An insight into the ‘engineering for Age Verification’

Guest contributor: Phil Archer is Data Activity Lead at W3C

As Abraham Lincoln said: “we cannot escape history” and, although it’s 7 years since I was directly involved in online safety, it was interesting to read Rachel’s blog post on age verification.

As I said briefly in my comments, I asked around the virtual W3C office and there are a range of existing technologies that might be suitable, RFC6749 (OAuth), being the obvious one to cite. There are various tools and an active community around that. You can add digital signatures on top of OAuth if needed. It’s notable that the UK Government Digital Service is rolling out a secure ID system based on OAuth too. A previous EU project in which W3C was involved, PRIMELIFE, defined a method for a zero knowledge proof of a given attribute so, in this context, you’d be able to prove that the user was over a certain age without knowling anything else about them.

The area within W3C where this is most relevant is, as noted, Web Payments. There is a lot of work going on to develop standards for a vendor-neutral and, obviously, secure method of passing money across the Web. Participants in the Web Payments Interest Group include many banks as well as the browser manufacturers.

From an engineering point of view, age verification is simply a use case for the wider issue of being able to conduct transactions securely and privately. But who do you trust to store and manage data about you? The best person to manage personal data about you is, surely, you yourself. This is at the heart of the Cross Cloud project that some of my colleagues are working on within Tim Berner-Lee’s research group at MIT. Under Cross Cloud, you manage your own data and share it with applications as you see fit. Think of it as a wallet that you keep securely in your pocket and just take out the relevant info you want to hand over to the person in front of you, keeping the rest to yourself.

A lot of people won’t like that idea: there are very powerful interests, including mega corporations and governments, who very much want to be your ID provider. Personally, I’d rather be able to manage my ID myself.

Phil Archer is Data Activity Lead at W3C, responsible for coordinating standardisation efforts around data on the Web. Between 2000-2008 he was CTO at the Internet Content Rating Association (ICRA), a concerted but failed effort to popularise content labels for child protection. See ICRAfail, A Lesson for the Future (PDF).

This post is part of a series of expert blogs that are being published in the run up to the Online Age Checking: The Time Has Come symposium, which will be held at the British Library on September 22.

Book your place at the upcoming symposium to listen to  a wide range of experts share their views about online age checking and the scope for a data exchange eco-­system  to provide the commercial sector with age attributes (under 18’s)  in a permissioned, privacy enhanced manner, ensuring security of personally identifiable information (PII) at all times.



Leave a Reply

Your email address will not be published. Required fields are marked *