This page considers age verification mechanisms, ie tools
used by individuals to substantiate claims that they are
of a particular age (eg to access an age-restricted venue
or service) or used by an entry to deny access by the
individual to that venue or service.
It covers -
The preceding page highlighted questions about the use
of age verification mechanisms (in particular for online
versus physical access to venues and services) and inappropriate
expectations about the effectiveness of specific mechanisms.
In essence, there is no mechanism that is faultless or
that will work effectively in all environments. All mechanisms
have costs, whether to the person whose age is in question,
the entity concerned with verification or a third part.
Those costs may involve enrolment charges and administration
expenses. They may also involve erosion of privacy and
exposure to identity theft or receipt of unwanted marketing.
All mechanisms are susceptible to subversion.
There is little agreement within Australia regarding a
coherent approach to age verification per se. There is
no international agreement about online age verification
principles and mechanisms; it is unlikely that detailed
agreement will emerge in the near future, contrary to
fervent media releases from some solution vendors.
That poses challenges for social network services (SNS),
retailers and other providers of content or goods that
operate across jurisdictions where there are disparate
requirements regarding corporate, institutional, parental
and individual responsibility.
As the past we can accordingly expect to see use of baskets
of age verification mechanisms, with the contents of each
basket reflecting cultural expectations, political imperatives
and functional needs.
In practice much age verification online remains of the
'personal warranty' variety, ie the consumer ticks a box
or otherwise indicates that he or she is of the requisite
age and in the requisite jurisdiction and is telling the
truth. There is no external validation. Much verification
offline similarly relies on assertion by the individual
and whether that individual looks old enough to get in
the door (or too old to get an age-based concession).
national identity cards and passports
How can you authoritatively prove how old you are? Some
proponents of national identity card schemes, such as
enthusiasts for the Australia
Card, have argued for regimes in which all adults
bear cards that include a birth date, name and photograph.
Some envisage that minors over the age of 12, 14 or 16
would have individual cards rather than having to rely
on a parent's or guardian's card as a proxy identifier.
Entry to some entertainment venues and purchase of particular
goods/services would be dependent on the vendor sighting
the consumer's photo ID, which would substantiate the
bearer's claim to be of the requisite age and additionally
provide the vendor with other information of value for
customer profiling (eg as the basis of a blacklist of
people to be excluded from the specific venue or from
independent venues that use a networked identity service).
Such proposals have been criticised on several grounds.
The first, and most obvious, is that a photo identity
can be readily subverted, with an under-age consumer using
Photoshop to add a few years to his/her age. Few people
have detailed forensic skills and the situations in which
a photo ID is provided as proof of age (for example among
the hubbub of a queue jostling to get into a nightclub
at 11pm) are often not conducive to meaningful scrutiny
of what appears to be a legitimate identity card.
Critics, including the author of this page, have also
capture of data from identity cards by the operators of
entertainment venues, with questions about potential misuse
(including unauthorised provision to third parties) and
Others have noted that some people rely on passports
as the definitive proof of age or identity, claiming that
a passport is harder to forge or is simply so unusual
that most people will not bother attempting a forgery
where only a proof of age is required.
Both passports and national identity cards are useful
for physical verification but cannot be readily used online,
although the author is aware of one geek who persuaded
a network gatekeeper to provide access after he waved
his passport in front of his webcam and then offered to
email a scan of the relevant pages.
Birth certificates have been hailed as definitive signifiers
of age, given that they are official documents and provide
a specific date of birth (usually with a specific place).
In practice they do not provide a viable mechanism for
online age verification. Formats are often inconsistent
- a particular issue where verification is meant to take
place across jurisdictions and cultures - and subject
to forgery. They are paper documents that supply a name
and date of birth but do not provide a photograph or sophisticated
biometric information that ties the bearer to that document.
That is an issue because, as noted elsewhere on this site,
there have been numerous incidents where an identity thief
has readily obtained and then misused some else's birth
There have been proposals that parents would provide social
network service operators and other entities with hardcopy
(certified or otherwise) of birth certificates or email
scanned versions of the certificate to the service operator
or to an associated register.
Those proposals have been criticised as assuming that
parents will make the effort, operators will differentiate
between fake and genuine birth certificates, and minors
will not undermine the regime by providing photoshopped
documents in the guise of their parents/guardians.
One of the more meaningful criticisms of use of hardcopy
birth certificates as an online age verification mechanism
is simply the cumbersomeness of the mechanism, with suggestions
that there would be delays of weeks from when a minor
wanted to join a service such as MySpace to the time when
the service operator had received the hardcopy and accepted
the application. Given that the business model of most
SNS is predicated on large populations it is extremely
unlikely that operators will embrace any mechanism that
deters population growth.
For most young Australians the driver's license - in the
absence of an education department identity card or broader
proof of age card - is the mechanism for verifying that
the bearer is of age.
That reliance reflects the format of the driver's licence
(ie an officially-issued photo ID card that includes the
person's date of birth and an address, current or otherwise)
and wide acceptance within the community as being the
defacto national identity document, one that is recognised
in 100 Point Schemes by banks and other institutions.
Most entertainment venues will thus be satisfied with
provision of a licence (increasingly through scanning
of the card at the door). Proving age online is more challenging,
given that the retailer, service operator or other entity
typically does not sight the licence, particularly does
not sight the licence in a way that ties the bearer to
the image on that card.
