Verifying Ages Online Is a Daunting Task, Even for Experts
Just how hard can it be to verify the age of a person online?
After all, privacy experts have been complaining for years about how much advertisers know about people who use the Internet.
The answer, it turns out, is very hard. Despite attempts by privacy advocates, academics, law enforcement officials, technologists and advertisers to determine a person’s age on the Internet, the reality is that, online, it is extremely difficult to tell whether someone is an 11-year-old girl or a 45-year-old man.
The question arose last week after Skout, a mobile social networking app, discovered that, within two weeks, three adults had masqueraded as teenagers in its forum for 13- to 17-year-olds. In three separate incidents, they contacted children and, the police say, sexually assaulted them.
In response, Skout suspended its app for minors, appointed a task force of security specialists to investigate and find solutions and said it would not resume the service until it could find a better way to vet users’ ages online.
Skout said it had vetted its users ages through Facebook, which officially prohibits members under 13, but has acknowledged that children find ways to enter. Facebook said recently that it was experimenting with age verification tools that would allow people younger than 13 to join.
The resounding response from those who have studied age verification technologies, and, in some cases, put them in place, has been: good luck.
The problem is that everyone — not only sex offenders — has an incentive to lie. Children want to enter websites and forums where their older peers are.
The methods the pornography industry uses to confirm online identities of its customers, like credit cards and drivers licenses, cannot be used to identify minors, because the absence of those things does not necessarily mean the person is a child. Federal privacy laws also make it illegal for Web companies to knowingly collect personally identifiable information about children younger than 13.
And on social networks, where people can expect a degree of anonymity, the task of verifying someone’s age is even more difficult. In most cases, all it takes is an e-mail address to set up an account, and children can lie about their ages.
A serious effort to evaluate age verification technologies was made in 2008. At that time, when Facebook was one-ninth its current size, child safety advocates and law enforcement officials expressed concern about sexual predators pursuing children on Myspace, then a Facebook rival. An Internet Safety Technical Task Force was convened, and experts from academia and Web companies set to work examining various ways of verifying ages and sequestering children and adults online.
The task force met with 40 companies that said they had solved the problem. They included an ultrasound device maker that scanned users’ fingers to determine their age; a vendor that asked users for voice responses to questions so a team of voice analysts could listen for an “intent to deceive”; and a company that traveled from school to school persuading educators and parents to submit children’s personal information — sex, address, school, birth date — to an online database that would be accessible to Internet companies.
The first two ideas do not appear to have made it past the demonstration stage. The third lost momentum after privacy advocates questioned whether it was intended to protect children from predators, or sell them out to advertisers.
Four years later, members of that task force sound, at best, deflated.
“I began to learn that age verification technologies would not address any of the major safety issues we identified,” said Danah Boyd, a senior researcher at Microsoft and co-director of the task force.
An informal survey of major figures in the artificial intelligence industry revealed that little, if any, research is being done on age verification. The Defense Advanced Research Projects Agency, the technology financing arm of the Pentagon that has initiated many Silicon Valley wonders, said it was not pursuing any research on age verification. Microsoft, which has done some of the more ambitious research in identity management, is more focused on hiding users’ identities online than on exposing them.
“There has been very little progress, which is astonishing given recent incidents,” said Senator Richard Blumenthal, Democrat of Connecticut and a major advocate for age verification dating from his days as his state’s attorney general. “You would think, if we can put a man on the moon, we could verify whether someone on the Internet is 13,” he said.
“You never want to say never, but age verification has serious conceptual difficulties,” said Oren Etzioni, an artificial intelligence specialist and computer scientist at the University of Washington who has founded several technology companies. The problem, Dr. Etzioni and others say, is that the available options — establishing a national identity database, tracking users’ behavior or knowing the data on a person’s phone that might suggest an age group — are considered violations of privacy.
“Unlike Germany and South Korea, we don’t have a national ID system because we don’t like the idea of a big government database knowing everything about us from birth to death,” said Stephen Balkam, chief executive of the Family Online Safety Institute, a nonprofit group. “So we muddle through, using a variety of methods to discern how old people are, but they’re not exactly foolproof.”
A few start-ups are, again, experimenting with new technologies that could help verify ages online. Jumio Inc., in Linz, Austria, developed a technology that turns the Web camera on a personal computer or smartphone into a credit card or identification card reader and lets merchants scan ID’s online.
But technologists who have put age verification technologies in place say there is always a way to outsmart the system and that such technologies are, at best, a deterrent.
“Companies do age verification because they know they’re supposed to, but everybody knows it doesn’t really work,” said Hemanshu Nigam, the former chief security officer at Myspace who now runs SSP Blue, an online security consultancy. “The truth is, there is no silver bullet.”
The consensus is that the most effective solution for now is not the technologies, but good old-fashioned education and parental vigilance.
“Sequestering age levels will never be the solution online — it’s hard enough to do it in the so-called real world — and there will always be a work-around,” said Anne Collier, who served on the 2008 task force and runs NetFamilyNews. “Really, the single most important thing we can do is to educate parents and young people about what is happening online.”