Age-Checking Proof of Concepts

agecheck_NEW-01

infographic (1)

Download Infographic

The Digital Policy Alliance’s Age Verification Group commissioned the development by the British Standards Institution of a Publicly Accessible Specification: 1296 Online Age Checking Code of Practice.

The key aim of the PAS is to protect online merchants (online merchants may be vendors, sellers, importers or distributors) by preventing ineligible customers from buying age-restricted merchandise online, from accessing age-restricted online content (e.g. streaming age-restricted media, adult content, specific categories of advertising) or using age-restricted online services (e.g. dating agencies).

The PAS aims to protect the online merchant’s reputation, providing a benchmark for good practice within the industry and enabling groups within society to have more control over restricting content. As with all standards, however, it cannot provide immunity from prosecution if items are sold to minors.

The audience for the PAS is any organisation that wishes to check an age grouping, including online merchants and service providers who deal with age-sensitive products. The PAS will take the approach of decoupling identity verification and age-related attribute checking, and describe an attribute-based ‘confidence scale’ for age assurance purposes.

Screen Shot 2016-01-05 at 10.51.39Next Steps:

Trust Elevate, funded in part, by the Knowledge Transfer Network will host a series of multi-stakeholder meetings over six months (between February – July 2016). The purpose of these stakeholder meetings is to plan for a Proof of Concept testing exercise. The business requirements of the Retail Sector are for a frictionless, user-centric, commercially viable and scalable way to check the age-related eligibility of customers at the point of transaction. Retailers would like a system that complies with both existing and anticipated regulation and is underpinned by a liability model. Other stakeholders who will be involved in the discussions include representatives from the retail, banking and payments sectors, Government, large corporates, SMEs, regulators, privacy, legal, identity and child protection experts.

What Problems Are We Seeking to Address?            

Identity is made up of attributes and in specific online transactions, only particular attributes are relevant, like age or geo-location.  However, existing models of online identity verification operate on the principle of verifying a full identity, which is expensive and only serves the compliance requirements of a limited number of sectors. This bias has not only distorted the marketplace but has also led to a range of unintended consequences including:

  • Substantial financial and reputational damages incurred by companies when data breaches occur and large quantities of often verified personal data stolen.
  • Data breaches result in a detrimental erosion of Internet users privacy and security who are exposed to the related risks of identity theft and fraud as illustrated by the recent spate of data breaches, most notably Vtech that involved the theft of the personal data of 6.7 million children and 4.9 million adults.
  • A negative impact on the rights of children and young people, when online businesses do not enable the same protections online as offline, for example, limiting access to age-restricted online content.

The inability to remotely check specific attributes, including age, is having a negative effect on business development opportunities for the retail sector that want to enable consumers to, for example, pick-up goods purchased online at unmanned lockers at train stations.

What are the Solutions?

Data Minimisation, a Fairer Social Contract and a Functional Marketplace      

A growing number technical architectures and standards are emerging that operate on the principle of data minimization, which means that rather than verifying an internet user’s full identity, only a particular attribute is cross-checked to establish an internet user’s eligibility to transact with an online service. Attribute-related eligibility checks allow the following:

  • Enable the online delivery of eligibility-based services.
  • Enhanced privacy as a result of tighter disclosure only of personal information relevant to the context.
  • Simpler liability arrangements and lower legal costs, because it is easier to vouch for specific attributes rather than abstract identity.

Disruption and differentiation

Attribute Based Eligibility Checks will disrupt the existing models of online identity verification and will lead to the emergence of a more functional marketplace served by both Attribute Providers and those Identity Providers and Data Brokers that can adapt their current offerings. Adaptation is necessary to both remain competitive in this emerging marketplace and to be compliant with the provisions of the new EU General Data Protection Regulation. Payment Service Providers and mobile operators will play a critical role in this new marketplace.

Differentiation and disruption are shaping this emerging marketplace, and this is set to accelerate in 2016, driven in part by the associated significant reduction in costs to businesses associated with compliance with legal requirements, including those defined in the new General Data Protection Regulation, which apply globally to European citizens’ data.

Fairer social contract

For Internet users, these developments will equate with greater control over their personal data, better protection of their privacy, and enhanced online safety. This emerging model of Attribute Based Eligibility Checks is governed by the of principles Privacy by Design that will help to re-calibrate many of the current discussions about privacy and consent and online safety.

Perhaps most noteworthy of all is that user-centric attribute based-eligibility checks will signal a significant move toward a fairer social contract concerning personal data, whereby both the requirements of businesses can be met and the rights of end-users to privacy and security respected.

Benefits to businesses: Return on investment

  • Significant reduction in costs associated with meeting legal requirements to conduct age-related eligibility checks
  • Faster and more efficient customer registration and login processes – enhanced customer experience
  • Reduction in risks to customers’ personal data – positive impact on costs of business insurance
  • Greater scope to innovate and explore a range of business development opportunities
  • Improved reputation and trustworthiness
  • Compliance with the provisions defined in the new General Data Protection Regulation

Outputs

The outputs of the programme of stakeholder meetings will be a coherent strategy and viable commercial and liability models that will underpin an attribute exchange ecosystem. This will enable Identity Providers and Attribute Providers to expedite the process of commercialising their products while also ensuring that businesses (Relying Parties) will be in a position to meet their legal and business requirements concerning age-related eligibility checks.

The stakeholder meetings will utilise and adapt existing Trust Frameworks, and leverage the expertise amassed in similar work streams – Cabinet Office, Identity Assurance Programme and GSMA’s Mobile Connect Programme to expedite the process. The focus of the stakeholder meetings will be on the planning around the beta testing of an age attribute exchange ecosystem from July onwards. The Proof of Concept testing phase of an attribute exchange ecosystem will use a version of the Trust Platform that underpins GOV.UK Verify.