

McMullen anticipates a “more crowded and clumsy adoption curve than a clean and simplified one” but stresses the importance of prioritising utility and security for users.

Conclusion

While the technology for better age verification exists, the initial system rolled out in the UK raises significant privacy concerns. The people developing the technology are committed to improving it, but the current situation appears to be the result of regulatory decisions that prioritise speed over user data protection.
