Effective Age Verification in the Digital Age

Public Health Warning

Recently I assisted someone that received a warning from “Public Health England” that they would be deregistered and not allowed any cross-border sales unless they can demonstrate how they verify their client's age on their website. Their website links were removed from the list until such time they could demonstrate the process.

Panic Stations

Now that was a real honest WTF moment. As things stand at the moment, there are no guidelines what-so-ever on the requirements for age verification in the UK, EU that will guarantee your potential client is who they say they are. Even the suggested legislation for porn websites has been moved to the back-burner or scrapped as it is simply not achievable without running into privacy and data protection issues.

Now Public Health England wants us to fix this problem that no-one else can fix…

Original Age Verification

Original Age Verification methodology that was in place was:

• the standard “pop-up” that asked the visitor to confirm they are 18+ years of age by clicking a button. That is recorded in a cookie and expired once every 7 days. Short of actually having a video link to see the visitor clicking the button, there is no real way to verify the age.
• The only payment method available on the website is “PayPal”. That is clearly advertised on the website. Everyone that has a PayPal account knows that the minimum age for opening a PayPal account is 18 years of age. Altho PayPal can not guarantee that the account holder is actually 18 years of age, the moment you want to add funds to the account they need to verify your identity to safeguard themselves against international money laundering.
  
  Ok, so you can use a PayPal account without any funds in it by paying with a debit/credit card. Some banks would allow account holders at the age of 11 to hold a debit card. Usually 16+. I have personally seen people using children accounts to move funds to save on banking fees. The question then arises, how does PayPal verify the age to still comply with money laundering legislation…?
• Account Registration is a requirement and a valid phone number is part of the “required” fields on the website to ease communication if the delivery is delayed. Easy to use to confirm an order is made by someone older than 18 years of age. Or is it…?

What to do?

The first thing we did was to visit the “Public Health England website to find the list of registered cross-border sales businesses to see how the rest of the businesses are doing it. With them still, on the list, we assumed they obviously doing it right and expected to find some indication on what steps to take.

Surprise, surprise…
Every single one of the websites, both locally and internationally, approached age verification in exactly the same way we did. I managed to buy things from websites with fake names, fake date-of-births and fake addresses without a problem. So clearly they do not have any controls in place.

Public Health England.

The following is a guide to possible steps and precautions that retailers could adopt to assist with age verification. However, it should be noted that these may not be suitable for some situations and retailers will need to assess what steps are suitable and appropriate to their individual circumstances. Retailers may be able to develop other methods of age verification.

Nice!! It says absolutely nothing. We are still nowhere closer to solving the problem we did not know we have or even know what we are missing. At one stage we even suspected the email was a phishing attempt by some scrupulous guy in his mom's basement. Turned out it was not the case but every email sent to Public Health resulted in the same thing. “Fix the Problem”.

Well, it would be helpful if you can say what you want. What box needs to be ticked or what needs to be written or said by who to who…

The “penny drop” moment

Following many back-and-forth emails, reading and wondering, looking at what, looking at various options like;

• PayPal offers.
  Unverified vs Verified Accounts.
• Looking at Electoral Registers
  Not practical, even if there was a way to automate the lookups. Not everyone is registered to vote and the rest most probably ticked a box to not allow 3^rd party access to their information.
• Credit Reference Agencies
  erm yea ok, if you have the money to pay for access.

Problem is still that anyone can enter a parents information and be underage. Where do you draw the line and where does your responsibility ends?

Then an email came back from someone at Public Health England saying “Onscreen Age Verification is not sufficient” and “Please submit a new registration”

Fine, whatever… Fact is the websites I visited has no, none, zero-age verification other than onscreen…

Anyway, let's visit the online cross-border registration form. This page stood out… Obviously…

Now, whether the red-underlined (that was my edit) parts were there 4 or 5 years ago. Who knows. But what I understand was that it does not really matter what you have implemented on your website. It comes down to what you enter in this box.

Red tape and bureaucracy at its best.

What we wrote for a successful application.

Following is a screenshot of the actual application form with the important bits underlined.

An email was received shortly following the application stating it was successful and the website links restored on the Public Health England website as an approved Cross Border Distance Seller.

I am not saying Public Health England will not spot check and test your actual Age Verification process at some stage. So make sure you actually do the right thing and follow your own procedure if you have any doubts.

I hope this could be useful to someone else out there that run into this problem.