Age Verification on registration

Alpha1

Alpha1

Well-known member
The current age restriction for XenForo is outdated and does not work. We need a reliable Age Verification system.
My suggestion is to implement integration with one or more Age Verification services

The EU writes about the current method:
Self-declaration: this most common of all methods has been shown to be easily bypassed by children. Examples include self-declaring one's date of birth. (see attached file for reference)
This is why I posted this related suggestion in the past: https://xenforo.com/community/threads/improve-minimum-age-function.87298/

New legislation in the UK has already caused XenForo sites to shutter or to announce shuttering. More in this thread here:
lazy llama

Thread 'UK Online Safety Regulations and impact on Forums'

The UK regulator OFCOM yesterday announced a set of regulations which will come into effect on 17th March 2025

www.ofcom.org.uk

Time for tech firms to act: UK online safety regulation comes into force

People in the UK will be better protected from illegal harms online, as tech firms are now legally required to start taking action to tackle criminal activity on their platforms, and make them safer by design.
www.ofcom.org.uk www.ofcom.org.uk

These have broad implications for all forums which "have links to the UK" - including those which accept UK users.

I've not yet had the chance to read all the guidance, as there are thousands of pages of it in multiple volumes. From what I can see the key items are strong age verification and content scanning.

I've already seen some...
  • Like
  • Wow
  • Sad
www.telegraph.co.uk

Hamster forum and local residents’ websites shut down by new internet laws

Scope and scale of Online Safety Act likened to China’s ‘great firewall’ as small websites struggle to comply
www.telegraph.co.uk www.telegraph.co.uk

My suggestion is to implement integration with one or more Age Verification services. Some considerations for choosing Age Verification services are:
  • Cost: It can quickly become costly if the webmaster will have to pay a significant amount per signup.
  • Ease of use: Age Verification should not be too obstructive in the registration process.
Here are some possible Age Gate services:
ageverify.com

AgeVerify - Website Age Verification - AgeVerify

AgeVerify is a free website age checker, pop up splash entry page & age verification pop-up script that easily integrates in to your existing website with a single line of code.
ageverify.com ageverify.com

Google 0auth may have something:

Access age-restricted content & features - Google Account Help

Some content and services are subject to age verification. To access age-restricted content or services, we may ask to confirm your age with a valid government ID, or a valid credit card.
support.google.com

verifymy.io

Age and identity verification

Explore Verifymy's safeguarding solutions for online platforms, ensuring trust and compliance with age and identity verification.
verifymy.io verifymy.io

Building the world's trusted identity platform • Yoti

Our comprehensive suite of customer verification tools make it easy for businesses to be compliant and safe for people to prove who they are.
www.yoti.com www.yoti.com

There are also payment services that allow the user to verify their age by payment. i.e. paid registration.

Some more options here:
expertinsights.com

The Top 9 Age Verification Solutions

Explore age verification solutions offering comprehensive checks, identity validation, and compliance with age-restricted regulations to maintain age-restricted access.
expertinsights.com expertinsights.com

I think that adding such integrations would help some webmasters keeping their websites online and avoid shutting them down.
 

Attachments

Upvote 22
zappaDPJ said:
That's not my understanding. I believe there are a multitude of content types that might require effective age verification depending on a) the level of perceived harm (categorised 'primary priority content', 'priority content' or 'non-designated content') and b) whether the site is likely to attract a 'significant number' of children.

I'm quite happy to be corrected if any of this is wrong.
Click to expand...
It says quite clearly somewhere. They assume children can see any site. Even partially. And then you are required to do a childrens assessment UNLESS you have age verification. I started reading through the childrens assessment and risk assessment and they urge you to "veer" on the side of caution when ascertaining risks and how you would mitigate them. So any site that doesn't have good moderation all the time and a spam porn link slips through ............. it's a big headache. If you have age verification software you don't even have to start with child assessments.
 
Basically, if you don't have age verification software, how do you know that you don't have children on your site? What's odd is, children can still view the site even if they're not registered, but then you don't need to do the child assessment as long as they're not registered and you have age verification id. It doesn't quite add up,

The risk assessment guidance says you have to consider that children of ALL ages might see your site - age 2 upwards. And

"You need to consider any other characteristics that may increase or decrease risks of harm to children, including the risk of children experiencing cumulative harm."

There is more in the bigger document but I can't access that right now. Graphics driver issue I think

www.ofcom.org.uk

Quick guide to children’s risk assessments: protecting children online

This page summarises proposals we are consulting on – we will update this information when final documents are in place. Please note that this quick guide is intended to introduce your children’s risk assessment duties. Our guidance will set out your legal responsibilities in full.
www.ofcom.org.uk www.ofcom.org.uk
 
I can read that now after updating my graphics driver. So - this is what I mentioned on the other thread about children seeing injured hamsters. In the Child Risk assessment there are "Primary priority content" (ie all the serious stuff like porn etc) and there is also "Priority content" which includes a whole load of other stuff they think is risky for children to see. Screenshot below. So from my point of view I would rather have age verification than go through another whole risk assessment and paperwork on children and think it could take a lot to avoid ALL harms from any 2 year old upwards. Essentially I think they want you to have age verification or go offline. Unless it's an educational or childcare site.

