Online age verification will have to involve biometrics: Former eSafety chief

The former head of the Australian Cyber Security Centre (ACSC), former eSafety Commissioner, and now chief strategy officer at CyberCX, Alastair MacGibbon, has told the House of Representatives Standing Committee On Social Policy And Legal Affairs looking to age verification for online wagering and online pornography, that any form of online age verification would require a biometric component.

"I think biometrics -- with all of the problems associated with biometrics, and they are not a silver bullet -- is the only way you could really have an online system," MacGibbon said.

The former ACSC chief said a scenario relying solely on Home Affairs' Face and Document Verification Services to provide proof of age would not work on its own, due to the ability for children to be able to take, for instance, a driver's licence and verify it with the system.

"What will be harder for the child is to get my face in front of the camera and use it for the purposes of proof of age," he said on Friday.

"I'm not advocating for it to be used as such ... but it could be used as a way of saying, 'This face that's now in front of this camera is attached to a driver's licence and a passport in Australia, and that person is over the age of 18'."

MacGibbon added that even if such a system were in place, there would need to be some compulsion for overseas providers to use it.

On the issue of trying to find a mechanism for age verification, MacGibbon said in the offline world, it is accepted that systems are imperfect and edge cases will slip through, yet online, the perfect becomes the enemy of the good, and claims are made it'll be ineffective anyway.

"As a consequence, let's just leave it to providers to work out out amongst themselves," he said.

"And I think we see the consequences of that market failure today in a whole range of things, whether it's online safety, online security, or privacy."

Australians need to accept that there is no such thing as a completely secure connected device, that there will be failures, and everything in life is about balancing value and risk, he said.

"I don't think we should be looking for bulletproof system[s], because there are none," MacGibbon said.

"I think the Australian public generally, while it can react quite viscerally to certain things, is reasonably realistic, and when you hear people saying, 'Well, I'm not going to have My Health Record', for example, you'll see they'll still enroll, they'll still engage in it, and they'll see the benefits associated with e-health records."

The former ACSC chief admitted that if an age verification system became operational, it could have an "unintended consequence" of pushing certain citizens into unregulated spaces.

"You do run the risk that Australians who have a privacy concern will be forced into darker parts of the web to avoid online verification and that will be an unintended consequences any such scheme," he said.

On Thursday evening, the committee heard from British Board of Film Classification (BBFC) head of age verification Amelia Erratt.

Erratt said the UK age verification scheme was postponed due to an administrative error that it needed to inform the European Commission about, and it also ran up against "timing and parliamentary processes".

There would be underaged people that would be able to circumvent any system, Erratt said, and while BBFC research found only 14% of 11 to 13 year olds knew of a way to get around the formerly planned block, such as using a VPN, it would go a "really long way" to stopping children from stumbling across pornography online.

Erratt described a potential UK plan that would have age verification cards available for sale at retailers. These cards would need to be purchased in person and be activated online without personal details being kept. The age verification chief could not answer how the system would prevent a purchased age verification card from being handed to a minor.

Meanwhile, Australian government agencies have been lining up to promote their technology to provide a solution to the age verification question.

The Digital Transformation Agency said its digital ID could work if it was extended to the private sector, while Home Affairs is pushing for its Face Verification Service and Document Verification Service.

Last month, the Office of the eSafety Commissioner said technological solutions need to be leveraged to ensure online harms are addressed in a holistic and multi-faceted way.

Related Coverage

• 'No such thing' as cyber warfare: Australia's head of cyber warfare
• Now the DTA wants its digital ID used for porn age verification
• Home Affairs pushes its face-matching service for porn age verification
• Australian House Committee to look into age verification for porn
• Australia's eSafety says age verification not a panacea for protecting kids from porn
• Australian Christian Lobby thinks NBN or telcos should do age verification