Why the ICO’s Age Appropriate Design Code needs to start at the very beginning

Philipp Pointner, Chief Product Officer at Jumio, considers the issues relating to age appropriate design code

At some point in time, we’ve all probably all opted for the easy gift option of a bottle of wine, or perhaps something a little stronger, for a friend’s birthday. It’s easy to purchase and for the most part, gratefully received. However, assume you’re 17 years old and you want to buy your parents a nice bottle of whisky for their anniversary. You search online for the best bottle and the online merchant asks for you to enter your date of birth to verify your age. Can this really constitute age verification? This method relies solely on trusting the individual not to manipulate their age.

The fact is, the ability to access content, products and services online has, to date, been so easy that organisations have struggled (or simply chosen not to) to accurately prove that a user is of legal age for that product or service. As a result, we’ve seen youngsters access dating sites with horrific consequences, a rise in underage drinking and a sharp rise in underage gambling. Put simply, self-reported online age verification is not cutting it.

However, with the launch of the Age Appropriate Design Code by the Information Commissioner’s Office (ICO), the requirement for organisations to protect minors from accessing such services, products and content has been firmly set.

But while the code is a great steppingstone, access to age-restricted sites is still too easy for minors. Unless they are 100% honest when signing up, anyone could easily manipulate their age by simply changing their year of birth.

Take the analogy of a nightclub, where bar staff are serving drinks to partygoers. If the bouncer doesn’t check each person’s ID to verify their age and that it does belong to the person presenting the ID, the bar staff may be guilty of serving alcohol to underage customers and suffer grave consequences. The onus for age verification falls on the gatekeeper (in this case, the bouncer).

The same applies to the online world. While there are a few different ways to perform age verification, one of the most trusted ways is to have the online user capture a picture of their government-issued ID (e.g., a driver’s license or passport) and take a corroborating selfie. It’s a high bar for minors impersonating a parent or other adult — and a self incriminating one to boot. But, for legitimate users, it’s a relatively painless way to prove one’s age with a high level of assurance.

How to balance age verification and successful account sign-ups

Organisations have utilised all manner of age verification techniques over the years, from requesting a scanned passport image to having prospective customers visit their local high-street bank branches in order to sign up for an account. However, every time an organisation adds a layer of complexity to the initial sign-up process, the abandonment rate increases. Up to 40% of European customers abandon the sign-up process due to clunky and time consuming verification processes. It is expected that this percentage would be significantly higher for customers trying to access an e-commerce site that offered age-restricted products. For instance, if someone was prohibited from buying a bottle of whisky because they needed to provide a scanned image of their passport and send it to the company in the post, it’s likely they would take their business elsewhere.

Thankfully, companies with age-restricted products and services can now balance age verification, ongoing authentication and customer satisfaction thanks to face-based biometric services. With half the world’s population now owning a smartphone, any online organisation with age-restricted products or services can simply request the user takes a picture of their government-issued ID and a corroborating selfie during the initial verification process. Moving forward, to add an additional level of security, the website can authenticate the user through leveraging that 3D face map developed at initial sign up and comparing it to the current user’s face in a new selfie. Not only is this fast, as it only takes a couple of seconds, but it stops children accessing age-restricted products or services.

 Why AI is imperative to a seamless onboarding process

This seamless and easy to use process wouldn’t be possible without incorporating informed AI.

When determining whether a user is eligible to access a site, it is imperative that the software doesn’t offer up “maybes”. Thanks to informed AI, the verification software is able to learn from the thousands of previous verifications and also identify when someone is trying to trick or coerce their way into a website.

As long as the organisation with age-restricted services invests in a verification software provider that has experience in verifying the majority of government-issued IDs in existence around the world, and can leverage an extensive data set built up over time, they can rest assured their valid customers won’t encounter a “maybe” and be rejected from entering into the site. What’s more, the system will also be able to categorically approve or reject those IDs that may have been created illegally or manipulated to raise the age.

Think of the aforementioned nightclub example. The bouncer, who now vigilantly checks that the government-issued ID matches that of the person entering the club, still wouldn’t be able to detect whether the Belgium passport in front of him is legitimate, especially if he is in the UK and has never seen this type of ID before. Whereas, an informed AI system would be able to instantly detect this and prevent the underage reveler from entering the establishment. The same process goes for all age-restricted websites.

This isn’t the first time an industry has tackled the issue of underage access. Back in May 2019, the UK government introduced new age verification rules to curb online gambling growth, imposing a new 72-hour window whereby gambling organisations had to verify the name, address and date of birth prior to access. This naturally had a detrimental effect on those would-be players who saw an opportunity to make a quick pound, but it also stopped minors from gambling.

If we apply this logic and combine biometric face-based verification software with the ICO Age Appropriate Design Code, together we will be able to prevent underage access to age-restricted products and services in many other industries.