Age Verification is just months away from becoming the law and, for all the criticisms to date, opposition to it has been ineffective. When the ‘cookie law’ was introduced in 2011, it was expected by regulators and others that a good design would supplant the initial one, which is merely compliant. That did not happen. To avoid Age Verification becoming the new cookie law, there needs to be a design pattern that offers privacy as a benefit, not as a burden.
Age Verification is a narrow form of ‘identity assurance’ – where only one attribute (age) need be defined. The method by which this is done is not prescribed, but it would be perverse were the desire for privacy and protection to create more new databases and even more risk. And these issues have been solved before, replacing the ID card and scheme with Verify; that infrastructure is rolling out EU-wide, and can be reused.
Given GDPR, the patterns should be as shown to the right:
Users get a choice of skipping verification this time – and being asked against next time – or the ability to verify their age with a separate service which will provide the website with a single attribute of confirmation:
“The user is over the age you need them to be” (i.e. 13 / 16 / 18 / 21 / 65).
There is nothing else a site needs to store in order to be completely compliant with this requirement of the GDPR: when a site sends a user to a verification service, the user only comes back with a token signed by the service if they are of the required age. Simple!
Such services should follow the EU’s eIDAS Regulation and the UK’s GOV.UK Identity Assurance standards, i.e. reusing credentials that already exist (also providing an incentive for countries to finish deployment). Whether an adult is approving a site for themselves, or for a child for whom they are responsible, would be a record held by the verification service.
If facebook and Google want to get into the ID assurance game, then that’s OK too; but they must also only provide the same answer, and no provider can be preferred over any other. Each assurer must, of course, be insured.
While we suggest the “GDPR_Age_Verification” as an HTML button ID, we suggest W3C and browser vendors agree a standard name.
If you provide a service that can validate age or parental responsibility internally, where you simply need to know that parental permission has been asserted for the child, the second button can link to a page with a unique reference code – so the URL for that page can be sent to the parent or carer, who can log in on a different device. When the parent then logs in using their credentials, they are asked to confirm responsibility, approval, and (optionally) any other parental-control settings you wish to offer. The child should not be expected to know their parent’s username.
In the UK, we also have PornID
While GDPR is EU-wide, the UK is also requiring Age Verification for adult sites from 2018. The same privacy-preserving design above also applies here.
The Verify programme has had no permanent lead for over a year – it is managed only “temporarily” – which means GDS has no coherent view on a critical technology policy inside Government; this is a failing that can be laid solely at the feet of the current GDS leadership.
The Manifesto on which the UK Government was elected in 2017 is clear. Multiple political policies are now interacting with clear political will – ‘PornID’, GDPR, Verify – yet there is no leadership to deliver services that meet the stated and legally-mandated need.
There is rightly concern at the creation of a vast database of porn habits; yet the Verify model protects privacy throughout, such that no party knows too much about any other party. The service need know only one thing: if it sends a browser session to a Verify service, it will only come back verified if the user is of the required age.
Given the punitive fines for failures, any such infrastructure and all assertions should be insured, and re-insurable. Verify was designed to meet such standards; anything else providing such a service must also do so.
Verify was also designed for commercial reuse, so why not re-use it? (And thereby meet the usage targets that GDS has set itself.) The only reason appears to be lack of political desire, despite the fact it was political desires that decided this should be done.