Principles and Implications of Age Assurance: Towards a Common International Approach

Bad Privacy Blog by Claudiu Popa
7 min readSep 23, 2024

When the Office of the Privacy Commissioner of Canada announced its recent Exploratory Consultation on the implications of modern age assurance mechanisms, it began with a simple question: “how can an online service determine whether a user is a young person, and thus subject to <…> restrictions?”.

The opening assumption is two-fold: that the restrictions in question are in place to prevent certain content from being available to young people or that their personal information must not be collected, used or disclosed unlawfully.

According to Canada’s Privacy Commissioner:

Age assurance can be one important way to protect children, both from inappropriate or harmful online content, and the risks that may arise from the collection and processing of their personal information” — Philippe Dufresne

The request for comment defined age assurance as “a variety of processes by which the age (or age group) of a user is determined with varying levels of specificity and certainty. Age assurance can be an effective technique to promote online safety for young people. As well as restricting access to harmful content, age assurance could be used to direct young people to a version of a service that uses data practices tailored to youth and children. However, this technique can also have impacts on privacy and other fundamental rights. Given this, the Office of the Privacy Commissioner of Canada (OPC) intends to undertake policy and guidance work on the development and use of age-assurance technologies.”

As a technologist, I appreciated the OPC’s transparent approach outlining its preliminary opinion, thoughtful constraints and established shared language around related terminology, including age declaration, estimation and verification.

On the final day of the Exploratory Consultation, I took the opportunity to respond to the request for comment under the auspices of the Knowledgeflow Foundation, an independent non-profit organization I co-founded a decade ago with the objective of having a generational impact on the adoption of cybersafety at a societal scale.

I was particularly drawn to apparent contradiction in terms related to the “varying levels of certainty” related to age assurance and said so: “Assurance implies a guarantee of accuracy and a promise of consistent control effectiveness”. That said, I recognize the need for consistency in addressing digital policy discussions, particularly precedents have been set for its use by the UK’s ICO and Ofcom.

The OPC was helpful in guiding contributor answers along the lines of:

  • supplying additional context and suggested resources in shaping the OPC’s future work on age assurance
  • comments on the preliminary views
  • identifying other significant privacy considerations
  • expressing an interest in complementary steps the OPC should take to promote the online safety of young people

I was able to craft a response congruent with the aforementioned points, which can be summarized as follows:

  • High-Risk Situations: Age assurance mechanisms should be limited to high-risk contexts, and risk should be clearly defined.
  • Risk Proportionality: Risk proportionality must be easily understood by the public, avoiding complex legal or technical language.
  • Monitoring Global Standards: Continue observing developments in technology standards, particularly in AI and privacy.
  • Minimize External Dependencies: Prioritize internal development, limit reliance on cloud services, and avoid untrusted code libraries.
  • Collaborate with Child Advocacy Groups: Partner with reputable organizations like UNICEF, Common Sense Media, and 5Rights Foundation.
  • Address Privacy and Data Retention: Focus on data retention, ephemeral identifiers, and pseudonymous identification to mitigate risks.
  • Utilize Blockchain for Secure Storage: Explore blockchain, tokenization, and network coding for secure data storage.
  • Third-Party Oversight: Apply compliance and certification processes, emphasizing standardized transparency and oversight.
  • Involve Diverse Stakeholders: Create advisory boards with diverse representatives, particularly from vulnerable sectors.
  • Resource Development: Develop resources for different audiences, including student programs, public-private partnerships, and technology testing sandboxes.

