Age Appropriate Design on the Internet: Time for a Rethink?

March 9, 2020
Alex Tweeddale

Alex Tweeddale from 2030 Group's IDWorks, discusses how Self-Sovereign Identity blockchain technology can help to protect children online to stop their data being processed and shield them from harmful content.

A recent report has suggested that 90% of 11-year olds in the UK currently own a mobile phone, with this figure being close to 100% when the children reach secondary school.

Even at the age of seven, more than 50% of children are reported to have smart phones, with access to the internet.

This development has only occurred within the last five years, meaning that regulation and technical safeguards are outdated.

It is time that companies put proper technical implementations in place to secure and protect children online to stop their data being processed and shield them from harmful content.

The internet is playing ‘catch-up’ when it comes to protecting child safety

To access inappropriate content online, the user is solely required to check a box saying: ‘I confirm that I am over 18’.

This is not age verification. This is not true age attestation. But a lacklustre and unacceptable technical solution.

Similarly, social media companies do not make special considerations for children, even though children are less aware of the risks and potential consequences of the processing of their personal data than adults.

When using social media websites, children give consent for the platform to use their data, process their data and target them with advertisements.

The only age verification that is in place is self-attested.

Social media platforms do not comply with the law

The law on protecting child rights is written directly into Article 8 of the European Union’s data regulation, known as GDPR.

It states it is only legal to process personal data of children over 16 years old without parental consent.

Companies must make reasonable efforts (using available technology) to verify that no one under 13 uses the platform and that someone between 13 and 16 does have valid parental permission to use the platform.

Generally, if a child signs up to these websites or platforms between the ages of 13 and 16, the site will require them to enter a parental email address to receive parental permission.

This, however, is a flawed mechanism because it is very easy for the child to simply create or input a second email address.

To get around this, most social media platforms contain a clause in their terms and conditions stating that ‘we do not knowingly collect personal information from anyone under 13’.

And, ‘Our services are not intended for—and we don’t direct them to—anyone under 13’.

This notwithstanding, I would argue that social media companies using clause like this in their terms and conditions, do not comply with the law on this issue.

The law requires these companies to takeactive steps to prevent children’s data being processed using technology.

Yet, the companies are passive on the matter and choose to take a reactionary approach.

The issue is that companies can get away with this reactionary approach because there is little enforcement of Article 8 GDPR in practice.

Enforcement… or lack thereof

The UK’s Digital Economy Act, drafted in 2017, sought to put proper age verification in place online to protect children against online pornography.

But there were questions raised about how the age verification would be implemented, with people worried that their sensitive personal data would be centralised and would become a target for hackers.

Mike Bracken, the former head of the Government Digital Service stated that: "the government relies on bulk data sets too often, instead of simply asking for the individual data set pertaining to the information needed".

Furthermore, the Open Rights Group suggested that this would simply push more people to using VPNs and TOR and would not act as a feasible block.

This Bill was therefore amended before being enacted by the UK Parliament to remove the age verification for pornography - but for now, we are left with a wholly ineffective system which does not attempt identity verification nor does not protect children at all.

This should not be the case.

The solution is Self-Sovereign Identity

In the last three years technology has however progressed to a point where now age verification may be added to the internet in a much less invasive way, whereby individuals can present proofs of their age to platforms without bulk data sets.

Self-Sovereign Identity (SSI) is a technology which allows individuals to hold verified attestations of their identity, issued by trusted sources.

If SSI is adopted for age verification, a child will have a signed packet of data on their mobile, issued by a teacher at their school, or a doctor attesting to their date of birth and identity.

Whenever this child tries to access an age-restricted website, the website could ask for an ‘age credential’ to be shared with the website.

If this child does not meet the age-requirements, and could not share a valid age credential, it would simply not be able to access the content on the website.

In another scenario, if the website requires guardian permission, the child’s device can be linked to their parents’ device and a push notification may be sent to the parent before access is granted to the child.

Credentials from the parent and the child can be combined to give the child access to the content.

This whole workflow occurs in a peer-to-peer, decentralised way, which means that no child’s identity data would ever need to be held centrally by an internet service provider or social media platform.

This solves the issue that the UK Parliament faced in 2017.

The main challenge now is how to get this technology implemented on a large scale.

The first step towards this is spreading awareness and educating people that there is a technology out there that can better protect children online.

It is time for people to hear about this and to push to change the regulators to implement SSI.

If you want to hear more about Self-Sovereign Identity and how IDWorks can help add a verified identity layer to the internet, contact us at: