Protecting children is not the same as preventing fraud
In the design of every customer facing service there is a trade off between ‘ease of use’ and the countermeasures incorporated into the system to prevent misuse. We are regularly told by User Interface specialists that any friction added to their checkout process provides a reason for their customers not to complete their transaction. However for those services that sell age sensitive content or goods, higher levels of friction maybe a good idea, but how high?
Normally the level of friction in your service is determined by your organization’s risk appetite. You assess the chances that your service will be attacked by a fraudster, determine if you can stop them and whether the cost of such countermeasures will mitigate the chance of an attack to a level acceptable to your business. At Consult Hyperion we focus on the fraudster’s ROI – will they obtain more money from the fraud than it costs them to do it and what are the chances that they will get caught? We assess potential countermeasures to determine if they are cost-effective in reducing fraud to an acceptable level. Generally, people are happy with this model. Sections of the blue-light services would prefer that financial fraud is reduced to zero as it tends to fund other more harmful crimes.
Within the age assurance sector, this discussion is not so simple. Parents giving their offspring their first mobile phone would prefer that they know the true age of everybody that their children talk or chat to in the various social media and games that their kids load onto their device. Such strict Age Verification is only achievable through a validation of foundational documents, such as birth certificates, passports or driving licenses.
Currently these are paper-based and issued with different levels of inconsistency outside the main economies. When deploying a system for disbursement of aid in Northern Nigeria, Consult Hyperion found that 40% of the local population shared the same driving license. There are initiatives, such as eIDAS in Europe and mobile driving licenses in North America. However, at the moment, these identity documents are not issued to people under 15, so cannot verify that everybody in the chat room is the same age as my nephew.
Due to the difficulties, delays and costs of remotely checking foundational documents internet companies are falling back to age estimation solutions, such as the analysis of photographs, voice, and hand geometry. Such solutions can assess an individual’s age within agreed levels of tolerance. Thus they can tell that I am over 21, but might have difficulty differentiating between, say, a 12 and 14 year old. The team at ACCS, with the support of the Information Commissioner’s Office (ICO) and Ofcom in the UK have recently launched a project to assess the accuracy of the various age estimation solutions on the market, which will help in assessing the level of risk to the company deploying them. But are they sufficient for your business?
This is the type of conversation Consult Hyperion regularly has with our clients. We understand the technology, how it is being used in other sectors globally, its limitations, and how our clients can use it to deliver market changing services to their customers. Regulations such as COPPA in the USA and the proposed Online Safety Bill in the UK, as well as the pressure to focus on more than the environmental objectives within their ESG goals has raised child protection near to the top of their corporate objectives. They are looking to us to tell them whether they are ready to be certified by ACCS and we are enjoying the challenge. Please let us know if you would like to join in the conversation.