Dr. Rachel O’Connell
GOV.UK Verify, the central government platform for online identity assurance, is due to go live today following the completion of its service assessment.
Minister Matt Hancock is reported as saying that it will make a significant contribution to privacy and cyber security in the use of online services.
“Verify allows secure and straightforward identity checking without the need for an identity database – and underpins the digital transformation of government,” Hancock said.
The internationally recognised identity proofing standards, technical architecture, legal trust framework, and privacy and consumer protection principles that underpin Gov.UK Verify enable citizens to prove online that they are who they say they are in a manner that Government departments can trust. Gov.UK Verify is an example of an identity ecosystem that enables electronic identity verification in compliance with the new General Data Protection Regulation.
Gov.UK Verify is currently restricted to enabling citizens to access eGovernment services, but there are plans to look at extending it to the commercial sectors. There are a number of business sectors, including banking, fintech, insurance, and wealth management, that would benefit hugely from being able to avail of robust identity assurance schemes.
Age is simply one attribute of your identity and it is not always a requirement for an online business to know the full details of a customer’s identity for a transaction to occur. Despite the importance of age-checks in routine business transactions, involving age-restricted goods and services online, until recently there was no agreed way to conduct age-related eligibility checks online in a privacy-preserving, affordable and convenient manner. However, tech companies, mobile operators and payment providers are now using similar technical architecture, open standards and privacy and consumer protection principles to those used by Gov.UK Verify, in order to develop age-related eligibility checking solutions.
This blog post will explore how Gov.UK Verify operates and, separately, how age-related eligibility checking services are undertaken.
How does GOV.UK Verify operate in practice?
- The relevant Government department requires certainty that a claim to a particular identity made by a citizen, or on behalf of a citizen, can be trusted to be the claimant’s “true” identity.
- A citizen chooses from a list of companies, known as Identity Providers. These companies have been through rigorous security assessments to test the efficacy of their data handling and security processes as well as the quality of the data they provide before being certified. Certified companies, which include banks, credit reference agencies, postal services and a range of new technology companies that provide innovative methods of identity verification, are also required to comply with data protection laws and contractual obligations put in place to respect user rights and needs.
- Each certified company has different ways of verifying a citizen’s identity. For example, a citizen who has a bank account with Barclays will go through a particular process that enables the bank to vouch for their identity. Other companies allow a citizen to scan a passport and run a facial recognition comparison between the photo in the document and a live selfie. Innovation in the identity sector means the options for electronic identity verification are growing all the time.
- The technical platform that underpins Gov.UK Verify is an online gateway that operates according to specific sets of rules on transferring information about the user between Identity Providers and a Government department. Crucially, it does not centrally store citizens’ data, and the rule set hides the details of the Identity Provider a citizen chose from the Government department and vice versa.
Age-related eligibility checking services
Age-checks can be used to establish a customer’s eligibility to access and purchase goods and services. Crucially, conducting a single attribute check costs far less than a full identity verification process. Moreover, recent technology and policy innovations enable businesses in one or more sectors to collaborate, as per the terms of a legal agreement known as a Trust Framework, to conduct age checks using a federated ‘verify once, use many times’ model. This approach not only significantly reduces the costs associated with doing age-related eligibility checks, but also provides clarity regarding the underpinning liability model, which makes age-checking a viable proposition for a range of business sectors.
How will age-checking services operate?
- In practice, a consumer will choose from a list of Age-Check Service Providers unless age-checking is integrated into the payment process.
- The selected age-checking service will respond to a query raised by a merchant when, for example, a customer is purchasing or accessing age-restricted goods and services.
- The query may be, for example, ‘is this person over 18?’ or ‘is this person aged between 12 and 16 years?’, to which a Yes/No response will be supplied.
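The Yes/No exchange in the list above can be sketched as follows. This is an added example, not code from Gov.UK Verify, PAS 1296 or any age-check provider; the names `AgeQuery`, `PERMITTED_QUERIES`, `age_on` and `answer`, and the idea of an allowlist of permitted questions, are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class AgeQuery:
    """Merchant's question: is the age within [min_age, max_age] (inclusive)?"""
    min_age: Optional[int] = None
    max_age: Optional[int] = None

# Assumption: the trust framework fixes which questions may be asked. Answering
# arbitrary thresholds would let repeated queries narrow down the exact age.
PERMITTED_QUERIES = {AgeQuery(min_age=18), AgeQuery(min_age=12, max_age=16)}

def age_on(dob: date, today: date) -> int:
    """Completed years of age on `today`."""
    years = today.year - dob.year
    # Birthday not yet reached this year: one year fewer. With this comparison
    # a 29 February birthday counts as reached on 1 March in non-leap years.
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years

def answer(query: AgeQuery, dob: date, today: date) -> dict:
    """Provider-side check. The reply carries only Yes/No, never the date of
    birth or the computed age."""
    if query not in PERMITTED_QUERIES:
        raise PermissionError("query not permitted by the trust framework")
    if dob > today:
        raise ValueError("date of birth is in the future")
    age = age_on(dob, today)
    ok = ((query.min_age is None or age >= query.min_age) and
          (query.max_age is None or age <= query.max_age))
    return {"result": "Yes" if ok else "No"}

if __name__ == "__main__":
    dob = date(2000, 6, 15)  # constructed sample record held by the provider
    print(answer(AgeQuery(min_age=18), dob, date(2018, 6, 14)))  # day before 18th birthday
    print(answer(AgeQuery(min_age=18), dob, date(2018, 6, 15)))  # on the 18th birthday
```

The date of birth stays with the provider; the merchant sees a single field.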
The code of practice that will underpin how age-related eligibility checking services will operate is being outlined in a Publicly Available Specification (PAS), 1296 Age Checking code of practice,* which comprises a set of recommendations, for example:
- Levels of certification that age-checking service providers can attain: In the UK, tScheme is the independent, industry-led, self-regulatory scheme set up to create strict assessment criteria, against which it will approve Trust Services. The identity providers certified by tScheme to be part of Gov.UK Verify may decide to provide age-checking services.
- A trust framework is a document that articulates the tools and rules that underpin an age-checking service together with an assessment and enforcement infrastructure that makes them operational. Age-checking service providers will be certified to the level prescribed in a trust framework document by, for example, one or more business sectors wishing to conduct age checks.
- Essential privacy and consumer protection principles that underpin Gov.UK Verify are included in the PAS 1296 Age Checking code of practice
- The degree of confidence or trust that can be placed on the processes that underpin the Yes/No response to an age-check
Business sectors required to conduct age checks
Trust Elevate is facilitating a series of multi-stakeholder work streams with various business sectors required to perform age-checks.
Adult Content Providers
The forthcoming Digital Economy Bill will stipulate that adult content providers will be required to conduct age checks to ensure that people accessing content are over 18 years of age. The Digital Policy Alliance’s Age Verification Group is facilitating multi-stakeholder dialogue, which involves representatives not only of UK adult content providers but also of global companies such as MindGeek and ICM Registry, the top-level domain registry for the adult sector. The Digital Policy Alliance commissioned the PAS 1296 Age Checking code of practice.
Trust Elevate convened the first Adult Age-Check Summit at the Department for Culture Media and Sport in January and continues to facilitate an ongoing dialogue between major stakeholders.
In an e-commerce setting, age checks are not only important from a compliance perspective but are also critical to enabling retailers to meet customers’ expectations for seamless omnichannel shopping experiences. Age-checks will also enable retailers to both expand their online offerings and to continue to design innovative collection and delivery mechanisms.
Under 18’s online platforms
A separate blog post on the proposed changes to the Audio Visual Media Services Directive, the implications of Article 8 of the new General Data Protection Regulation and the upcoming Under 18’s Age Check Summit will be posted shortly.
Article 8 requires that where the personal data of a child under 16 is being processed to provide ‘information society services’ (for example, online businesses, social networking sites and so on) consent must be obtained from the holder of parental responsibility for the child. Member states are allowed to lower this threshold where appropriate but not below the age of 13.
*A Publicly Available Specification (PAS), 1296 Age Checking code of practice is currently being written by the founder of Trust Elevate, Dr. Rachel O’Connell