Australia’s government trial of age‑assurance tech to keep under‑16s off social media says social media age checks can be done, despite errors and privacy risks

Submitted ⁨⁨1⁩ ⁨day⁩ ago⁩ by ⁨Pro@programming.dev⁩ to ⁨australia@aussie.zone⁩

https://ageassurance.com.au/report/

cross-posted from: programming.dev/post/36686657

Main Report.

12 Key Findings
1. Age assurance can be done in Australia privately, efficiently and effectively: Age assurance can be done in Australia – our analysis of age assurance systems in the context of Australia demonstrates how they can be private, robust and effective. There is a plethora of choice available for providers of age-restricted goods, content, services, venues or spaces to select the most appropriate systems for their use case with reference to emerging international standards for age assurance. 2. No substantial technological limitations preventing its implementation to meet policy goals: Our evaluation did not reveal any substantial technological limitations that would prevent age assurance systems being used in response to age-related eligibility requirements established by policy makers. We identified careful, critical thinking by providers on the development and deployment of age assurance systems, considering efficacy, privacy, data and security concerns. Some systems were easier for initial implementation and use than others, but the systems of all technology providers with a technology readiness level (TRL) 7 or above were eventually capable of integration to a user journey. 3. Provider claims have been independently validated against the project’s evaluation criteria: We found that the practice statements provided by age assurance providers with a TRL of 7 or above fairly reflected the technological capabilities of their products, processes or services (to the extent applicable to the Trial’s evaluation criteria). Some of the practice statements provided have needed to be clarified or developed during the course of the Trial, but we observed that they offer a useful option for transparency of the capabilities of the available age assurance systems. Those with a TRL below 7 will need further analysis when their systems mature. 4. A wide range of approaches exist, but there is no one-size-fits-all solution for all contexts: We found a plethora of approaches that fit different use cases in different ways, but we did not find a single ubiquitous solution that would suit all use cases, nor did we find solutions that were guaranteed to be effective in all deployments. The range of possibilities across the Trial participants demonstrate a rich and rapidly evolving range of services which can be tailored and effective depending on each specified context of use. 5. We found a dynamic, innovative and evolving age assurance service sector: We found a vibrant, creative and innovative age assurance service sector with both technologically advanced and deployed solutions and a pipeline of new technologies transitioning from research to minimum viable product to testing and deployment stages indicating an evolving choice and future opportunities for developers. We found private-sector investment and opportunities for growth within the age assurance services sector. 6. We found robust, appropriate and secure data handling practices: We found robust understanding of and internal policy decisions regarding the handling of personal information by Trial participants. The privacy policies and practice statements collated for the Trial demonstrate a strong commitment to privacy by design principles, with consideration of what data was to be collected, stored, shared and then disposed of. Separating age assurance services from those of relying parties was useful as Trial participants providing age assurance services more clearly only used data for the necessary and consented purpose of providing an age assurance result. 7. Systems performed broadly consistently across demographic groups, including Indigenous populations: The systems under test performed broadly consistently across demographic groups assessed and despite an acknowledged deficit in training age analysis systems with data about Indigenous populations, we found no substantial difference in the outcomes for First Nations and Torres Strait Islander Peoples and other multi-cultural communities using the age assurance systems. We found some systems performed better than others, but overall variances across race did not deviate by more than recognised tolerances. 8. There is scope to enhance usability, risk management and system interoperability: We found opportunities for technological improvement including improving ease of use for the average person and enhancing the management of risk in age assurance systems. This could include through one-way blind access to verification of government documents, enabling connection to data holder services (like digital wallets) or improving the handling of a child’s digital footprint as examples. 9. Parental control tools can be effective but may constrain children’s digital participation and evolving autonomy: The Trial found that both parental control and consent systems can be done and can be effective, but they serve different purposes. Parental control systems are pre-configured and ongoing but may fail to adapt to the evolving capacities of children including potential risks to their digital privacy as they grow and mature, particularly through adolescence. Parental consent mechanisms prompt active engagement between children and their parents at key decision points, potentially supporting informed access. 10. Systems generally align with cybersecurity best practice, but vigilance is required: We found that the systems were generally secure and consistent with information security standards, with developers actively addressing known attack vectors including AI-generated spoofing and forgeries. However, the rapidly evolving threat environment means that these systems – while presently fairly robust – cannot be considered infallible. Ongoing monitoring and improvement will help maintain their effectiveness over time. Similarly, continued attention to privacy compliance will support long-term trust and accountability. 11. Unnecessary data retention may occur in apparent anticipation of future regulatory needs: We found some concerning evidence that in the absence of specific guidance, service providers were apparently over-anticipating the eventual needs of regulators about providing personal information for future investigations. Some providers were found to be building tools to enable regulators, law enforcement or Coroners to retrace the actions taken by individuals to verify their age which could lead to increased risk of privacy breaches due to unnecessary and disproportionate collection and retention of data. 12. Providers are aligning to emerging international standards around age assurance: The standards-based approach adopted by the Trial, including through the ISO/IEC 27566 Series [Note 1], the IEEE 2089.1 [Note 2] and the ISO/IEC 25000 [Note 3] series (the Product Quality Model) all provide a strong basis for the development of accreditation of conformity assessment and subsequent certification of individual age assurance providers in accordance with Australia’s standards and conformance infrastructure.

