20. Age Assurance – Decision Time!
Age Assurance is upon us - decisions will and must be made. We are woefully prepared, but we still have an opportunity to get it right if we 1) recognize the situation and 2) ask the right questions.
Age Assurance is the big Digital Identity issue right now. The Australian Government has legislated that Age Assurance for social media must be in place by December 2025 and are running an Age Assurance Technology Trial. In New Zealand a members bill may also legislate Age Assurance. The French President Macron is demanding social media controls for those under 16, and the US Supreme Court has supported state age-based restrictions on access to pornography in Free Speech Coalition, Inc. v. Paxton. By any measure, Age Assurance is the hot topic in Identity.
So we have demand – do we have a solution?
Hardly. We have underestimated the national importance of this opportunity and we lack understanding of the challenging context? Because of this we do not ask the correct questions. In this newsletter I describe why Age Assurance
is a strategic national issue,
has an extremely challenging context, and
must answer some extremely difficult questions.
A Strategic National Issue
A national digital infrastructure is as important as national physical infrastructures.
We spend more of our lives in the digital world than we spend driving our cars.
Digital Identity is central to a national digital infrastructure (the above diagram does not aim for completeness, but it shows Digital Identity as being the missing piece of the puzzle). Other digital infrastructure decisions, such as the nature of digital communications and the design of the Internet, have been made by technology companies, but decisions about Digital Identity are likely to be made by nations. And Age Assurance, a subset of Digital Identity, is the first major Identity decision for many countries.
Such Age Assurance decisions will either:
set a future direction for Digital Identity and digital infrastructure,
if narrowly focused, delay any progress on a broader Digital Identity solution, or
create chaos if unsuccessful
And it is decision time right now!
The Challenging Context
The context is hugely challenging:
Significant public issue. Identity processes are frustrating for people and costly for organizations. But these problems have been tolerated for a long time. Now the major problem is a lack of online identity services that results in social harm and fraud. Social harm results from a lack of online age assurance for social media, alcohol sales, and adult entertainment, and fraud results from a lack of online organisational authentication services for investment schemes. These are not just frustrations. This is a crisis.
Size! While this might seem like stating the obvious, size is important. Take the Australian Age Assurance example – there is an expectation that this solution will enable around 25 million people to continue to use social media while keeping the under 16s safe. Note that means that the 25 million need to prove they are over 16. That is a lot of users, a lot of education, and a lot of infrastructure. These are not trivial decisions – the scope is all of society.
No obvious solution. Identity is not simply an issue of applying a technique we know to new subject matter. Rather, Identity is a problem we are still struggling with. At its very basis is an individual proving to an organization who they are. Most other IT challenges involve collection and manipulation of data. Identity it is different – Identity is an inherently difficult problem.
High Performance Bar. As I previously described in my newsletter Why Identity Systems Might Collapse, Age Assurance failures will not be tolerated. Even if a death is statistically negligible, if the solution that allowed it is perceived to be functionally negligent, then all hell will break loose and the discredited solution will be turned off. I agree – solutions cannot have error margins that allow for and expect collateral damage. That does not mean that age assurance solutions must be perfect, but it does mean that solutions must be designed for optimal performance.
Immature Technology Environment. How mature are Identity technologies? As per IT’s general modus operandum, we are regularly bombarded with tales of brilliance and breakthroughs. Notwithstanding all this good news Identity is, by any count, an immature technology environment that lacks any common language and lacks any agreed approaches. For example, the Australian Age Assurance Technology Trial names possible technologies of Age Estimation, Age Interference, and Age Verification whereas New Zealand’s avowed path is Decentralized Identity. What a strange dichotomy. The EU is hoping that its Digital Identity Wallets pilots will converge on a common solution but it looks more like a fishing trip than a technical strategy. Apologists will find ways to justify the lack of a common language and suggest that current developments try to solve the same problem, but where is the compelling design? Identity, currently, is more noise than substance.
Evolving standards! Why does a majority of the tech world now think that standards breed solutions? For discrete problems, such as USB standards, an industry can jointly design a solution. For complex problems, commercial players develop solutions and the industry later converges onto standards (e.g. payments). But for a large systemic problem like Identity, committee approaches are fraught. Trying to arrive at a design through standard development is simply nuts. For example, the travesty of mDLs (mobile Drivers Licenses) that do not include an authentication method! Standard-based approaches simply make Identity development so much harder. Standards do not breed solutions!
