Taking age verification seriously – not


Outside of the family, with few exceptions, children tend to mix with other children of roughly the same age. They do so within environments which, similarly, are likely to consist principally of their peers.  The adult world is not so very different although, obviously, there is more scope for mixing. Where we find adults drawn to children’s spaces, or children gravitating towards adult ones, we rightly see this as a potential marker for problematic behaviour and risk.

In the real world societies across the globe have constructed well defined lines of demarcation between adults’ and children’s places. Certain types of retail establishments will not allow under 18s on the premises. Many pubs and clubs are the same. Where children gather, for example for sports activities, unaccompanied grown ups are often barred. Then there is a whole raft of items which sub-18s may not buy. Alcohol, tobacco, pornographic movies and violent video games are perhaps the most salient in this context.

Age related rules are meant to be taken seriously

We have attached legal sanctions to many of these age-related rules. A breach can land the offender in prison.  These regulations were relatively easy to enforce when the item or service was secured by walking up to a counter and asking for it. Proprietors had a legal obligation to satisfy themselves as to the person’s age. If there was any doubt and proof could not be provided there and then they had to halt the transaction.

But not on the internet

By contrast the internet has created spaces which are open to everyone with equal facility. With a single, important exception in the UK (online gambling), content and services which are very obviously intended for adults in practice are just as easily available to kids. Few people try to justify or celebrate such a state of affairs by referencing a mission to improve inter-generational understanding. Instead the message sent out to some is that the real world rules are not meant to be taken that seriously after all.

Why is age verification only working with gambling?

The answer to that question I’m afraid is very simple. Despite many of the online gambling companies repeatedly saying they took the issue very seriously the fact is the problem of under age betting online wasn’t solved until the law changed and everyone was compelled to introduce age verification as a condition of getting a licence to run a site. Up until that moment, with a small number of honourable exceptions, none of the major companies had wanted to make a move because they were worried they would lose business to less fastidious rivals. They changed when everyone else did, and everyone else did because they had no choice.

If 18 is the benchmark 

Thus, as with gambling, where the sale or provision of any product or service is legally limited to persons aged 18 or above there is simply no excuse for companies getting it wrong. However, because they do not need to obtain a licence far too many companies knowingly continue to break the law every day in the belief that the possibility of being prosecuted is small and, if found guilty, the consequences are negligible.

But what about other online spaces, where the law is silent but companies themselves designate their services for persons aged 18 or more? Recommendation 5 of the Bailey Review reads as follows

…..those providing content which is age-restricted, whether by law or company policy, should seek robust means of age verification…..

I do not know of a single online business that has followed Bailey’s recommendation.

So why isn’t it happening?

I have already given one reason: no one feels under any pressure. Other or additional explanations are also occasionally aired by various voices e.g. the enforcement of age related rules on the internet would require online businesses to be even more intrusive, to collect even more information about us than they already do.

The idea that the key online businesses would, as a matter of principle, be against collecting more information about their customers is implausible in the extreme. They know practically everything else about us as it is. Their businesses depend upon it.

It’s all about the ads

At one level, of course, companies have no interest in knowing who you actually are, much less your real age. You are a data point. You generate behavioural information that is utilised to present you with targeted advertising.  Everything else is superfluous or a cost which also adds to the complexity of the operation.

Security concerns

It has been suggested that collecting information about children would necessitate building large databases which could become magnets for paedophile hack attacks or create similar security threats. Hmmm. That too stretches one’s credulity. Either companies are confident they can keep their data secure or they aren’t, and if they aren’t they shouldn’t be in business anyway. I’m sure such concerns are genuine but if I was a customer of a company that said something like that I’m sure I’d want to know they were taking just as much care of my data as they were any child’s or group of children.


Not every country has the available online databases which would allow the policy to work as smoothly as it does in the UK with online gambling.  Or so I’m told. Maybe there are even legal obstacles in some jurisdictions. But even if either or both these things are true, and they could be, that’s no reason to refuse to do it where it could work.

For sub-18 groups it’s different 

18 is an important cut off point in every country. It generally marks the arrival of adulthood and with it full legal competence. But in many countries, including the UK, there can be other age levels below 18 which also have legal significance. The problem here is the online databases to allow these to be verified just aren’t there. So that does present a challenge but it is one which is well within the collective and probably also the individual reach of a number of large internet companies. And once more the fact that you cannot do it for everyone right now is not a reason to refuse to act where it could be done.

Other alibis for inaction

Companies might be concerned that if proof of age is required people will be afraid this means they may also have to offer up other details of their true identity. They might be too embarrassed to do that for certain types of goods or service or on certain types of site. It could cost the business some customers. 

Alternatively,  businesses might think age verification systems are expensive, clunky and time consuming. They would put people off and again cause them to lose customers.

Wrong on all counts: at scale age verification for persons aged 18 or above can be very inexpensive, the processes can be completed in sub-two seconds without the client ever leaving the web site. Systems are also available which allow accredited third parties to vouch for a person’s status as an over 18 without them having to surrender any other personally identifiable information. A digital token or something similar  could be attached to a log in to flag that this person has been confirmed to be over 18. In fact you could view a policy of this kind as being consistent with broader principles of data minimization.

However, if big internet players don’t like the available methods of age verification they have it within their means and power to develop their own. 

Current framework of engineered uncertainty cannot last

Unless and until the dust has settled over the Edward Snowden revelations I doubt this question will get much of an airing in public policy circles but it is only a question of time and timing. Everybody in the business privately acknowledges the current arrangements are unsatisfactory and are not sustainable in the long run.

All we are waiting for is the spark which will bring about the necessary and inevitable change. In the meantime a disproportionate burden is placed on the shoulders of parents. Keeping kids safe on the internet is a shared responsibility but that implies all the partners in the joint venture pull their full weight. At the moment they do not.

This blog is based on one that appeared in the Winter 14 edition of Outlook magazine

About John Carr

John Carr is one of the world's leading authorities on children's and young people's use of digital technologies. He is Senior Technical Adviser to Bangkok-based global NGO ECPAT International and is Secretary of the UK's Children's Charities' Coalition on Internet Safety. John is now or has formerly been an Adviser to the Council of Europe, the UN (ITU), the EU and UNICEF. John has advised many of the world's largest technology companies on online child safety. John's skill as a writer has also been widely recognised. http://johncarrcv.blogspot.com
This entry was posted in Age verification, Consent, Default settings, E-commerce, Internet governance, Privacy, Regulation, Self-regulation. Bookmark the permalink.