Disruptive Proactivity

Age Verification is just months away from becoming the law and, for all the criticisms to date, opposition to it has been ineffective. When the ‘cookie law’ was introduced in 2011, it was expected by regulators and others that a good design would supplant the initial one, which is merely compliant. That did not happen. To avoid Age Verification becoming the new cookie law, there needs to be a design pattern that offers privacy as a benefit, not as a burden.

Age Verification is a narrow form of ‘identity assurance’ – where only one attribute (age) need be defined. The method by which this is done is not prescribed, but it would be perverse were the desire for privacy and protection to create more new databases and even more risk. And these issues have been solved before, replacing the ID card and scheme with Verify; that infrastructure is rolling out EU-wide, and can be reused.

Given GDPR, the patterns should be as shown to the right:

Users get a choice of skipping verification this time – and being asked against next time – or the ability to verify their age with a separate service which will provide the website with a single attribute of confirmation:

“The user is over the age you need them to be” (i.e. 13 / 16 / 18 / 21 / 65).

There is nothing else a site needs to store in order to be completely compliant with this requirement of the GDPR: when a site sends a user to a verification service, the user only comes back with a token signed by the service if they are of the required age. Simple!

Such services should follow the EU’s eIDAS Regulation and the UK’s GOV.UK Identity Assurance standards, i.e. reusing credentials that already exist (also providing an incentive for countries to finish deployment). Whether an adult is approving a site for themselves, or for a child for whom they are responsible, would be a record held by the verification service.

If facebook and Google want to get into the ID assurance game, then that’s OK too; but they must also only provide the same answer, and no provider can be preferred over any other. Each assurer must, of course, be insured.

While we suggest the “GDPR_Age_Verification” as an HTML button ID, we suggest W3C and browser vendors agree a standard name.

If you provide a service that can validate age or parental responsibility internally, where you simply need to know that parental permission has been asserted for the child, the second button can link to a page with a unique reference code – so the URL for that page can be sent to the parent or carer, who can log in on a different device. When the parent then logs in using their credentials, they are asked to confirm responsibility, approval, and (optionally) any other parental-control settings you wish to offer. The child should not be expected to know their parent’s username.

As better prototypes emerge, we’ll link to them from here. (If you are a company looking for changes in order to implement this, our friends at Projects By IF are the design house to talk to.)

In the UK, we also have PornID

While GDPR is EU-wide, the UK is also requiring Age Verification for adult sites from 2018. The same privacy-preserving design above also applies here.

The Verify programme has had no permanent lead for over a year – it is managed only “temporarily” – which means GDS has no coherent view on a critical technology policy inside Government; this is a failing that can be laid solely at the feet of the current GDS leadership.

The Manifesto on which the UK Government was elected in 2017 is clear. Multiple political policies are now interacting with clear political will – ‘PornID’, GDPR, Verify – yet there is no leadership to deliver services that meet the stated and legally-mandated need.

There is rightly concern at the creation of a vast database of porn habits; yet the Verify model protects privacy throughout, such that no party knows too much about any other party. The service need know only one thing: if it sends a browser session to a Verify service, it will only come back verified if the user is of the required age.

Given the punitive fines for failures, any such infrastructure and all assertions should be insured, and re-insurable. Verify was designed to meet such standards; anything else providing such a service must also do so.

Verify was also designed for commercial reuse, so why not re-use it? (And thereby meet the usage targets that GDS has set itself.) The only reason appears to be lack of political desire, despite the fact it was political desires that decided this should be done.

• This post also appears on Phil Booth’s blog.

The pharmaceutical supply chain has developed a set of integrity protections against fraud, using transparency and accountability in aid of human health. The same can apply to food, if a choice is made to do so.

DEFRA collects large amounts of data on the food chain, especially around meat products, and the Government has now announced mandatory CCTV in abattoirs. While it collects a great deal of data, it still publishes very little of it in a form that is accessible and usable to the citizen in the supermarket.

From data that is already mandatory and collected, but not available, it is possible to see every regulated step of the batch of meat as it turns into the packet of mince in your hand.

We saw a failure a few weeks ago with eggs – how does a citizen know whether the eggs in their fridge may have been affected? Without factual information, they are reliant on trusting that the system really worked during a recall, when the recall is solely because the system already failed. It is not a trust generating scenario.

People may believe that British products may be more inspected and trustworthy than others elsewhere, but there is currently no competitive advantage to that. Only with Government showing what standards are met can the public see that they have been met. What does the British flag on food actually mean?

Where there are false assertions made, and proven, then other products of the perpetrators can be clearly shown as affected, and those unaffected have peace of mind based on knowledge and fact. It is insufficient to know that it shouldn’t be a problem – it is necessary to know that it wasn’t.

As Avaaz push a petition against the farmer whose neglect caused the death of 20,000 pigs burnt alive in a fire, the farmer who treats their animals well get the benefits of being seen to do the right thing. Those who choose otherwise are also seen to do so.

DEFRA’s data transformation project has done great work to make this possible – the next step is easier than the previous ones.

As the UK considers the basis for future trade arrangements, it would be a step forward for them to be based on evidence and knowledge, not merely political hope.