The hamster site would be a risk for point 6 b "depicts the real or realistic serious injury of an animal in graphic detail". While our rules said no - graphic images of injured hamsters - it did happen - when people are in a crisis and want to know what to do.

That is just one example. Obviously other things could be mitigated but there is a huge scope of harms in a childrens risk assessment. Link in post above.

Stunts - all kinds of non nasty stuff could be interpreted as harmful to children or them copy it. And they're thinking about 2 year olds.

It would be a much bigger risk assessment process than the initial risk assessment that everyone has to do IMO.

Priority content.webp
Priority content 2.webp
 
Comments would have to be highly censored. They mention teenage girls and risks they could be exposed to as well. There is a whole piece somewhere about misogyny ..............

To avoid all of this stuff you need age verification software. In my opinion.
 
Last edited:
Someone already posted this earlier but it makes it clear. Age verification software yes? No Child Assessment. Age verification no? You need to do a child assessment. Personally I draw the line at doing the initial risk assessment, complaints procedure etc. Not going down the whole child risk assessment as well - bearing in mind the age range they are talking about (age 2 upwards) and the wide ranging risks they are talking about - which means needing age verification software.

Also bearing in mind Ofcom says all sites should consider they could be viewed by children of any age (will try and find that quote).

But it says "you can only conclude it is not possible for children to access the service if you have highly effective age assurance"

Figure.webp
 
I think to some extent we're going to just have to see how the OSA pans out. I mean you can get into all kinds of crazy what ifs otherwise - what if a parent is logged into my age-assured forum, but leaves their phone unlocked and their toddler picks it up and views a post about ... etc. At some point I would hope UK courts might start to suggest that until children become adults maybe a degree of parental responsibility is taken by the parents rather than by 1000s of random webmasters attempting to remotely parent those children! Not to say that broadly speaking I don't think that forums should try to avoid being cess pits of foulness, but beyond making some reasonable adjustments )and having an robustly integrated age verification option for XF would be a nice option to choose if wanted) there is no way to prevent all dangers.

Turning back to XF Age verification services. A generic solution is going to be a bit of a faff, although all the companies seem to work in similar fashions you're certainly going to need a plugin-type model for different providers.

The way I see it there are realistically only a few options given the limited number of players in the market at present. So if you're forum is onboarding a few hundred users every month then you are probably in the position to be able to afford to employ a developer to code a solution with one of the "enterprise" suppliers. So odds are any built in solution probably wouldn't be a big attraction to choosing XF since it'd be a feature they couldn't afford to use. That leaves you with only a few who offer either pay per check or more modest minimum thresholds per month.

So another plausible scenario would be if someone like XF Ltd decided they needed age-checks as part of their cloud hosting offering and were brokering the costs - then splitting the costs over all their cloud clients and perhaps extending that offering out to the wider XF community. However that brings with it a whole extra overhead of managing another digital service on top of their day to day development service, so unless it were generating a healthy income I can't see that happening. Obviously another third party could offer a similar service, but is the demand really there? So hard to tell.

Finally you get down to the handful of PAYG offerings or those with lower monthly requirements. Somehow missed it before but BenFF pointed it out on another thread there is a https://xenforo.com/community/resources/stripe-identity.8832/ which uses the Stripe solution. Then to be honest it'd only take someone familiar with the XF framework a few days to knock out one supporting VerifyMyAge. I doubt the code I wrote (ruby gem that sits outside XF) too me more than a day or two of total effort to crank out.

My best guess is this will be a suggestion that XF will think is better met by third party add-ons rather than core.
 
That is a good point - integrating one of these services with a XF site. Without an addon to achieve that, it would incur more costs.

Incidentally does this XF community forum have some kind of age verification?
 
To be honest I think a lot of this is a non issue for most sites. Unless your site regularly features adult content, the current age verification for Xenforo works perfectly. Registering an account with an email, ip address, and date of birth is valid verification for most websites. The age verification in particular is pushing back against the type of "Confirm you're 18+" popups that appear on porn sites..

You need to be making sure there's no spam porn links on your site. That shouldn't be staying up for more than a minute tops. It's not a factor.

My forum is one that is effected by this actually, but our forum is restricted from public view and we have addons that handle restricting adult content and we already follow most of the guidelines listed as a matter of basic ethics and morals. The average Xenforo forum though is not going to need a higher level of age verification.
 
But without Ofcom accepted age verification, you need to complete a further child assessment risk, keep records and state how you're mitigating every risk. Just to comply with the act.
 
I've seen it yes. It doesn't go into the next stage - the child assessment. Although it mentions it. The initial compliance needed to be done by 17th March and the risk assessment and mitigations. The next stage is by April - child assessment, then by July, Child Risk Assessment documentation done. I linked the child risk assessment guidance earlier. Where it's clear that if you have age verification you don't need to do a child risk assessment. If you don't have it - you need to read through and comply with all the child risk assessment factors. Which are greater than the initial risk assessment.
 
