Email-based age estimation: A privacy preserving solution?
Lina Ghazal of Verifymy on the newest kid on the age assurance block
Age assurance is in the news again, thanks to Australia’s new law that will see under-16s banned from social media.
In the US, where several states are mulling age-verification laws, Apple says it is introducing a new way for parents to privately share the age of a child.
There have also been moves closer to home, too, with Ofcom publishing guidance last month on effective age checks as it starts to implement the Online Safety Act (OSA). By July, says the regulator, all online services that “allow pornography” must introduce processes to check the age of users, and these processes must be “accurate, robust, reliable and fair.”
What is age assurance technology?
For clarity, age assurance refers to both age verification and age estimation, verification meaning checking the exact age of users of a regulated service – for example when opening a bank account.
Ofcom says it’s technology-neutral when it comes to age assurance so long as the solutions are effective. It’s up to individual platforms to choose the one that best fits their compliance needs.
Among those that might fit the bill are open banking, photo ID matching, facial age estimation, mobile network operator age checks, credit card checks, digital identity services and email-based age estimation.
Some of these methods require uploading ID. These obviously present a higher risk and a greater management burden than those that don’t. Troves of data could become a target for hackers; unscrupulous companies could flout data protection laws and sell the data or use it for profiling users.
But a social media site is not a bank. It has no need to know who you are, just whether you are old enough to be on there. For that and other use cases, there are less risky alternatives. One of them currently being investigated by Australia is email based age estimation.
Email-based age estimation
Lina Ghazal is head of regulatory and public affairs at Verifymy, a UK company that specialises in age and identity verification. She told Computing about the advantages to platforms and users of using email to indicate age.
Email-based age estimation tech is the new kid on the age assurance block. Fear not, it doesn’t rummage through your inbox but instead checks the digital footprint your email has made as it is used to login to sites, as tracked by third parties such as Experian. The user inputs their email, and, following a spoofing check, is sent a one-time password. The email’s online footprint is then analysed.
A new burner email account set up by a kid trying to purchase a knife on eBay will have a very limited footprint and will be rejected. Neither will an account used mostly to log into a school system and Minecraft servers pass muster if, for example, the cut-off age is 18.
“We can check if the email was used, for example, with a bank or a mortgage broker or on a gambling site,” said Ghazal. “These signals then help us to estimate the age of the of a user.”
It is pretty accurate too, if the company’s figures are anything to go by. In tests only around 0.3% of under-18s passed as 18-plus using this method, while in the other direction only 2.4% of over-18s were judged to be younger than 18.
Asked about the privacy implications, Ghazal said no extra data is collected for the footprint beyond what’s already out there. “What's important to say is that it uses data that has already been collected by the site. So it doesn't create additional data or proof points, and the whole process is completely anonymised. We don't need to know who you are in order to process an age check.”
What’s more, Ghazal insisted, Verifymy’s technology is built to avoid traceability and fraud and is fully compliant with GDPR, using encryption and zero-knowledge proofs to protect sensitive data.
Most large sites, including social media, online markets, gaming, dating and adult sites, already use a variety of age assurance technologies, including those listed above. According to Ghazal, email-based estimation is the least intrusive, being frictionless, anonymous and unbiased.
Gaming the system
Several criticisms have been levelled at age verification and assurance schemes over the years. In fact, in 2022 the French authorities found that none then available were sufficiently reliable or privacy-preserving. There’s the issue of storing sensitive data and risk of profiling already mentioned, and the lack of recognised standards. Then there’s the slippery slope argument, where estimation becomes a demand for verification and then identification. Eventually, to misquote the old joke, everyone knows not only that you’re a dog but which dog you are.
Ghazal acknowledged the regulatory deficit, saying it’s due to age assurance being an emerging field. She added that she is one of those working towards global standards and interoperability as part of the Age Verification Providers Association’s (AVPA) executive committee. She expressed regret that it’s being used as a political football.
“What we're trying to do here is to protect users online, and I think that's very important.”
She insisted the technology has improved greatly in terms of privacy, security and accuracy, but cautioned that age assurance will never be the complete answer to protecting children. Parents and teachers will need to continue to promote media and digital literacy, because there will always be bad actors trying to game the system.
An Ofcom spokesperson told Computing that the regulator is “aware of the scams and fraud risks that the implementation of age assurance may bring,” adding that the watchdog is working with the ICO and National Crime Agency to minimise the risk and ensure platforms comply with their legal obligations.
Another criticism is the cost. Some small site owners believe they will be unable to afford the time and expense of complying with the OSA. It is the responsibility of the regulator to ensure small businesses are not adversely affected, but so far as the technology is concerned, Ghazal said prices are falling. “The technology needed for compliance has become increasingly accessible and affordable, with age checks costs in pence not pounds. Safety providers also typically offer scalable solutions that are tailored to different risk levels.”
Meanwhile, platform providers are trying to shunt the legal obligation for age assurance elsewhere. Meta, X and Snap said recently that age assurance should be the responsibility of app stores (although where that would leave web apps is anyone’s guess) or device OSs. This is a distraction, said Ghazal.
“I'm not saying that shouldn't be considered, because honestly I don't think that there's a silver bullet here.
“But what we're trying to do is to see how the technology can help with the challenge that we have right now. And right now, the technology exists at the platform level and it’s efficient, it's robust and it's privacy preserving.”