On-device av/aa
As you will have gathered from my recent blogs, there’s a new kid trying to get on to the age verification/age assurance (av/aa) block.
The new approach is called “on-device”.
That’s shorthand.
At the moment, typically, av/aa is done at the virtual door of the supplier or provider of an age sensitive product, App, service, or online environment. The av/aa process consequently begins and is explained in accessible language close to the moment a person seeks to engage for the first time with an age sensitive activity. Perhaps this acts as a reminder of a potential hazard ahead, gives pause for thought, or necessitates some level of parental engagement to grant permission.
Normally the verification or assurance will be carried out online by a specialist third-party on behalf of the provider or supplier of the age sensitive product, service or environment. The only information relayed back to them is a “yes” or a “no”, meaning the person does or does not meet the stipulated age criterion. If they do, the virtual door opens. If they don’t it closes. If the individual concerned thinks the door has been wrongly closed there are ways to appeal.
A different method
The new kid trying to get on the av/aa block wants the av/aa to be done upstream, on the smartphone, tablet, computer, game console or whatever other digital device might have found its way into the hands of a child. Hence the name.
On-device is therefore at least one step removed from the online space where the age sensitive activity, product or service is provided.
Under this approach an individual would arrive “ready-verified” at the virtual door. You can see why Meta, Snap, X (and others) find that an attractive proposition. It relieves them of the task, benefitting them significantly financially and in other ways. Let’s leave that small but important detail on one side for now.
Stumbling in?
But if a child is ready-verified on the device might they “stumble” into a space about which they ought to have been forewarned or put on alert? No slow-down button or halt? Parents unaware of the specifics? Maybe that could be fixed by requiring pop-ups or something to appear but that is sort of taking us back to where we are now.
No dispute about the tech involved
Please note almost nobody is saying av/aa can’t be done or that it shouldn’t be done, at least in respect of accessing various types of content, accessing certain online environments or buying a number of products or services intended only for adults.
Equally, there is no longer any serious dispute about whether av/aa can be done in ways which respect the privacy of any individual whose data are processed. A person’s real world identity, patterns of consumption or interests cannot be discovered or inferred from anything that occurs before, during or after av/aa when av/aa is executed properly via currently recognised methods
It’s also important to realise if the new kid was to make headway some of the same methods and technologies for carrying out av/aa currently in use would still be used, although others might struggle. As innovation continues doubtless new ways will emerge.
Thus, to sum up, the arriviste “simply” and “only” wants to change when and where av/aa is done, not “how”. That in turn affects who has the responsibility for doing it and therefore the legal liability. That said, if the kind of pop-ups I mentioned earlier were introduced into the stream would this dilute or change the line of liability?
At one level I am completely agnostic about much of this. As I said in my last blog, the only question that matters is
“does it work to protect children?”
On-device is still only a theory
While there are some brilliant individual child safety applications that work on a wide range of devices, the new kid’s promoters cannot point to an actually existing version of what they want to see. It is still a theoretical model.
Who would need to change their ways?
The technology which could be used to build the on-device approach to av/aa is commonplace. It “just” needs piecing together and putting in place. “Just” is doing a lot of heavy lifting in that sentence, as were “simply” and “only” earlier.
To get the on-device approach up and running will require several different actors to cooperate in ways they are not doing at the moment.
Operating systems
The first and most obvious changes would need to be made to the operating systems which drive the devices.
It is very hard to pin down a precise number but as far as I have been able to make out there are (at least) somewhere between 10 and 15 different operating systems in use on a range of devices that could end up in the hands of children. Some seem to be subsets of larger ones so, presumably, if the top level went for it the owners would follow-through with their offspring. To be confirmed.
The most commonly used operating systems are owned by Google, Apple and Microsoft, companies with substantial lobbying clout. But note a not insignificant number of devices work on operating systems owned by smaller entities.
Games consoles might warrant separate consideration. Microsoft, Sony and Nintendo are the market leaders here. Oddly enough, although games consoles ship in large volumes, the numbers are still relatively small compared with devices like smartphones, smart TVs, tablets and laptops.
Something entirely new needed
The on-device approach requires something new to be done to or inserted at the level of the operating system used on a device. The “something” will require or allow, or require and allow, an av/aa signal to be received and presumably stored on a device in such a way as to allow it to be transmitted to a relevant online entity when required.
Either way, simply writing new code is unlikely to be enough. There may be a need for new types of infrastructure and there will be customer support implications as well as, potentially, a host of other compliance, auditing and regulatory matters.
