title for Age Verification note
home | about | site use | resources | publications | timeline |::|   Ketupa

overview

issues

mechanisms

industry























related pages icon
related
Guides:

Censorship

Identity
& Identity
Crime

Privacy





related pages icon
related
Profiles:

Social
Network
Services

Forgery
& Fraud

Australia
Card

Biometrics

Australian
Official
Registers











section heading icon     mechanisms

This page considers age verification mechanisms, ie tools used by individuals to substantiate claims that they are of a particular age (eg to access an age-restricted venue or service) or used by an entry to deny access by the individual to that venue or service.

It covers -

     introduction

The preceding page highlighted questions about the use of age verification mechanisms (in particular for online versus physical access to venues and services) and inappropriate expectations about the effectiveness of specific mechanisms.

In essence, there is no mechanism that is faultless or that will work effectively in all environments. All mechanisms have costs, whether to the person whose age is in question, the entity concerned with verification or a third part. Those costs may involve enrolment charges and administration expenses. They may also involve erosion of privacy and exposure to identity theft or receipt of unwanted marketing. All mechanisms are susceptible to subversion.

There is little agreement within Australia regarding a coherent approach to age verification per se. There is no international agreement about online age verification principles and mechanisms; it is unlikely that detailed agreement will emerge in the near future, contrary to fervent media releases from some solution vendors.

That poses challenges for social network services (SNS), retailers and other providers of content or goods that operate across jurisdictions where there are disparate requirements regarding corporate, institutional, parental and individual responsibility.

As the past we can accordingly expect to see use of baskets of age verification mechanisms, with the contents of each basket reflecting cultural expectations, political imperatives and functional needs.

In practice much age verification online remains of the 'personal warranty' variety, ie the consumer ticks a box or otherwise indicates that he or she is of the requisite age and in the requisite jurisdiction and is telling the truth. There is no external validation. Much verification offline similarly relies on assertion by the individual and whether that individual looks old enough to get in the door (or too old to get an age-based concession).

     national identity cards and passports

How can you authoritatively prove how old you are? Some proponents of national identity card schemes, such as enthusiasts for the Australia Card, have argued for regimes in which all adults bear cards that include a birth date, name and photograph. Some envisage that minors over the age of 12, 14 or 16 would have individual cards rather than having to rely on a parent's or guardian's card as a proxy identifier.

Entry to some entertainment venues and purchase of particular goods/services would be dependent on the vendor sighting the consumer's photo ID, which would substantiate the bearer's claim to be of the requisite age and additionally provide the vendor with other information of value for customer profiling (eg as the basis of a blacklist of people to be excluded from the specific venue or from independent venues that use a networked identity service).

Such proposals have been criticised on several grounds. The first, and most obvious, is that a photo identity can be readily subverted, with an under-age consumer using Photoshop to add a few years to his/her age. Few people have detailed forensic skills and the situations in which a photo ID is provided as proof of age (for example among the hubbub of a queue jostling to get into a nightclub at 11pm) are often not conducive to meaningful scrutiny of what appears to be a legitimate identity card.

Critics, including the author of this page, have also criticised capture of data from identity cards by the operators of entertainment venues, with questions about potential misuse (including unauthorised provision to third parties) and unauthorised access.

Others have noted that some people rely on passports as the definitive proof of age or identity, claiming that a passport is harder to forge or is simply so unusual that most people will not bother attempting a forgery where only a proof of age is required.

Both passports and national identity cards are useful for physical verification but cannot be readily used online, although the author is aware of one geek who persuaded a network gatekeeper to provide access after he waved his passport in front of his webcam and then offered to email a scan of the relevant pages.

     birth certificates

Birth certificates have been hailed as definitive signifiers of age, given that they are official documents and provide a specific date of birth (usually with a specific place).

In practice they do not provide a viable mechanism for online age verification. Formats are often inconsistent - a particular issue where verification is meant to take place across jurisdictions and cultures - and subject to forgery. They are paper documents that supply a name and date of birth but do not provide a photograph or sophisticated biometric information that ties the bearer to that document. That is an issue because, as noted elsewhere on this site, there have been numerous incidents where an identity thief has readily obtained and then misused some else's birth certificate.

There have been proposals that parents would provide social network service operators and other entities with hardcopy (certified or otherwise) of birth certificates or email scanned versions of the certificate to the service operator or to an associated register.

Those proposals have been criticised as assuming that parents will make the effort, operators will differentiate between fake and genuine birth certificates, and minors will not undermine the regime by providing photoshopped documents in the guise of their parents/guardians.

One of the more meaningful criticisms of use of hardcopy birth certificates as an online age verification mechanism is simply the cumbersomeness of the mechanism, with suggestions that there would be delays of weeks from when a minor wanted to join a service such as MySpace to the time when the service operator had received the hardcopy and accepted the application. Given that the business model of most SNS is predicated on large populations it is extremely unlikely that operators will embrace any mechanism that deters population growth.

     driver's licenses

For most young Australians the driver's license - in the absence of an education department identity card or broader proof of age card - is the mechanism for verifying that the bearer is of age.

That reliance reflects the format of the driver's licence (ie an officially-issued photo ID card that includes the person's date of birth and an address, current or otherwise) and wide acceptance within the community as being the defacto national identity document, one that is recognised in 100 Point Schemes by banks and other institutions.

