Sharing euCONSENT’s capabilities – Interview with Iain Corby, Secretary General of euCONSENT ASBL and former euCONSENT Project Manager

The age verification industry has been discussing ways of making the process more convenient for users since its earliest days, so for almost ten years now.  The European Parliament had the foresight to ask the Commission to fund a project to look at how age checks could be re-used from one site to another, and to make the process of obtaining parental consent when this is required for younger children, easier.   We formed the euCONSENT consortium to bid to deliver this and were successful in securing a 1.4m Euro grant which we used to design a technical solution and run pilots involving some 2,000 adults and children across 5 European countries.

We’ve now had further funding from Safe Online, the only global fund dedicated to protecting children from harms on the Internet.  We are using that to update the approach and then hopefully to use the network we’ve created to access real websites.  We’ve also extended the technology to handle apps on smartphones so that will also be tested in this phase of our work.

The pilot was well received by the users involved.  Some of them found the age assurance process a little complicated – and this was valuable feedback for the providers who operated it – but there were no reported issues with the core technology we had developed to allow a user to access another website without repeating the age checking process.

We have found that many of the most well-known platforms are very interested and supportive of what we are doing. They want their users to have the best experience, particularly when they first open an account, so making age assurance as painless as possible is important to them. They also want a level playing field, with all platforms adopting a similar standard – so they are enthusiastic about the international standards we drafted in Phase 1 being the common basis for all age checks.

While euCONSENT began in Europe, we have been dealing with interest from around the world. 

Australia is planning industry codes which will certainly include a requirement for age verification; their neighbours in New Zealand have also realised their legal system is falling behind other countries when it comes to protecting kids online so there is a lot of interest in adopting best practice there.  And in the USA, with 144 Bills at the state level last year, and a federal appeals court now finding that age verification can be required within the constraints of the constitution, there is very widespread interest.

The biggest issue is that governments and regulators are equivocating on setting a vision for online age assurance so they are sending mixed messages to an industry which wants to be compliant but is struggling to know what that would look like. 

Recently, we have seen some national regulators in Europe inventing novel approaches to age verification, and we welcome their efforts, but this has not been done in partnership with those currently providing age assurance services.  That has led to some uncertainty about the robustness of these new ideas – will they withstand attacks by hackers who want to help children to circumvent them; how will these solutions be funded – they will need a sustainable business model; how will users find them, given there does not appear to have been any largescale user-testing.  We’re certainly not closing our minds to new approaches – but we do have a lot of collective experience and expertise within our consortium and the wider age verification industry that could be very helpful through more proactive engagement by government authorities.

The system is actually pretty simple.  When you do your first age check with a participating age verification provider, they will ask if you want to accept a token on your device that will mean you need not repeat the process for many other sites and apps.

We’ve been speaking at a lot of conferences, and to particular stakeholders such as government regulators or professional advisors and trade associations.

We get very positive feedback on the concept of euCONSENT. Because it is a non-profit organisation, it is easier to gain the trust of those we are meeting because they are not worried there is any ambition to exploit this market for financial gain.

All that an euCONSENT token records is the fact that you did an age check with a particular provider. When you visit a new platform that also requires age assurance, its provider (or its own software if it does its own age checking) can spot that token so instead of demanding you do another check, it just asks the provider which has already checked you, to answer the question “is this user old enough for this new website?”.  

It is important to note that there is no personal information kept in that token – no name, no date of birth, nor even any other unique identifier that can be seen by the other providers in the euCONSENT network.  So, it is impossible to track which sites you are visiting.

Last year was the 100^th anniversary of the first general age verification law – it was passed in the UK and set a minimum age of 18 for drinking alcohol.  All we are doing is applying those same laws from the real world to the online world.  Technology is smart, and if we can put a man on the moon, we can certainly prove your age online without disclosing your identity.  In fact, that’s harder to do in real life, where we often show far more personal details from our passport or driving license than just our age or even just the fact that we are over a certain age.  But online we can do just that, simply sharing a “yes” or a “no” to a question about whether a user is over – or under – a particular age.

We also hear a lot that children will use virtual private networks to pretend they are located somewhere else in the world which does not require age verification – but that’s a dangerous game for the platforms, apps and websites to play because none of the laws we’re helping to implement include a get-out-of-jail free card when a child uses a VPN.  The laws still require the sites to protect tech-savvy kids.  So, they need to be very sure a user is where they claim to be if they are purportedly outside a jurisdiction that requires age assurance.

Safe Online has allowed us to keep the consortium that delivered phase 1 of the project together to prepare for another phase where we move from testing with dummy websites to a live trial with operational platforms.  To date, this has required us to extend the technological concept to include use by apps on devices, as the pilot was restricted to websites.  We have also been building the certification scheme required to qualify age assurance providers before they can participate in a live trial – that is essential to create a “trust framework” where providers rely on checks completed by their competitors when serving their own clients.  We are also now thinking about how liability for errors should be managed between providers in the network.

All the time, we are also keeping pace with developments in the market and new laws and regulations, seeking to influence  them to align with our vision for a standards-based, globally interoperable, open and competitive market in privacy preserving age assurance.  For example, we’ve met with Arcom, CNIL in France and AEPD in Spain, as well as engaging with British and Irish data protection authorities, and stakeholders even further afield, across the US, Canada, Australia and New Zealand.

This preparation will get us into a position to invite platforms and their existing age assurance providers to participate in the trial which we aim to deliver in Q4 of this year. At the Global Age Assurance Standards Summit in April, we will be providing an update on our approach the underlying technology, which seeks to incorporate concepts from innovative ideas that have emerged since our original pilot.

So watch this space to hear more about the AgeAware App…