Critics have noted that not all people have driver's licenses
or indeed a proof of age card. A fundamental criticism
for online sorting of minors, where parents and services
may wish to restrict access by people who are over 12,
is that driver's licenses are typically not granted to
minors under 16.
proof of age cards
Governments and even some commercial entities have sought
to sidestep some of the above problems by providing minors
and adults with what are variously described as 'proof
of age' or 'proof of identity' cards. Those cards are
typically in the same format as a driver's license, featuring
a photograph, the bearer's name and date of birth, and
sometimes address or other details (such as a tage for
In Australia the cards have served as surrogates for driver's
licenses in many environments, for example gaining concessional
fares in public/private transport and access to age-restricted
venues. Their utility is restricted by familiarity, particularly
where the card was issued by another jurisdiction or a
commercial body whose authority/format is not recognised.
As with driver's licenses it is difficult to conceptualise
a proof of age card as a useful mechanism for identifying
people online, particularly young minors who simply lack
a card and will not gain one until they reach 16 or thereabouts.
In practice credit cards (or surrogates such as adult
content 'payment cards') are one of the two dominant mechanisms
for age verification online. The expectation is that the
card will only be used by the person to whom the card
has been issued, with that person of course being an adult.
An online retailer or service provider will be able to
interact with the issuer of the card, seamlessly and instantly
validating the cardholder's identity.
Reality is of course more complicated and credit cards
provide a weak proxy for effective age identification.
That is because mere possession of a credit card - or
of the information on the card - is not a reliable assertion
of identity or age. Some minors are given or lent credit
cards by their parents, siblings or older peers. Some
borrow use of or steal credit cards from people around
them, consistent with comments elsewhere on this site
that much credit card fraud involves your nearest &
dearest rather than the Vladivostok mafiya.
Other critics have noted more subtle concerns. One is
that many financial institutions and service providers
levy a nominal charge for electronic verification, with
checking simply involving a match with the relevant location
and to verify that the card account is still active (ie
has not been closed or is flagged for suspected idetity
fraud). There is no meangful check of name, age or signature
and little checking of consumption pattern.
Given anxieties about phishing some parents are reluctant
to provide credit card details simply for the purposes
of identity verification (ie where there is no purchase
or subscription fee) and are even more hesitant about
letting the kids have the details for provision whenever
requested by a SNS operator ... or by a scammer.
In the US the federal Child Online Protection Act
1998 sought to restrict access by minors to online adult
content, with site operators being able to use the defence
that they had made a good faith effort by requiring a
credit card, adult personal identification number or similar
age-verification. That legislation, as noted in the discussion
of censorship elsewhere on this site, quickly became embroiled
in legal challenges and has not proved effective in restricting
access to instant messaging, chat or newsgroups.
Developers of biometric
solutions have inevitably turned to questions of age verification,
with critics commenting that vendors are simply asking
the wrong questions and providing the wrong answers in
dealing with challenges about restricting access by minors
to adult sites.
One approach has been the notion of thumb or even retina
scanning, with the captured data being matched with a
register on the specific device, held by the operator
of an adult site or by a third party gateway service specialising
The approach, unsurprisingly, has not found favour. That
is because some consumers are anxious about "gifting"
their biodata to an organisation, particularly one that
is online and that may be susceptible to the large-scale
data loss recurrently highlighted in the mass or specialist
media. It is also because there is insufficient infrastructure
at the end-user or network operator/service provider ends.
Finally, it is because many parents recognise that the
technology can be outwitted, eg if mum or dad forgets
to go offline and a minor can thereby piggyback on that
parent's verified identity. If it is to be an effective
tool for excluding minors the biodata must be either tied
to 'permissions' on a specific device or to an external
register than features validated age information.
A handful of vendors have adopted a different approach,
promoting biometric tools that use physiology to directly
identify that someone using a machine is a minor rather
than to identify a specific individual. One proposed solution
involves electronic measurement of the the size and structure
of the bones in a hand or individual fingers, on the basis
that young children have more cartilage than teens and
that adults are determinable by bone density - the same
measures used in some forensic post mortem examinations.
i-Mature (now Verificage) claimed in 2005 to have
an innovative technology that can determine, through
a simple biometric bone-scanning test, whether a user
is a child or an adult - and thereby control access
to Internet sites and content. AGR technology could
help prevent children from accessing adult Internet
sites and prevents adults from accessing children's
sites and chat rooms.
"i-Mature's solution provides a means of guaranteeing
the identity and age of young Internet users today,
in contrast to other solutions available which can exacerbate
the problem," comments Burt Kaliski, vice president
of research and chief scientist at RSA Laboratories.
"With AGR, the burden of administration would be
removed altogether, and the credential could not be
abused if lost, borrowed or stolen.
Verificage was busy promoting its "mouse-like PC
peripheral" in 2008 as providing a "predator
free internet experience", one that
children with a safe internet experience by blocking
contact with online predators and filtering out inappropriate
content without hindering your child's learning, social
networking and exploring opportunities.
have noted that expectations about safety may be unrealistic,
because a predator may go online using a valid identifier.
One comment was that
must not be forget that some child predators have children
of their own and could defeat the device by forcing
their children to use it so they could go online as
an "age-verified" child. Again, this would
give rise to a false sense of security online.