Most entertainment venues will thus be satisfied with provision of a licence (increasingly through scanning of the card at the door). Proving age online is more challenging, given that the retailer, service operator or other entity typically does not sight the licence, particularly does not sight the licence in a way that ties the bearer to the image on that card.

Critics have noted that not all people have driver's licenses or indeed a proof of age card. A fundamental criticism for online sorting of minors, where parents and services may wish to restrict access by people who are over 12, is that driver's licenses are typically not granted to minors under 16.

     proof of age cards

Governments and even some commercial entities have sought to sidestep some of the above problems by providing minors and adults with what are variously described as 'proof of age' or 'proof of identity' cards. Those cards are typically in the same format as a driver's license, featuring a photograph, the bearer's name and date of birth, and sometimes address or other details (such as a tage for welfare entitlements).

In Australia the cards have served as surrogates for driver's licenses in many environments, for example gaining concessional fares in public/private transport and access to age-restricted venues. Their utility is restricted by familiarity, particularly where the card was issued by another jurisdiction or a commercial body whose authority/format is not recognised.

As with driver's licenses it is difficult to conceptualise a proof of age card as a useful mechanism for identifying people online, particularly young minors who simply lack a card and will not gain one until they reach 16 or thereabouts.

     credit cards

In practice credit cards (or surrogates such as adult content 'payment cards') are one of the two dominant mechanisms for age verification online. The expectation is that the card will only be used by the person to whom the card has been issued, with that person of course being an adult. An online retailer or service provider will be able to interact with the issuer of the card, seamlessly and instantly validating the cardholder's identity.

Reality is of course more complicated and credit cards provide a weak proxy for effective age identification. That is because mere possession of a credit card - or of the information on the card - is not a reliable assertion of identity or age. Some minors are given or lent credit cards by their parents, siblings or older peers. Some borrow use of or steal credit cards from people around them, consistent with comments elsewhere on this site that much credit card fraud involves your nearest & dearest rather than the Vladivostok mafiya.

Other critics have noted more subtle concerns. One is that many financial institutions and service providers levy a nominal charge for electronic verification, with checking simply involving a match with the relevant location and to verify that the card account is still active (ie has not been closed or is flagged for suspected idetity fraud). There is no meangful check of name, age or signature and little checking of consumption pattern.

Given anxieties about phishing some parents are reluctant to provide credit card details simply for the purposes of identity verification (ie where there is no purchase or subscription fee) and are even more hesitant about letting the kids have the details for provision whenever requested by a SNS operator ... or by a scammer.

In the US the federal Child Online Protection Act (COPA) of
1998 sought to restrict access by minors to online adult content, with site operators being able to use the defence that they had made a good faith effort by requiring a credit card, adult personal identification number or similar age-verification. That legislation, as noted in the discussion of censorship elsewhere on this site, quickly became embroiled in legal challenges and has not proved effective in restricting access to instant messaging, chat or newsgroups.

     biometrics

Developers of biometric solutions have inevitably turned to questions of age verification, with critics commenting that vendors are simply asking the wrong questions and providing the wrong answers in dealing with challenges about restricting access by minors to adult sites.

One approach has been the notion of thumb or even retina scanning, with the captured data being matched with a register on the specific device, held by the operator of an adult site or by a third party gateway service specialising in verification.

The approach, unsurprisingly, has not found favour. That is because some consumers are anxious about "gifting" their biodata to an organisation, particularly one that is online and that may be susceptible to the large-scale data loss recurrently highlighted in the mass or specialist media. It is also because there is insufficient infrastructure at the end-user or network operator/service provider ends. Finally, it is because many parents recognise that the technology can be outwitted, eg if mum or dad forgets to go offline and a minor can thereby piggyback on that parent's verified identity. If it is to be an effective tool for excluding minors the biodata must be either tied to 'permissions' on a specific device or to an external register than features validated age information.

A handful of vendors have adopted a different approach, promoting biometric tools that use physiology to directly identify that someone using a machine is a minor rather than to identify a specific individual. One proposed solution involves electronic measurement of the the size and structure of the bones in a hand or individual fingers, on the basis that young children have more cartilage than teens and that adults are determinable by bone density - the same measures used in some forensic post mortem examinations.

i-Mature (now Verificage) claimed in 2005 to have

developed an innovative technology that can determine, through a simple biometric bone-scanning test, whether a user is a child or an adult - and thereby control access to Internet sites and content. AGR technology could help prevent children from accessing adult Internet sites and prevents adults from accessing children's sites and chat rooms.

"i-Mature's solution provides a means of guaranteeing the identity and age of young Internet users today, in contrast to other solutions available which can exacerbate the problem," comments Burt Kaliski, vice president of research and chief scientist at RSA Laboratories. "With AGR, the burden of administration would be removed altogether, and the credential could not be abused if lost, borrowed or stolen.

Regrettably Verificage was busy promoting its "mouse-like PC peripheral" in 2008 as providing a "predator free internet experience", one that

provides children with a safe internet experience by blocking contact with online predators and filtering out inappropriate content without hindering your child's learning, social networking and exploring opportunities.

Critics have noted that expectations about safety may be unrealistic, because a predator may go online using a valid identifier. One comment was that

we must not be forget that some child predators have children of their own and could defeat the device by forcing their children to use it so they could go online as an "age-verified" child. Again, this would give rise to a false sense of security online.




icon for link to next page   next page  (industry)







this site
the web

Google

 

 

version of November 2007
© Bruce Arnold
caslon.com.au | caslon analytics