Profitable incumbents. The Identity Verification industry (Know Your Customer / Anti-Money Launder / Countering the Financing of Terrorism) are established and profitable. Cash cow? They have no need to change. They are comfortable with their cashflows – a reusable identity solution, one which would solve the Age Assurance problem, is not desired. Identity incumbents will resist change.
Big Tech is hovering. One cannot ignore big tech, as the major players have huge identity databases (mostly unverified) and control the technology base of Identity. To date, their initiatives have been restricted to leveraging their databases for low assurance identity (federated identity) and extending the reach of device-based identity for authentication (passkeys). While it is difficult to see how big tech can provide an optimal solution for high-assurance application-level Identity, they will no doubt try to extend the influence of their user databases and device/OS control. This is a question of sovereignty, and clearly every nation should be aiming to keep control over its citizens’ identity information. National control of identity is at stake.
So there is a large, societal crisis requiring a high-performance solution. There is no obvious solution and an immature industry that is either entrenched in current methods or bumbling around in standards while Big Tech waits for an opportunity to take control over critical national digital identity infrastructures.
The context is challenging!
Decision Questions
When making a strategic decision, keeping all these contextual issues top of mind is not practical, so I refine the context down to some practical questions that can focus minds and that are sufficiently representative of the context. So this is a restatement of the context in questions:
Is a national Identity infrastructure possible, and if so, is it desirable?
Currently the assumption, which I think is correct, is yes. But the question should be explicitly considered to ensure that nations do not simply unknowingly fall into a national infrastructure scenario that cannot then be exited.
Can an Identity solution be rapidly implemented for a country?
Age Assurance cannot evolve like Payments has over 50 years – we have a crisis and we need a revolution. And revolutions must happen quickly to be successful. No matter what political pressures exist to start a project, taking 5 years to implement a national solution to a current crisis is not acceptable.
Will the solution last?
2 years, 5 years, 10 years, or more? Considering the opportunity cost and development cost, surely 10 years is a minimum. Countries do not go through such major changes very often, so it needs to stick.
Will the solution be both useable and secure?
The current Identity scenarios are zero-sum trade-offs. That is, if you want security, then you take a less useable process. And if you want a highly useable process solution, you accept lower security. Age Assurance will require highly useable processes and high security. Solutions now need to provide both aspects.
Will the solution be publicly acceptable?
And still there will be a question of public acceptability. The question needs to be asked: ‘will the public accept this?’ And if the answer is no, then do not proceed!
How will the industry be organized?
Possibilities are 1) technology focused (e.g. Passkeys), 2) a central controlling membership body as there are for credit card schemes, and 3) every variant in between? This is a non-trivial question and needs to be answered up-front. It may be that a magic technology solves everything, but I do not remember this ever happening. So we will probably need some form of organizing.
How will the Government be involved and will it actively manage the solution?
Unfortunately, in many common-law countries, Identity development has started with the Government creating an Identity regulatory framework based upon the assertions that 1) a regulatory framework will lead to solutions, and 2) a regulatory framework can be devised that efficiently covers all possible solutions. Both assertions are obviously wrong. However, if the question is asked once a solution has been designed, the role of Government can be defined.
Is the solution a long-term strategic Identity solution or a short-term tactical Age Assurance solution?
This question is placed last in the list but should be a standing question throughout any design and development process, allowing the flexibility to both aim for a long-term solution and to revert to a short-term solution to meet the current Age Assurance Crisis.
Decision Makers – Here are your questions to ask
I started this newsletter by stating that we lack awareness of the national importance of Identity and the Age Assurance opportunity, and that we lack awareness of the current context.
Let’s hope that we can get past lame positivity and move on to pragmatism and critical thought. Let’s hope that decision makers include these questions:
Is a national Identity infrastructure possible, and if so, is it desirable?
Can an Identity solution be rapidly implemented for a country?
Will the solution last?
Will the solution be both useable and secure?
Will the solution be publicly acceptable?
How will the industry be organized?
How will the Government be involved and will it actively manage the solution?
Is the solution a long-term strategic Identity solution or a short-term tactical Age Assurance solution?
All the best
Alan