Age verification checks are popping up on major sites all over the internet for UK-based users. The government’s new Online Safety Act means that social media and sharing platforms – as well as gaming consoles – are now required by law to enforce age restrictions before granting access to content considered potentially harmful.
Most of the time, the service provider will ask you to provide a government-issued ID to verify your age, but there’s currently no standard practice on how your ID is subsequently handled.
Below, we’ll explore how major providers use your data and whether it’s possible to prove your age in a privacy-friendly way.
How is age verification data collected?
Ofcom, the UK government’s regulator for communications services, compares sharing your ID with an online service to showing a cashier your ID to purchase age-restricted goods such as alcohol and cigarettes. This is not entirely accurate, however, seeing as the cashier doesn’t take a photo of your ID and send it away for a third party to verify.
There are several different methods used for age verification online, each impacting your privacy in different ways:
- Using existing data to estimate your age has the lowest impact on your privacy. Sites are allowed to make an estimate based on the age of your account or your email. They’re also permitted to make soft checks – for example, whether you have an online banking account, a credit card or a mobile phone number that doesn’t have age checks associated with it. While invasive, these methods aren’t as big a threat to your privacy as submitting your ID.
- Biometric estimation involves uploading a photo of yourself so that the service provider can guess how old you are. Having a selfie associated with your accounts can be a headache, but the amount of damage this can do to your online privacy is limited.
- Full photo ID matching is the biggest cause for concern, as service providers can potentially store a scan of your passport or driving license for a significant period of time.
Spotify uses Yoti, a third-party verification service, to match your ID to your account, and claims that data is deleted as soon as the age check is completed. Reddit uses Persona, which claims it only stores this information for seven days. The most egregious example we’ve seen so far is X, which uses AU10TIX to store age verification information for up to 30 days. (Concerned users can check out our guide to safely verifying your age on X without risking your personal data.)
What are the biggest privacy risks associated with age verification?
The Online Safety Act doesn’t make any special provision for the handling of age verification data by online services. Each website you visit could be using a different age verification provider, some of which may be based in privacy-unfriendly jurisdictions.
Possible data breaches are therefore a concern. While some verification companies claim they delete your data immediately, others hold onto it for a period of time (often 30 days) in case you wish to dispute the outcome. The issue here is that if the age verification provider ends up being hit by a data breach, a scan of your government-issued ID could end up in the hands of cyber criminals.
The normalisation of age verification could also result in better phishing attacks. Phishing attacks prey on the fact that we don’t think too much about normal processes we carry out on the internet every day, such as logging into services with a password. Before the Online Safety Act, providing your ID was an exceptional task that you’d only do while signing up for services that require KYC (Know Your Customer) checks, such as banking or crypto apps. But, if you’re now expected to use a government ID every time you want to use a new internet service, the chances of having an off day and accidentally submitting your ID to a phishing site increase dramatically.
It’s unclear, too, how much profiling takes place on the back-end of these companies. When you hand over your ID, you’re effectively saying, “My name is X and I want to use Y service”. Accessing adult services could be a source of embarrassment, but the potential privacy concerns go way deeper than that. Mental health and LGBTQ+ resources can also be protected by the Online Safety Act, so there could also be issues if you’re accessing content you wouldn’t necessarily want to be made public.
What can I do to protect my data?
The implementation of the Online Safety Act reflects a trend towards an internet that’s becoming increasingly privacy-unfriendly. The European Union is considering introducing similar legislation, and age verification schemes have been rolled out for some adult sites across America. This issue goes far deeper than online safety, however.
The policy has created a minefield for digital privacy. Even if you’ve been visiting a site for years, you now have to verify the data protection policy of each age verification provider, as well as go through the hassle of handing over your ID.
If you’re worried about where your data ends up, there’s no substitute for carrying out your own due diligence. If you’re not comfortable with handing over your ID, you may have to give up on using a service completely if you’re browsing from the UK.
That said, if you’re simply worried about your data being scooped up by a third-party snooper, there is an answer: use a VPN.
By encrypting your traffic en route to a foreign server, a VPN ensures your data can’t be viewed by your ISP or anyone else on your local Wi-Fi network.
You might also like
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.