source

Comments

Sort:hotnew top

theroff@aussie.zone ⁨15⁩ ⁨hours⁩ ago
The outcome was already predetermined when the legislation was passed, and the report is being written with that in mind. The report basically has to push it forwards. If this had been done by the ALRC it would have looked quite different.

source
Zagorath@aussie.zone ⁨1⁩ ⁨day⁩ ago
What a load of bullshit. 6 should not be a concern that needs to be looked at. 11 should not even be possible. If it was actually done in a privacy-preserving way, no website would end up retaining any private user data.

source
- Nath@aussie.zone ⁨1⁩ ⁨day⁩ ago
  I’m stuck on one (“Age assurance can be done”). My oldest is turning 14 in a couple of months. It’s a weird age: I think several of them could fool an AI that they’re over 18 (they’d fail instantly as soon as they spoke to an actual person), while half of them look the same as they did five years ago. I have a little faith in AI as being a reliable way to tell age.
  
  Personally, I have always looked a lot younger than my age. It sucked when I was a teenager/early 20’s, but it has been awesome for the last couple of decades. I don’t know that I’d have passed an AI check at 20. I certainly failed human checks: I was routinely ID’d everywhere I went until I was about 30.
  
  Then point four goes and says:
  
  We found a plethora of approaches that fit different use cases in different ways, but we did not find a single ubiquitous solution that would suit all use cases, nor did we find solutions that were guaranteed to be effective in all deployments.
  
  Translation: this really is not simple at all and we shouldn’t have opened the report saying it was doable straight-up.
  
  It sounds like they’re expecting the emergence of an age verification industry here. They list a pile of companies already who appear prepared to step into that role. You somehow identify to companyX that you are over 18, they provide you with some form of token and you can then use that token to be allowed to make accounts on sites. It’s not clear who funds companyX’s operations, however.
  
  I’m not reading all 160-odd pages of this tonight, it’s advisory at best. I’m still totally stuck on how you’d stop a 14 year old from installing an off-the-shelf Lemmy container into his/her homelab and started using it. And that assumes the report is right and do have a perfect way to verify everyone.
  
  source
  - shirro@aussie.zone ⁨17⁩ ⁨hours⁩ ago
    
    I’m still totally stuck on how you’d stop a 14 year old from installing an off-the-shelf Lemmy container into his/her homelab and started using it.
    
    Things rarely proceed to the extremes as they get harder and more pushback the further you go. But the logical extension of wanting access to all public communications and verification of everyone’s online identity is that access to general computation has to be outlawed. Access to a programmable general purpose computer trivially defeats any restrictions you place on commercial services.
    
    We do need to think about how for profit companies forgo their social responsibility and mess with people’s heads in pursuit of profits and if that should be regulated and how. But there are clearly some creepy people online, who might be funded, but aren’t necessarily motivated solely by profit but by ideology who will find ways to target people whatever the government does. Kids need to be prepared to live in that world and be very skeptical and it just isn’t happening. Today’s kids are just as fucking stupid as we were and they can’t afford to be.
    
    The government have leapt straight to regulation, in my opinion likely pushed by some players in the tech industry and possibly five eyes without fully educating themselves. Potentially they are going to do more harm than good. I suspect a lot of kids are going to drift to less regulated and more extreme alternatives and we save a few kids from Tik Tok memes at the expense of more neo-nazi Christchurch shooters.
    
    source
  - No1@aussie.zone ⁨19⁩ ⁨hours⁩ ago
    Shhhhhhhh!
    
    That’s what I was thinking ot doing!
    
    source
    -> View More Comments
- No1@aussie.zone ⁨19⁩ ⁨hours⁩ ago
  ‘We found robust, appropriate and secure data handling practices’
  
  Note they didn’t say they didn’t find any slack, inappropriate and insecure data handling practices?
  
  It’s a case of only being as good as the weakest link. It will be a matter of time before they are hacked and the data stolen
  
  source
indomara@lemmy.world ⁨1⁩ ⁨day⁩ ago
Gross

source