Day 3 of Global Age Assurance Summit: Decentralized Digital ID, Industry Adaptation, and Regulatory Landscape

The Global Age Assurance Standards Summit featured speakers discussing the use of decentralized digital identity for parental consent, the biometrics industry's response to regulatory demands, the open identity exchange approach, and other key topics for the age assurance and age verification industry.

Day Three of the Global Age Assurance Standards Summit: Exploring Decentralized Digital Identity, Industry Responses, and Regulatory Landscape

Day three of the Global Age Assurance Standards Summit showcased presentations from industry experts delving into the transformative potential of decentralized digital identity for parental consent, the evolving landscape of the biometrics industry in response to regulatory demands, the vision for a universally trusted identity, and the latest developments in age assurance and age verification standards.

euCONSENT 2.0: Empowering Parental Consent with Decentralized Technology

In a pivotal presentation, Iain Corby, Executive Director of the Age Verification Providers' Association (AVPA), unveiled the roadmap for the second phase of the euCONSENT program and introduced the AgeAware App. Financed with a €1.4 million grant from the European Commission and supported by the United Nations through UNICEF's Safe Online initiative, euCONSENT 2.0 seeks to revolutionize age assurance practices.

Corby emphasized a fundamental shift away from publisher-based age assurance towards a decentralized, app-based approach. The first phase of euCONSENT utilized a device-based token system for age verification. However, the new system employs a more sophisticated metaphor of a chocolate wrapped in foil. The raw ingredient is the user's age, which they must prove when accessing age-restricted websites via the AgeAware app. This "thin application" serves as a technology-neutral client compatible with various software and hardware options.

Upon age verification through biometrics, facial age estimation, or other traditional means processed through a provider, AgeAware issues a token, representing the foil-wrapped chocolate. The token encloses the ingredients (personal information), while the external public product, confirmed by AgeAware, establishes that the contents meet the age verification threshold.

As users accumulate tokens from different websites using various age verification providers, AgeAware interrogates them, selecting the most optimal token for the relying party in question. The content provider may have specific pricing preferences or accept the published price of the verification provider, accessible to anyone seeking to use the token. A default price mechanism is in place for parties without an established verification agreement.

"This means that the relying party need only find a token, even in the absence of prior knowledge or a contract with the age verification provider," explained Corby. "They can seamlessly utilize the token to verify the user's age, which is provided anonymously through a dedicated service." The tokens have a finite lifespan.

A tallying service overseen by euCONSENT monitors the reuse of age verification provider tokens and reports to an orchestration scheme to charge and distribute fees accordingly. This eliminates the burden on relying parties to report their own numbers.

Corby identified areas of improvement in phase one, particularly concerning parental consent and linking parent and child identities. Phase two priorities thus address this "unfinished business," including advancements in zero-knowledge proof, enhanced untrackability, compatibility expansion to apps, and exploration of integration with the EU digital wallet. The plan also involves refining underlying ethical principles, deepening the involvement of international standards organizations, and updating certifications.

Despite its European regulatory origins, euCONSENT envisions a global impact. Its governance is entrusted to euCONSENT ASBL, an NGO with members from industry, academia, and the legal profession.

Ver.iD Demonstrates Parental Consent through Decentralized Digital IDs

Showcasing the potential of digital credential wallets, Roger Olivieira, Co-Founder of Amsterdam-based Ver.iD, explained how the Dutch government issues verifiable personal information retrievable through apps like the one provided by Ver.iD. The government is piloting a decentralized digital ID system that would enable digital verification of relationships, such as that between a child and their guardian. This would empower guardians with a "parental dashboard" to provide consent by confirming the age of minors ("wards") attempting to log into age-restricted apps or accounts (e.g., video games, social media).

EU Age Assurance Report Highlights Need for Regulatory Guidance

Martin Sas from the KU Leuven Centre for IT & IP Law presented an upcoming report on the trustworthiness of age assurance systems for the EU Parliament. The report aims to map the legal requirements for age assurance under European law, identify potential risks to fundamental rights, and evaluate the risks of specific methods.

The report emphasizes the imperative to consider necessity, proportionality, and the best interests of the child when implementing age assurance measures. It promotes the delicate balance between child protection and digital rights. Regarding biometric age assurance methods, age estimation is deemed less reliable than age verification, but verification is perceived as "more intrusive."

The report expresses concerns about privacy and security risks, potential discrimination, and exclusion of individuals with limited access to ID documents, technology, or developmental disabilities. It thus underscores the urgent need for regulatory harmonization, increased pressure for conformance testing, and adaptation to the burgeoning use of age assurance systems.

Open Identity Exchange Outlines Universal ID Vision

Nick Mothershaw, Chief Identity Strategist for the Open Identity Exchange (OIX), presented the organization's perspective on the symbiotic relationship between digital identity and age assurance. OIX's aspiration for a "simple, universally trusted ID" hinges on educating relying parties about the benefits and intricacies of biometrics and digital identity through initiatives such as events, consultations, and resource dissemination.

Mothershaw emphasized the significance of trust frameworks and trustmarks in ensuring that the security equation is addressed from both sides. OIX has meticulously analyzed trust frameworks worldwide, including the UK Digital Identity and Attributes Trust Framework (DIATF), eIDAS 2.0, the NIST version 4 draft, and the DIACC Pan-Canadian Trust Framework.