At this time we personally have no intentions to submit anything. If you are out of compliance with Ofcom, you are not immediately fined. Their approach will be to communicate first and try to help . And you'd have to be reported for that.

"If you’re found not to be complying with the OSA, Ofcom will generally aim to engage with you and ask you to fix it first.

If you’re still in breach, they will open a formal investigation. The outcome of this may be a “provisional notice of contravention”, which will detail the steps you must take, or fine you up to a maximum of 10% of worldwide revenue or £18m, whichever is greater."

If the following is true about your site. And your forum isn't full of predators or porn. You'll be alright. For now.
  • easy-to-find, understandable terms and conditions;
  • a complaints tool that allows users to report illegal or harmful material when they see it, backed up by a process to deal with those complaints;
  • the ability to review content and take it down quickly if they have reason to believe it is illegal; and
  • a specific individual responsible for compliance, who we can contact if we need to.
Things could change obviously. I personally am disgusted by the idea of forced internet ID. It's not there yet but in the meantime the current verification is ok for 99% of sites.
 
Last edited:
Empty said:
At this time we personally have no intentions to submit anything. If you are out of compliance with Ofcom, you are not immediately fined. Their approach will be to communicate first and try to help . And you'd have to be reported for that.

"If you’re found not to be complying with the OSA, Ofcom will generally aim to engage with you and ask you to fix it first.

If you’re still in breach, they will open a formal investigation. The outcome of this may be a “provisional notice of contravention”, which will detail the steps you must take, or fine you up to a maximum of 10% of worldwide revenue or £18m, whichever is greater."

If the following is true about your site. And your forum isn't full of predators or porn. You'll be alright. For now.
  • easy-to-find, understandable terms and conditions;
  • a complaints tool that allows users to report illegal or harmful material when they see it, backed up by a process to deal with those complaints;
  • the ability to review content and take it down quickly if they have reason to believe it is illegal; and
  • a specific individual responsible for compliance, who we can contact if we need to.
Things could change obviously. I personally am disgusted by the idea of forced internet ID. It's not there yet but in the meantime the current verification is ok for 99% of sites.
Click to expand...
Agree for the current stage yes, although you're still legally required to have your risk assessment in case they ask to see it.

But there is a further stage in process beyond the first risk assessment and that is the child access assessment and child risk assessment. So you either need to do one of those or have age verification.

Child access assessment has to be done by April and child risk assessment by July. You only have to do those (and all the record keeping and risk assessments and mitigations for those) if you don't have age verification. Regardless of the topic of the site.

The Child Risk Assessment documentation has only recently been released from what I can see.
 
Last edited:
The point being, if some disgruntled member did report you to Ofcom and they engage with you first and ask you to fix it - they can still ask to see your record keeping and risk assessment documentation. And if that hasn't been done you'd be in breach - and could well be fined. So it isn't even so much about ensuring there are no risks on the site, as about having complied - by doing all the record keeping and risk assessment paperwork - showing what mitigations you've done for each risk, with evidence of the measures taken.

So while the onus is on the forum owner to comply - by having all the record keeping and risk assessment documentation. That paperwork exercise could be very much reduced by having age verification software - as in. You only have to do the initial 17 risk risk assessment (plus record keeping - there;s a downloadable pdf to fill in they provide for that). As opposed to treble the amount of paperwork. Which to my mind, is significantly more time consuming and a much bigger headache generally, for a lay person than it is for a lawyer.

I think what is needed is low cost, affordable face scanningn age verification. It's one of the least intrusive to someone registering, and it's acceptable by Ofcom. Or alternatively, email verification, which is also unobtrusive to the person registering but only has an 84% success rate.

Or ANY Ofcom accepted age verification solution would be good - if something could be implemented for Xenforo.

Because what it does is - make the whole legislation less onerous to a forum owner, both in terms of time/paperwork and in terms of peace of mind. You don't need to worry about any possible child risks on your site - because it's an 18 plus site. And the child risks are extremely wide ranging. Whether your site is likely to have any of these risks or not, is not the issue. The issue is that you need to mitigate for all these potential risks. If kids can't register - you're sorted, You're complying and have a lot less to worry about.

If DM's were turned off and age verification implemented - the whole thing is much simpler. Although I know some people don't want to turn off DM's but a few sites have done that.
 
Last edited:
Although inbuilt age verification in Xenforo would no doubt be a big task to implement and costs involved, it could make many more forum owners choose xenforo over the free forum software options - purely because of that one age verification option - to enable them to comply more easily. In other words, it could increase sales for xenforo.
 

Similar threads

Saphira
Add on for age verification?
Replies
9
Views
200
Alpha1
Alpha1
ForumFan
18+ age verification pop-ups and new laws?
Replies
17
Views
1K
dunowat
dunowat
kankan
  • Suggestion Suggestion
Not planned Email verification on registration
Replies
10
Views
888
Biker
Biker
RaymondCC
Add-on Email Verification on Registration
Replies
4
Views
1K
HWS
H
Back
Top Bottom