The OSA guidance is quite clear over what it considers acceptable age assurance. I'd say the main issue is age re-assurance if we're getting fussy, since once an account is set up we have no control over who is actually using that account, so I'm half expecting to find something in the OSA docs about periodically checking age.
Anyhow the guidance says:
- confirms that any age-checking methods deployed by services must be technically accurate, robust, reliable and fair in order to be considered highly effective;
- sets out a non-exhaustive list of methods that we consider are capable of being highly effective. They include: open banking, photo ID matching, facial age estimation, mobile network operator age checks, credit card checks, digital identity services and email-based age estimation;
- confirms that methods including self-declaration of age and online payments which don’t require a person to be 18 are not highly effective;
- stipulates that pornographic content must not be visible to users before, or during, the process of completing an age check. Nor should services host or permit content that directs or encourages users to attempt to circumvent an age assurance process; and
- sets expectations that sites and apps consider the interests of all users when implementing age assurance – affording strong protection to children, while taking care that privacy rights are respected and adults can still access legal pornography.
Requesting a self-validation is not considered effective (well, we did know that). I don't think requesting a date of birth would be considered effective either (who are these people using their actual dates of birth on random website registrations?) by their measure (although interesting to hear it's been effective in practice). Ofcom have not decided to put a threshold on what they consider "highly reliable", but they have said they may in the future. Realistically that leaves you with either figuring out your own solution (which may well be something manual like video chatting with every member and looking at their ID - if they have any) or:
- open banking
- photo ID matching
- facial age estimation (now you'll be cursing that youthful look you've kept)
- mobile network operator age checks
- credit card checks (i.e. a soft credit check)
- digital identity services
- email-based age estimation (third parties basically check to see if the email has been used for other services like banking and credit cards and so forth, thereby tie the user to those services, and by implication they are such and such age)
Typically access to any of these checks will be through a third party "identity" type service, which we will A) need to integrate into our registration processes and B) need to pay for. Not many of the providers I've seen publish prices, but from the few I have you're probably looking at £0.50 to £2.00 per check, assuming you have sufficient volumes to interest the third party. I've been thinking about contacting https://www.verifymyage.co.uk/pricing to see what their API integration prices are and to see how that might integrate.
There may be some mileage in using OAuth type logins to offload the process to someone else - e.g. you assume that Facebook do indeed ensure no one under (what is it, 13?) can have an account, so if you require a Facebook login then that maybe covers you (although last time I looked there seemed to be a lot more hoop jumping to tie into Facebook auth). Still, that might be one route - although you are rather tying yourself to someone else and it doesn't help your existing members. Facebook use https://www.yoti.com/ to do their age verification FWIW.
You might be able to, say, require a recurring membership fee payable via PayPal. PayPal require you to be 18+ to have an account, so as long as you could be sure the payment was coming from a PayPal account then in theory they are 18+. Certainly one-off payments via PayPal can be done as guests and you can use debit cards for that, so no guarantee there. I'm hoping (fatal mistake) that subscriptions will require an account, so in theory 18+. We might look at this as we already rely on donations, so maybe a £1 a year membership fee would be considered acceptable even for members who just register to ask a few questions. Still, this seems worth looking at to see if my assumptions are robust.
A lot of the "roll your own" solutions will have issues being global. For instance, in the UK you can share driving licence information securely with a third party. That would prove you were 16+ (since you need a national insurance number at 16+ and a provisional licence at 15y9m+), but it's of no use for anyone outside the UK. Hence you're probably going to be pushed to the handful of third parties and their APIs, where they have had to tackle this already.
This all said age assurance is really only there for two reasons:
- To ensure no children are using your service so that the (presumed) harsher degree of preventing harm can simply be ignored. You still have to have suitable tools to deal with all the other harms, but retrospective reporting (which is basically what we have) may well be considered enough. I'm not sure if that would be if you have child users, my fear is you may have to be more proactive.
- To ensure you know the ages of your members and can filter and present the site content to them in age appropriate ways. For instance maybe anyone under 18 can't use private messaging or can't see certain forum nodes, etc.
And technically, unless we're constantly doing "selfie checks" or some other madness, once the check is done and the account created we're back into no-man's-land again. However, I suppose much like doing the risk assessment, due diligence has been ticked off.
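As an added illustration (my own sketch, not code from the original post, from the forum software, or from any of the providers named above), here is how the two purposes described above, plus the re-assurance problem, could be expressed as a fail-closed gate in a forum's registration and permission code. The set of "highly effective" methods follows the Ofcom list quoted in the post; the method identifiers, the one-year re-assurance period, and the feature names `private_messaging` and `adult_nodes` are assumptions chosen for the example.

```python
"""Age-assurance gate for a forum (added example, not the forum's own code).

Policy encoded here:
  * only a passed check by a method Ofcom lists as capable of being highly
    effective counts; self-declaration and date-of-birth never do;
  * a passed check ages out after REASSURANCE_PERIOD (assumed: one year),
    at which point the member drops back to unverified until re-checked;
  * anything gated as adult-only is hidden while no valid check exists,
    i.e. before and during the verification process.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Methods the quoted guidance says are capable of being highly effective.
# Identifiers are assumptions; a provider would return its own codes.
HIGHLY_EFFECTIVE = frozenset({
    "open_banking",
    "photo_id_matching",
    "facial_age_estimation",
    "mno_age_check",
    "credit_card_check",
    "digital_identity_service",
    "email_based_age_estimation",
})

# Assumption: how long a passed check is trusted before re-assurance is due.
REASSURANCE_PERIOD = timedelta(days=365)

# Assumption: which forum features require a verified adult.
ADULT_ONLY_FEATURES = frozenset({"private_messaging", "adult_nodes"})


@dataclass(frozen=True)
class AgeCheck:
    """Record stored against the account after a check, whatever its outcome."""
    method: str          # one of the identifiers above, or anything else
    passed: bool         # the provider's verdict (over-18 or not)
    checked_at: datetime # timezone-aware UTC timestamp of the check


def is_verified_adult(check: Optional[AgeCheck], now: datetime,
                      period: timedelta = REASSURANCE_PERIOD) -> bool:
    """Fail closed: only a passed, highly effective, unexpired check counts."""
    if check is None or not check.passed:
        return False
    if check.method not in HIGHLY_EFFECTIVE:
        # Self-declaration, date of birth, unknown or home-grown methods
        # are not treated as highly effective.
        return False
    if check.checked_at.tzinfo is None:
        raise ValueError("checked_at must be timezone-aware")
    if now - check.checked_at > period:
        return False  # re-assurance due; treat as unverified until re-checked
    return True


def needs_reassurance(check: Optional[AgeCheck], now: datetime,
                      period: timedelta = REASSURANCE_PERIOD) -> bool:
    """True when a previously valid check has aged out (prompt the member)."""
    return (check is not None and check.passed
            and check.method in HIGHLY_EFFECTIVE
            and now - check.checked_at > period)


def can_access(feature: str, check: Optional[AgeCheck], now: datetime) -> bool:
    """Permission decision for one feature: adult-only features need a
    currently valid check; everything else is open to any registered member."""
    if feature in ADULT_ONLY_FEATURES:
        return is_verified_adult(check, now)
    return True


if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    recent = AgeCheck("photo_id_matching", True, now - timedelta(days=10))
    stale = AgeCheck("open_banking", True, now - timedelta(days=400))
    declared = AgeCheck("self_declaration", True, now)
    for label, chk in [("none", None), ("recent", recent),
                       ("stale", stale), ("declared", declared)]:
        print(label, "pm:", can_access("private_messaging", chk, now),
              "general:", can_access("general_nodes", chk, now),
              "re-check:", needs_reassurance(chk, now))
```

The point of keeping the verdict, method and timestamp together on the account (rather than a single "over 18" flag) is that the re-assurance question in the post becomes a query over existing data: when Ofcom do set a threshold or a re-check interval, only `HIGHLY_EFFECTIVE` and `REASSURANCE_PERIOD` change, and members whose checks no longer qualify drop back to the unverified view automatically.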