Might there also be competition issues? Will owners of the operating systems be forbidden from carrying out av/aa for themselves or from having any commercial involvement with the company doing the av/aa for them? Will they be obliged to use more than one av/aa supplier?
With the multiplicity of operating systems and devices, will there be a need for a degree of standardization of protocols? If this gets drawn into the maw of the Internet Engineering Task Force my great-grandchilden may not live to see the day it happens. I am not up to date on how the equivalent standards bodies for telecoms work but last time I looked they could not easily be confused with Usain Bolt.
Older devices. Low income countries and families?
It is not clear what level of processing power or storage capacity would be required to allow an on-device approach to work.
One imagines the device manufacturers would happily comply with whatever new hardware requirements emerged from changes in the operating systems but that isn’t entirely the point and maybe it isn’t a given.
How far back would we have to go to find devices that cannot cope with the demands of a new on-device regime? I’m told with some older devices the danger of data leakage is already significant and if more was piled on it could get worse.
What happens to people using devices that cannot comply with the new requirements? How will it play out in lower income countries or with lower income families where regularly updating one’s hardware is not as common as elsewhere?
Multi-user households
Not every device is used solely by one person. Some may be used by an adult and a child. Some may be used by children of different ages, perhaps spanning different critical age bands.
Alternatively there may be “hand-me-down” devices. For the new approach to work we have to assume as devices pass between the hands of people of different ages, either temporarily or permanently, somehow the right age profiles will be activated and old ones disabled. Many actions on the device will have to be geared to individual profiles.
Need for greater clarity
On some explanations of how the on-device system would work, the device itself is rendered unusable unless and until at least one adult completes an av/aa process.
Even if the owner of the device never had any intention or practical possibility of going anywhere near a site or service that provides anything that is age sensitive, would they still have to jump through the av/aa hoop or else sit staring at a piece of metal and plastic that may not be able to do anything at all, or only be able to do a limited spread of things?
Some argue this is a point in favour of the on-device approach because it would “force” parents or guardians to engage with their children’s devices. That may be true but, er, to state the obvious, not every device will end up in a domestic or other environment where children are ever likely to be present or be users.
Or can we imagine a world where two types of devices will be manufactured and sold? Those that will never fall into the hands of children and those that will?
Me neither.
Could age verification become an easy get-out for companies who might otherwise seek to develop more context sensitive forms of support for children?
“The child was age-verified. We did everything we had to and could.”
But age will only ever be a proxy for an individul child’s evolving capacities.
I appreciate this is a pont that applies to both the current and future putative methods of doing av/aa but I thought I’d mention it anyway.
Numerous studies have shown how difficult many parents find engaging with child safety tools. Thus, if the on-device approach requires any significant engagement by parents in initiating the settings or changing controls there must be a worry about how that will work out.
Of course we all want to encourage parental engagement with what their children do with digital devices but this degree of compulsion does not sit well with me. Shifting the responsibility towards parents in such a draconian way is edging towards victim-blaming and parent-blaming. The vortex of algorithmically driven harms, the open access to violent or pornographic content is at the root of it. The internet should never have been allowed to become an obstacle race or a series of traps and diversions where children only “win” if their parents “get it”. Are parents now to be compelled to dig online businesses out of the hole they themselves created? That doesn’t feel right either, even if it is inevitable.
Reauthentication and lock outs
Then there’s the issue of “reauthentication”. Some systems or suppliers require periodic reauthentication of a user’s age. Not annoyingly frequently but….does that require a parent to re-engage?
For the sale of certain products and services av/aa has to be done every time. How would that work?
If one user failed to reauthenticate would all users be locked out of the device? It’s not hard to imagine ways in which all this could be addressed but it complicates things.
Proportionality?
As part of the wider internet ecosystem or value chain the operating system owners certainly help draw and deliver people to businesses providing age sensitive products, services or environments but, as compared with the owners of the substantive products or services, the financial benefits that accrue to these upstream actors are likely to be relatively small. It therefore raises issues of proportionality. It looks as if the operating systems and hardware owners are being asked to pay and be responsible so someone else can make the real money.
Living in an App-centric world
In our App-centric world promoters of the on-device approach suggest App Stores need to take on new responsibilities. Logically this cannot be a sine qua non for an on-device system but it is a very good idea anyway and it’s not before time.
People assume if an App appears in the App Store the Store is offering some sort of guarantee of quality and of legal and safety conformity. That is a reasonable assumption which cannot be wished or qualified away by the small print.