One particular area of focus for me is the anticipation of harm. I said:

“With respect to privacy considerations, I would focus on anticipating the behavioural impact of each of the major proposed methodologies for age assurance, with an eye towards mitigating the risk of behavioural change that poses additional risks and associated harms to data subjects. The spectrum of possibilities here is vast, but I suspect that extremes can be readily contemplated. ... For that purpose, I propose mapping them against derivatives of privacy harms (i.e. Citron/Solove, 2021)”

As risks and harms go, the topic of behavioural impact and/or modification is a complex challenge, particularly in technology and cybersecurity, where any hurdles to usability can motivate users to bypass insufficient controls, leading to a false sense of security.

https://www.priv.gc.ca/en/opc-news/speeches/2024/js-dc_20240919/

A few days later, the OPC, UK ICO and the privacy regulators of other nations including Mexico, the Philippines, Argentina and Gibraltar published their “Joint Statement on a Common International Approach to Age Assurance”, a thoughtful and clear initial statement the privacy implications of age assurance methods. In it, the signatories made several points that are in full accordance with the views and opinions of the KnowledgeFlow Foundation, and no doubt any number of other privacy professionals. These include adopting:

  • Risk-Based Approach: Both your comment and the joint statement emphasize that age assurance mechanisms should be applied in high-risk situations and that risk assessments should be conducted. You advocate for clear definitions of risk, while the joint statement insists that age assurance be implemented in a proportionate way, especially when children’s safety is at stake.
  • Data Minimization and Privacy Preservation: You both stress minimizing data collection. Your focus on limiting reliance on untrusted code and the necessity for secure data storage mirrors the joint statement’s principle that any personal information collected for age assurance must be limited to what is necessary, lawful, and privacy-preserving.
  • Collaboration with Trusted Groups: You recommend partnering with reputable child advocacy groups. Similarly, the joint statement mentions the involvement of international regulatory groups like ISO and IEEE to ensure that age assurance technologies are up to standard.
  • Transparency and Accountability: Both documents emphasize the importance of transparency in how age assurance methods are applied. You highlight the need for clear communication with the public, and the joint statement insists on transparency and accountability from providers regarding the methods they use.

I found these conclusions — and their associated Principles — to be a very articulate step towards the adoption of clear standards and facilitation of collaborative methods going forward.

In particular, for the benefit of my reader, I would summarize the Working Group’s 11 Principles as follows:

  • Compliance: Must align with data protection laws and be risk-based.
  • Lawfulness: Use personal information lawfully, fairly, and transparently.
  • Best Interests: Focus on children’s best interests and their rights to access information.
  • Accountability: Providers must be accountable for privacy-preserving and effective methods.
  • Certainty: Ensure reasonable certainty of children’s access to platforms.
  • Risk Assessment: Document and assess potential data protection risks.
  • Balance: Weigh data protection risks against the child’s best interests.
  • State-of-the-Art: Use effective, up-to-date methods and review them regularly.
  • Self-Declaration: Avoid relying solely on self-declaration where high risk exists.
  • Appropriate Methods: Match age assurance methods to data protection risk levels.
  • Comprehensive Approach: Combine age assurance with parental filters, education, and privacy-by-design.

Based on this foundational set of Principles, regulators and contributors — in my opinion — should focus on the technical feasibility, adequacy and sufficiency of age assurance controls, such as specific technical innovations and secure coding standards for privacy and data security.

Additionally, I suggested that broader ethical considerations will play a big part in the discourse going forward, particularly the adoption of strict codes for vendor due diligence, proactive cybersecurity practices (such as active testing and bug bounties), and exclusion of AI systems with ethical violations.

I was very pleased to see that the Foundation’s insights into the necessity of risk assessment, privacy, and collaboration align well with the principles outlined by the international regulators in their Joint Statement. Our suggestions were also intended to offer complementary technical and forward-looking approaches to controls, practices and technical implementation. As such, I believe our contributing efforts have not been in vain and look forward to future globally applicable insights from the International Age Assurance Working Group.

Following this strong effort — which built on equally solid work by the UK ICO et al (CNIL, AEPD, IEEE, etc). — we wish the OPC and the rest of the Working Group continued momentum in the effective design of compliant age assurance mechanisms, regulatory convergence and coordination, development of thought leadership, and implementation of a vast spectrum of potential technologies that will advance the field of age-appropriate access controls.

--

--

Bad Privacy Blog by Claudiu Popa

Fīat jūstitia, ruat cælum. Personal musings on data protection fails, snafus & oddities, written & edited by Claudiu Popa; author, educator, booknerd.