The false dilemma of privacy versus online safety

As the internet becomes increasingly embedded in young people’s day-to-day lives, the potential conflict between protecting youth online safety and safeguarding the right to privacy is only growing in importance. A recent Ofcom report indicated that half of children aged 3-12 are already active on at least one social media app, whilst according to a survey by VerifyMy, of U.S. and UK teenagers aged 16-19, 9% reported having encountered Child Sexual Abuse Material (CSAM) content online - an alarming statistic. 

As regulators around the globe debate how best to ensure youth online safety, they are often confronted with growing concerns about privacy and data protection. While striking the right balance between these two priorities is essential, new technology means that safety does not have to come at the expense of privacy.

Age Assurance and the Risk to Users’ Fundamental Rights?

In the context of these concerns, legislation like the UK's Children's Code, the EU's Digital Services Act (DSA), and various state legislation in the U.S. all represent a growing consensus around implementing age assurance measures in line with the principles of necessity and proportionality. Online platforms have varying levels of risk depending on the services they offer and the potential consequences posed by underage access, and as such, the level of age assurance should be proportional to risks associated with the platform. 

Following a risk-based approach, the spectrum of identity authentication can be considered to vary from comprehensive Know Your Customer (KYC) measures at one end to self-declared age at the other. KYC checks require increased scrutiny and data collection to achieve higher assurance and mitigate greater risks associated with certain scenarios, such as opening a bank account. Age assurance measures, including verification and estimation techniques, have evolved greatly since the initial introduction of self-declared age checks and sit nicely in the middle of these two extremes. While age verification methods often use an official document to confirm an individual's exact age, age estimation techniques offer low-friction yet highly accurate alternatives. 

As well as implementing a level of age assurance proportionate to a platform’s associated risk, a variety of methods should be offered across different use cases to provide more choice and suit individual user preferences.

When requiring a minimum age to use an online service or platform, however, it can be more challenging to strike a balance between a user’s preference and tolerance for friction, data minimisation, and associated risks. Age assurance measures can raise concerns about their impact on privacy and the fundamental rights of adults and children alike. As a requirement, some criticise the measures as potentially restricting an individual's ability to freely express themselves and engage with others unless they provide personally identifiable information (PII) and have the capacity to go through an age assurance process. This could have a particularly negative impact on already marginalised populations who, for example, do not have access to an official form of government identification. It is, therefore, critical that we recognise that fundamental rights, including privacy, data protection, non-discrimination, and freedom of expression, may be at risk if age assurance measures are not implemented in an inclusive and privacy-preserving way.

Maintaining Privacy While Ensuring Online Safety: the Role of Age-Assurance Providers

There are several things that can be done to reduce the potential friction between safety and privacy. Using a trusted third party to prevent direct transmission of PII to the application, preserving trust among stakeholders while ensuring data protection. Third-party providers like VerifyMy offer a number of solutions that can issue a guarantee to the platform that the user is of the required age without the need to share any PII with the platform. This separation of roles between platforms and age verification providers makes it possible to have a structural guarantee that respects users' privacy while also allowing platforms to comply with robust safety standards.

The ongoing advancement of technology makes it possible to even further reduce the trade-off between the protection of privacy and online security. VerifyMy has developed a new method of age estimation using just a user's email address. Age estimation using email address is highly accurate and balances accessibility with the principles of data minimisation and privacy protection. Certified by the Age Check Certification Scheme (ACCS) to EAL Level 3, the highest possible level for age estimation, VerifyMy’s unique email approach is referenced by the Information Commissioner’s Office, the UK data protection authority, in their updated notice on age assurance for the Children’s Code.

Online Safety and Users’ Privacy: Striking A Balance With Age-Assurance Providers 

Driven by technological advancements, the age assurance industry offers new methods that are privacy-preserving, accessible, and seamlessly integrated to optimise the user experience and minimise business disruption. Companies like VerifyMy strive to offer service providers the means to create a safe and inclusive online experience while anticipating and complying with privacy regulatory standards. Given the evolving landscape and growing concerns about youth online safety, a nuanced discussion is needed now more than ever, ensuring both the industry and policymakers avoid getting caught up in a false narrative that safety inherently comes at the expense of privacy.