Australia's eSafety says age verification not a panacea for protecting kids from porn

The Office of the eSafety Commissioner said other technological solutions need to be leveraged to ensure online harms are addressed in a holistic, and multi-faceted way.

Australia is hoping to introduce some sort of protective capability to prevent those that are underage from viewing pornography or partaking in online gambling activities, but the country's eSafety Commissioner is skeptical of there being a silver bullet solution.

The Department of Home Affairs has floated using its Face Verification Service and Document Verification Service to verify an individual's age before allowing them access to online pornographic material, and the Digital Transformation Agency (DTA) believes the Australian government's digital identity play would instead be a valuable tool to do the same.

But the eSafety Commissioner says there is no "out of the box technology solutions" that will solve this issue and therefore believes age verification should not be seen as a panacea.

"Technical interventions will never be able to completely eliminate the risk of children being exposed to online pornography, and it will certainly not prepare children to interpret and understand online pornography once they reach adulthood," the commission wrote in a submission [PDF] to the House of Representatives Standing Committee on Social Policy and Legal Affairs' inquiry into the matter.

"eSafety considers that risk and harms will more effectively be minimised through a combination and layering of technological solutions and other responses which includes education."

Pointing the committee to a list of functions that would need to be stood up in order for a digital age verification system to be used for such a purpose, eSafety said it is important to note that age verification is markedly different to identity verification, and that there are also differences between assessing age and verifying it.

One of the 10 dot points listed was the need for a legislative and policy structure that "carefully balances the fundamental rights of all citizens including privacy, security, and safety of citizens online, and that expressly addresses requirements of legality, proportionality, and necessity".

The establishment of a trusted age verification framework that's heavily wrapped in security and privacy protections was also on the list.

Instead of heading down the age verification process through an external provider path, eSafety used its submission to highlight other technologies that are currently being explored in this space.

One is age prediction based on "extractable biological, behavioural, or physiological characteristics that are embedded in individuals biometric data".

eSafety said two models currently exist: Unimodal biometric systems that utilise a single biometric feature for identity authentication and multi-modal biometric systems that combine two or more biometric features for authentication purposes.

"Whilst these systems are currently developing for identity verification and authentication purposes, there is growing research into their use for age prediction (particularly for jurisdictions where identity documentation is rare or non-existent)," the office wrote.

Another area was the use of artificial intelligence and machine learning to identify users via behavioural and online signals.

"How an individual interacts and engages online leaves traces that can be utilised to identify whether they are an adult or a child. For example, a handle or username, image tags, hashtag usage, gesture patterns, web history, content interaction, IP address, location data, device serial number, contacts -- all can be used to measure what age-bracket that you might fall under," the submission explained.

"These signals are sometimes used by social media platforms, alongside third-party verification systems, to flag users who might be underage on their site. There are a few examples of technology that utilise these signals for automatic age-gating purposes."

The office's submission expanded on remarks Australia's eSafety Commissioner Julie Inman Grant made during Senate Estimates last month, when she pointed to a similar project undertaken in the United Kingdom that had been abandoned, saying the nation would look to the successes and failures of that attempt.

Inman Grant said the British Board of Film Classification was planning on negotiating with the world's largest porn conglomerate around their age verification technologies. She said one idea was to use a credit card as the token.

"Credit cards weren't really developed for that purpose and there was a concern that there would be a honeypot of personal information that could create a different set of risks for children," she said.

eSafety in its submission added that given the research and evidence provided to the UK government, which has been corroborated by research in Australia, young people are frequently exposed to sexual content and online pornography on social media, not just via known pornographic websites.

See also: Opinion: UK porn block collapses and I couldn't be happier about it

"The fact that the UK legislation focused solely on commercial pornography providers was a grave concern for many," it wrote.

"The importance of balancing privacy, security and safety considerations is essential. Any age verification proposal in Australia that mandates the use of technology should include and make explicit reference to data protection, privacy, and safety."

It said further agencies such as the Office of the Australian Information Commissioner and Cyber Security Centre, amongst others, would likely need to play a pivotal role in the formation of any expectations or requirements in relation to age verification.

Should the Australian government wish to progress on developing and implementing age verification solutions or regulations, eSafety would advise that a review should be undertaken first that would include identifying and developing the components of a digital ecosystem to support an age verification trial.

It also wants to see work done around ascertaining the current capabilities and gaps in age verification technologies and what digital verification ecosystems could be leveraged for the purposes of age verification; similarly the development of a "proportionate and harms minimisation approach" to age verification to ascertain what age verification and age assurance technologies or techniques are required to ensure children and young people are adequately protected.

Consideration should be given to the development of a risk matrix that points to potential technological solutions that balances individuals' fundamental human rights in digital environments, eSafety said.

It's asked for discussion to be opened with other jurisdictions, particularly the UK and the US to "ensure consistency, harmonisation, and amplification of efforts".

As well as the development of measures for accountability and transparency over the security, safety, and privacy of existing and any proposed systems.

eSafety has also said education on online safety should be incorporated into school curriculum.

See also: The best tool for protecting your kids (or employees) from malware and porn (TechRepublic)

Meanwhile, Equifax -- which in 2017 suffered a massive data breach that saw the theft of over 146 million records containing information such as name, date of birth, and social security numbers of US citizens -- has provided advice to the committee on privacy in its submission [PDF].

The credit reporting agency recommended The Privacy Act be amended to allow for use of credit reporting information where an entity has a reasonable business need to verify identity or age.

The company, which claims to be the guardian of Australia's largest database of people aged 18-plus -- approximately 18 million of an estimated 18.9 million adults -- said such an amendment would be required to create a level-playing field in Australia's capability to conduct identity and age verification.

Similar changes should also be considered for the Commonwealth electoral roll, it said.

In the interest of protecting an individual's privacy, Equifax said 18-plus sites should not know who a viewer is, only that a person viewing or using the site has been verified as 18-plus.

"The age verification process should be conducted using the minimum details required to achieve a match," it also wrote. "In a more mature identity environment, people could choose to obtain a reusable age-verification token for them to provide when needed."

RELATED COVERAGE