There should be a binding obligation on all App Stores to ensure the Apps to which they provide access, at the very least, comply with legal standards of age appropriateness and any child safety and privacy regulations applicable in the jurisdiction in which the App is downloaded. For example, if a law says 13 is the minimum age at which something is allowed the App should not appear and be described as suitable for 3-year olds.
In addition to ensuring the Apps they make available are properly described and vetted, there is a growing demand (see below “Who is verified”) for App Stores to ensure av/aa is carried out on whomsoever wishes to download an age sensitive App, or is it all Apps?
Evading the age rules?
If it would have been impossible for a given individual to download an App because they did not meet the stipulated age, should we demand the App’s technology is configured so as to ensure it cannot be passed on to anyone below that age? Several games consoles and platforms will not allow games that are rated, say, 18+ to be played or purchased by anyone whose age profile is set below 18 ( although there are override mechanisms).
Whatever view one takes, App and software developers more generally would need to tweak relevant programmes to require or respond to a request for an av/aa signal received from or generated by the operating system on the device (even if it is only to say “no av/aa issues arise so please allow me to proceed”.
Otherwise, if a site, App or service had not bothered to configure itself in this way e.g. because it only contained pictures of or discussions about butterflies, what would happen? Would it be rendered inacessible to everyone? Perhaps AI or some on-the-fly technology could sort this out without having to try to construct an enormous database of ok sites and services that are known not to have av/aa in place?
Who is verified?
Largely because of the political paralysis in Washington DC over the past few years, individual US states have been getting busy trying to address a range of online child safety issues. I applaud this state-based activism although few can doubt a Federal solution would be better for all concerned. Instead, a highly fragmented set of measures are emerging but practically all of them are being challenged in the courts so the final outcome of what will happen in the USA remains far from clear.
For example, under Utah’s Social Media Regulation Act (S.B.152) everybody has to be age verified before they can use social media. There is no requirement for social media platforms to carry out any kind of risk assessment but all persons under the age of 18 must have their age verified by a parent or guardian before they can join. The rules or methods by which one is identified as a parent or guardian must comport with the provisions of the Children’s Online Privacy Protection Act 1998. In principle under Utah state law it is possible for a parent to give permission for their 8 or 9 year old to join a social media platform if the platform’s own rules allowed it.
Utah has not sought to mandate an on-device approach but under the Children’s Device Protection Act (S.B.104) it will be mandatory for all smartphones and tablets sold or activated in Utah to have a password protected filter pre-installed which blocks access to obscene material.
Then there is the App Store Accountability Act (S.B. 142) which requires App Stores to verify users’ ages and obtain parental consent in respect of all under 18s. Nine other US States have introduced or are considering new laws which impose obligations in respect of App Stores.
Utah and other US states have clearly been busy. Some of what they have done will seem a little strange to Europeans but there you go.
Willing or unwilling actors?
Nobody I know believes the different actors will, on a voluntary basis, work together to deliver an on-device solution. This is why some people are calling on legislators to step in and make the new approach compulsory.
It must be open to doubt whether or not the political stars will ever align to make that happen, at any rate not any time soon Sadly, that is precisely why some interests are getting behind the call.
They don’t want to be seen to be opposing av/aa but by disparaging the current dominant form of doing it while bigging-up the on-device approach, they believe it will help sow confusion, encourage calls for further studies, consultation and research. That will lead to the can being kicked down the road, ideally a long way down the road, with any luck completely out of sight.
The status quo has made them rich. For as long as the status quo remains in place, or as much of it as possible, they can carry on as before. More to the point, they are fearful that if effective av/aa takes off, far from creating new income streams or boosting existing ones, it is more likely to shut off or reduce them.
A blend is better
We should not feel we have to choose between on-device and the current ways of carrying out av/aa. They are not, or certainly need not be mutually exclusive. A blend may well work to everyone’s advantage but I think it is clear on-device alone will not adequately cover all reasonably foreseeable use cases.
The fact that completing the age verification process might minimally delay or inconvenience an adult trying to gain access to something is not or ought not to be a material consideration. Adults are momentarily detained and asked to prove their identity or age in all kinds of environments. It is justified because of the wider benefit to society.
The benefit here revolves around a child’s fundamental right to a healthy and safe environment in which to grow up. Av/aa is meant to contribute to that in the all-pervasive communications medium that is the internet. 1 in 3 of all internet users in the world is a child. Children are present online in vast numbers. That is not going to change in any reasonably foreseeable future. Driven largely by commercial concerns, what was originally often called “The Information Superhighway” has transformed itself into “The Information High Street”. An extremely mixed environment. We are simply adjusting to that.