Monthly Archives: April 2008

Age Verification Research

As an identity and age verification provider, IDology continually monitors the market to stay up to date on the issues surrounding online identity and age verification. Today I thought I would share with you what we have recently compiled for age verification. This (very long) post presents age verification by industry and country and gives some background on what is going on in the market. I hope you will find this useful.

Examining Age Verification in Other Countries:

United Kingdom & Europe

Mobile Operators

In January 2004, the UK mobile market set a precedent for self regulation of new forms of content on mobile phones by developing a Code of Practice. The Code of Practice was developed by mobile operators Orange, O2, T-Mobile, Virgin Mobile, Vodafone and 3. The Code specifically covers new types of content, including visual content, online gambling, mobile gaming, chat rooms and Internet access but not peer to peer communications, although assurances were made to combat illegal, bulk and nuisance communications.

The Code of Practice addresses 8 categories. It called for an independent classification body to provide a framework for classifying commercial content that is unsuitable for customers under the age of 18. The classification will be equivalent to that used for material in magazines, films, video and computer games. Content classified as 18 will only be available behind access controls and is made available only to those consumers who have been age verified.

The specific definition of the Code’s term for age verification is:

a process by which reasonable and practical steps are taken to verify that a customer is 18 or over. Acceptable methods of age verification include:

a) at point of mobile device sale for new customers; inspection of document containing customer’s date of birth (e.g. drivers license, citizen card, etc.); visual check (is the customer clearly over 18?)
b) “customer not present”: a valid credit card transaction for the customer; age confirmation using 3rd party agencies (e.g Experian, Dun & Bradstreet, etc.)
c) documents and/or process used for contract mobile phone customers, combined with a process by which customers can manage access controls

The Code also acknowledges that mobile operators have no control over Internet content and therefore cannot insist that it be classified following the framework described above. Because of this, the Code provides for offering parents and caregivers the opportunity to apply a filter. In addition, the mobile operators agreed to provide advice to customers, including children, parents and other caregivers, through relevant media literacy activities and will post information on the Code on their web sites.

Age Restricted Ecommerce

Last year in the UK, a bill was introduced to Parliament to require age verification for the online purchase of age-restricted goods and services such as alcohol, cigarettes, pornography or gambling. Currently retailers in the UK handle age verification by relying on the honesty policy. Since early 2000, numerous articles and studies have been published about the ease with which underage consumers can access gambling sites, and as such the gambling industry has been the most proactive in establishing age verification techniques to prevent underage access.

Last fall the UK Government commissioned Dr. Tanya Byron to look at the risks to children from exposure to potentially harmful or inappropriate material on the internet and in video games. The Byron Review was released in March 2008 and includes recommendations for the UK government to undertake that will help parents feel confident that their children are using new technologies in a way that is appropriate for their age and development. The ultimate conclusion calls for reforms in the structure of how government, industry and others engage in e-safety and specifically recommends that a UK Council on Child Internet Safety be established that reports to the Prime Minister. Recommendations for the function of this Council are:

• That this Council should lead the development of a strategy with two core elements: better regulation – in the form, wherever possible, of voluntary codes of practice that industry can sign up to – and better information and education, where the role of government, law enforcement, schools and children’s services will be key.
• That the Home Office and Department for Children, Schools & Families (DCSF) should chair the Council, with the roles of other Government departments, especially Department for Culture Media & Sport (DCMS), properly reflected in working arrangements.
• That the Council should have a properly resourced cross-government secretariat to secure a joined-up Government approach to children and young peoples’ safety online.
• That the Council should appoint an advisory group, with expertise in technology and child development, should listen to the voices of children, young people and parents and should have a sustained and rolling research programme to inform delivery.
• The Council investigates where the law around harmful and inappropriate material could be usefully clarified (including suicide websites) and explores appropriate enforcement responses.

Several items are reviewed and discussed in this report, including filtering software, search limitations, restricting access, and age verification, for which Byron recommends:

• Keep research and practice on age verification under continuous review, and disseminates good practice, such as placing a “cookie” onto a user’s computer where they have registered with under age details to prevent them from reregistering with false age details.

interactiveAgeCheck

In 2003, OUT-LAW News, which tracks the latest legal stories in IT and e-commerce, reported on an online program called “interactiveAgeCheck” (iAC) designed to prevent fraud and protect children. iAC is offered by CitizenCard, a non-profit organization and the UK’s largest photo-ID scheme, and allows accredited web sites within the program to check the details of users before allowing them access to the site. If the user is not recognized, access will be denied. Each application is verified stringently using several measures to counter fraudulent applications. The program is supported by government, the police and retail groups and was developed in conjunction with a credit data provider.

Mobile Signatures: Anonymous Age Verification

This past February, Valimo Wireless issued a press release titled Wireless Mobile Signatures to Provide Age Verification with Certification on Demand or IDP Services.

Valimo’s wireless signature services are accepted by financial banks as a secure authentication method. Within the press release Valimo states:

“Mobile signatures also provide age verification and anonymous access control. Proof that these partial authentication processes are in demand is the German government’s announcement that their electronic ID cards will feature a function to use pseudonyms to authenticate oneself to an online service without revealing one’s full identity.”

The press release further explains how this process works:

“When using Valimo’s mobile signature solution: Consumers receive authentication requests to the mobile phone. Valimo uses public key cryptography and an authorization process that allows only a bona-fide service provider to reach the user’s mobile phone. Consumers do not need to manually copy text out of the received short message. They confirm the login or transaction by returning a digitally signed message via SMS. For each authentication event, there is an electronic record (i.e. digital signature) that can be verified by a third-party process.”

Content Classification within the European Union

As recently as April 22 of this year, Reuters published an article about the European Union Executive Body’s decision to give videogame makers and shops two years to come up with a code of conduct that has wider industry backing than the current one. The industry is also being asked to spend more on advertising its symbols denoting the age suitability of games. The industry’s age classification system — Pan European Games Information (PEGI) — is sponsored by more than 200 industry members and used in 20 of the 27 EU states. There is also an online version but with far fewer industry backers.


Australia

In January 2008, new rules went into effect from the Australian Communications and Media Authority (ACMA) for restricting access to age restricted content (commercial MA15+ content and R18+ content) either hosted in Australia or provided from Australia. These new rules were made in accordance with Schedule 7 to the Broadcasting Services Act 1992 and are specified in the Restricted Access System Declaration 2007 and the Explanatory Statement to the Declaration.

The rules specifically address age verification and the quality control measures the providers of the content must follow to ensure that the applicant is the person they claim to be and meets the age requirements of the content access being requested. The rules do make provisions that consumer verification will be different for each content rating group. For MA15+, provisioning requires:

• a warning about the nature of MA 15+ content; and
• safety information about how a parent or guardian may control access to MA 15+ content by persons under 15 years of age.

Before provisioning access to R18+, the system must satisfy a risk analysis which means considering:

• the risk of whether the proof of age evidence could be held or used by another person, or someone younger than the age which the form of evidence attributes to the person being identified; and
• the kind of evidence provided and the manner in which it is provided.

The Explanatory Statement delves into the intent of the RAS Declaration and addresses why the RAS Declaration does not prescribe a specific method for verifying age to access R18+ content, which is both to recognize the breadth of current methods of age verification used across various content platforms, and to ensure that there is flexibility now and in the future to allow designated content/hosting providers to develop systems that best suit their business models.

ACMA is aware of a number of different methods of age verification currently operating that range from submission of proof of age in person and actual sight of the applicant and the proof of age (which may be a driver’s license, passport etc) to reliance on credit card verification. Access-control systems are required to keep a record for 2 years on how the age of the applicant is verified while also following Australia’s National Privacy Principles contained in the Privacy Act 1988.


Korea

In May 2007, Google announced its plans to implement an age verification solution on its search engine in Korea, limiting adult-themed searches to those 19 years of age or older. According to an InfoWorld article:

Users will have to enter their name and national resident registration number, which will be checked against a database to verify the user — or at least the person whose data has been entered — is old enough.

The system will be combined with a localized version of the SafeSearch system that is already used on Google’s main English-language search engine to ascertain the context of the search so that queries for, for example, “rape” are challenged but those for “rape shelter” are not.

Examining Age Verification in USA Industries

CTIA – the International Association for Wireless Telecommunications Industry

Wireless carriers in conjunction with CTIA have voluntarily adopted the Wireless Carrier Content Classification and Internet Access Control Guidelines in an effort to provide consumers with the information and tools they need to make informed choices when accessing content using a wireless handset. According to the CTIA website, these guidelines are as follows:

• Carrier Content Classification Standards – a significant component of the Wireless Carrier Content Guidelines is the voluntary content classification standards for carrier content—those materials that are offered specifically on the carrier’s managed content portal, also known as the carrier’s “deck”, or any third-party content whose charges are included on a carrier’s bill. Carrier Content is divided into two classifications: “Generally Accessible Carrier Content” and “Restricted Carrier Content.” Generally Accessible Carrier Content is available to consumers of all ages. Restricted Carrier Content is accessible only to consumers age 18 years and older or to a consumer less than 18 years of age when specifically authorized by a parent or guardian.
• Providing Parental Controls on “Restricted Carrier Content” – The wireless industry has pledged not to offer any “Restricted Carrier Content” until it has provided controls to allow parents to restrict access to this type of content, based on the content classification standard. Each carrier is responsible for its implementation of access controls, including age-verification mechanisms. Additionally, the industry will undertake an education campaign to inform and educate consumers on how they can prevent unauthorized access to age-restricted carrier-controlled content.
• Content Rating Standards – Wireless carriers are working to define content rating standards to more fully inform consumers about the characteristics of carrier content and its suitability for particular audiences. The content rating standards will leverage existing rating systems familiar to consumers such as movie, television, music, and gaming rating systems.
• Internet Access Controls – As with carrier content, the industry is developing “Internet Access Control” technologies that will enable wireless account holders to limit access to specific websites. Currently, all major carriers provide consumers with the ability to completely block Internet access on their devices. Although carriers have no control over content generally available on the Internet, providing filters and tools is an important step intended to give consumers, particularly parents, the ability to limit the Internet content that can be accessed through their family’s wireless devices. Wireless companies are aggressively researching technological solutions and are implementing them on a carrier-by-carrier basis.

Wine Industry

In 2005, the Supreme Court opened up the direct shipment of wine on a state by state basis. As part of this, wineries and direct shippers must verify proof of age at the time of purchase. Industry organizations such as WineAmerica and The Wine Institute continue to educate members about the compliance tools available, including how to verify age when consumers are not present. Both organizations have partnered with providers to offer these services to their members.

In 2006, the State of Michigan passed a bill that allowed direct wine shipments into the State provided that the Direct Wine Shipping Requirements of the Michigan Liquor Control Commission are followed. The requirements specifically state:

“You must verify that the person placing the order is at least 21 years of age through obtaining a copy of photo identification issued by the State of Michigan, another state or the federal government or by utilizing an identification verification service.”

As part of this, the Michigan Liquor Control Commission conducted a review of identity and age verification services. To provide these services within Michigan a provider must be an approved vendor. This is the first legal governing body to test and approve electronic age verification solutions.

Tobacco Industry

The Master Settlement Agreement, signed in November 1998, strictly prohibits the marketing of tobacco products and promotional merchandise to anyone under 18. As part of this, tobacco companies must age verify consumers before they are allowed to enter a tobacco website or receive any direct marketing materials.

Entertainment Industry

The motion picture, music recording and electronic game industries have adopted a self-regulatory program to address violence, sexual content, language, drug use and other explicit content that may be of concern to parents.

Following the Columbine tragedy in 1999, President Clinton asked the Federal Trade Commission and the Department of Justice to conduct a study of whether the movie, music recording, and computer and video game industries market and advertise products with violent content to youngsters. The results of the study were published in September 2000 and concluded that these industries routinely target children under 17 as the audience for material they themselves acknowledge is inappropriate for children and warrants parental caution, which undermines their own programs and limits the effectiveness of the parental review programs. Furthermore, retailers were making little effort to restrict children’s access to products with violent content. Within the report, certain calls to strengthen self-regulation were made:

• Establish or expand codes that prohibit target marketing and impose sanctions for violations
• Improve self-regulatory system compliance at the retail level including avoiding sales of R-rated, M-rated/advisory-labeled products on Internet sites unless they use a reliable system of age verification.
• Increase parental awareness of the ratings and labels.

The sixth follow up to this report was released in April 2007 and found:

…with few exceptions, general compliance with existing voluntary standards but insufficient attention to the development and application of these standards to evolving market trends…

The practice of marketing R-rated and M-rated movies and explicit content labeled movies to media with teen audiences is particularly evident in the industries marketing on the Internet. Although the video game industry has adopted limits on Internet advertising, the relevant standard – ads cannot appear on a site where more than 45% of visitors are under 17 – is so permissive that advertisements for M-rated games can reach large numbers of young teens and children. Moreover the Commission’s review found many examples of noncompliance with even that limited restriction. The movie and music industries have adopted no standards restricting Internet advertising or R-rated movies and explicit-content labeled music.

An article published last year in USA Today discusses the issue of red-band trailers. While some movie studios, like Sony, Universal and Paramount, have implemented age verification to watch online “red-band” trailers, or movies that USA Today refers to as “heavy on raunch or violence,” many of these same trailers can be seen elsewhere on the web, including the popular video sharing site YouTube.



Filed under Age Verification, Identity verification, protecting kids online

OK..lahoma Identity Theft?!

I stumbled on an interesting article today about data privacy, or really the lack thereof, for registered sex offenders in Oklahoma (and ultimately the State’s government employees as well). It seems that anyone on this list, or any other offender list in OK, has had their SSNs exposed on the Internet for the past 3 years.

…The result of this negligently bad coding has some rather serious consequences: the names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years. Up until yesterday, April 13 2008, anyone with a web browser and the knowledge from Chapter One of SQL For Dummies could have easily accessed – and possibly, changed – any data within the DOC’s databases.

What I find interesting is that a feeble attempt to protect this information was made at first. It wasn’t completely corrected until the writer of the article pointed out to the Department of Oklahoma Corrections that it wasn’t just criminals whose SSNs were exposed; private data on the government employees could also be found and downloaded easily.

Shortly after discovering this problem (thanks to reader AJ, who hesitantly pointed it out), I spent the following day working my way up the DOC’s call tree. Eventually, I found my way to George Floyd and explained how bad of an idea it was to have a SQL query as a parameter…

The following day, both the SVOR and Offender Search were taken down “for routine maintenance”. Great, I figured, they discovered an overlooked hole and were working to patch it up. However, when the sites came back up, I noticed that the “print-friendly page” still had a SQL query in the URL. Putting the “social_security_number” in, however, no longer displayed social security numbers. It took me all of ten seconds to figure out a way around their fix. This slightly-modified URL brought back all 10,597 SSNs once again.

…I emailed again, this time explaining the problem much more clearly and advising in BOLD, RED, CAPS that the “roster page” should be taken down immediately. I also demonstrated the power of the ALL_TABLES table, the contents of an “interesting” table named MSD_MONTHLY_MEDICAL_ACTIVITY, and how even their information was available for all to see…. That, apparently, did the trick. Soon thereafter, the sites underwent “routine maintenance” and the “roster pages” were no more. I guess they weren’t too thrilled about having their personal data up on the ‘net for all to see


Filed under identity theft, Internet Safety
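The design flaw in the article quoted above (SQL text carried in a URL parameter, then "fixed" by hiding one column name) set beside a server-owned query, as an added example that is not code from the article or from the site it describes. The schema, names and rows are constructed, and SQLite stands in for the real database; its authorizer hook models a least-privilege database account.

```python
import sqlite3


# Constructed schema and rows; every name here is hypothetical.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE offender (id INTEGER PRIMARY KEY, name TEXT, county TEXT,"
        " home_address TEXT, social_security_number TEXT)"
    )
    db.executemany(
        "INSERT INTO offender VALUES (?, ?, ?, ?, ?)",
        [
            (1, "Sample Person A", "Tulsa", "1 Example St", "000-00-0001"),
            (2, "Sample Person B", "Tulsa", "2 Example Ave", "000-00-0002"),
            (3, "Sample Person C", "Cleveland", "3 Example Rd", "000-00-0003"),
        ],
    )
    db.commit()
    return db


def legacy_print_page(db, params):
    """The flawed design: the request parameter *is* the SQL statement.

    The substring check mirrors the first "fix" (hide one column name).
    The caller still decides which statement runs, so nothing is contained.
    """
    sql = params["sql"]
    if "social_security_number" in sql:
        raise ValueError("blocked")
    return db.execute(sql).fetchall()


PUBLIC_COLUMNS = ("id", "name", "county")  # the only columns a roster may show
SORTABLE = {"name": "name", "county": "county"}  # request value -> identifier
MAX_ROWS = 100


def roster_page(db, params):
    """Server-owned query: the request supplies values, never SQL text."""
    county = params.get("county", "")
    if not isinstance(county, str) or len(county) > 64:
        raise ValueError("bad county")
    sort = SORTABLE.get(params.get("sort", "name"))
    if sort is None:
        raise ValueError("unsupported sort")
    # Identifiers come from the allowlists above; values are bound with "?".
    sql = (
        f"SELECT {', '.join(PUBLIC_COLUMNS)} FROM offender "
        f"WHERE county = ? ORDER BY {sort} LIMIT ?"
    )
    return db.execute(sql, (county, MAX_ROWS)).fetchall()


def restrict_web_connection(db):
    """Defense in depth: deny the web connection any read of sensitive columns,
    standing in for a least-privilege database account or a restricted view."""
    sensitive = {("offender", "social_security_number"),
                 ("offender", "home_address")}

    def authorizer(action, arg1, arg2, db_name, source):
        # For SQLITE_READ, arg1 is the table name and arg2 the column name.
        if action == sqlite3.SQLITE_READ and (arg1, arg2) in sensitive:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    db.set_authorizer(authorizer)
    return db


if __name__ == "__main__":
    db = restrict_web_connection(make_db())
    print(roster_page(db, {"county": "Tulsa", "sort": "name"}))
    try:
        legacy_print_page(db, {"sql": "SELECT name, home_address FROM offender"})
    except sqlite3.Error as exc:
        print("denied at the database layer:", exc)
```
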

RSA Conference Recap

I’m back from the RSA conference and how exhausting. Understandable considering there were 17,000 people at the show—all focused on the security industry.

In case you didn’t see it, we made an announcement during RSA about our partnership with Upek, a biometrics company based in the Bay Area. What I find exciting about this partnership is that it shows just how complementary our solutions are with other authentication technologies. In a whitepaper we published over a year ago we showed a diagram of where identity verification fits in the puzzle and how it is central to other verification tools.

Verification Tools

Biometrics in an online environment falls into this sphere and requires a proofing solution because what good does it do to enroll someone’s fingerprints if the fingerprints aren’t those of the person he/she is claiming to be? This is why we decided to show the power of our two technologies working together through a joint demonstration.

Another observation from RSA is that there continues to be a lot of interest and discussion about age verification and social networks. If you recall, last year there was a panel session called Pandora’s Box discussing child safety and the Internet. Admittedly this year I didn’t attend the sessions as much since we were an exhibitor, but based on the questions and discussions on the show floor, it is clear people are concerned and also aware of the Internet Safety Technical Task Force.


Filed under Age Verification, authentication, child safety, identity, identity proofing, Identity verification, Internet Security, security, social networking

A Good Perspective on Social Networking Identity Verification Issues

Zach Martin, editor of CR80 News, recently published an article about the identity and age verification issues we are facing in social networks. You definitely should check it out, but in case you don’t have time, here are some important highlights:

When trying to get into a bar or club there is typically someone at the door checking IDs. But on social networking sites there is no bouncer, which means there’s no way to tell whether you’re corresponding with a 15-year-old girl or a 32-year-old man.

It’s the same no matter where you go. MySpace, Facebook, and professional networking site LinkedIn, do little to make sure people are who they claim to be. “There is a general feeling that social networking is the wild west of identity management and a lot of bad things happen because proper controls haven’t been put in place,” says Roger K. Sullivan, president of the Liberty Alliance Project management board.

The stories range from the tame to the tragic.

A student not happy with an administrator at school creates a profile on a social networking site. Even though the student is a woman she creates a profile that is a man and then flirts with the administrator in order to cause her embarrassment later.

At a Catholic school in the Chicago suburbs, an administrator monitors the popular social sites on a regular basis just to make sure nothing out of the ordinary is happening. She has run into instances where students create accounts in other peoples’ names – people who actually exist – and then make false statements. For example, one student set up an account as a real person from another school and made statements about the student’s sexual proclivities while giving out her real phone number.

In 2006, a fake profile led to the suicide of a 13-year-old Missouri girl. A classmate’s mother originally created the profile to find out if Megan Meier was saying anything bad about her daughter. But then it was used to gain Meier’s confidence and then to tear her down. Angry messages went back and forth, and it ended with Meier hanging herself.

There’s also the need to prevent pedophiles from contacting children online. MySpace has agreed with different states’ attorney generals to adopt better technologies that will help identify underage users so they can be protected from predators, but the social networking site hasn’t figured out how it’s going to do it.

The vast majority of sites don’t do anything to try to confirm the identities of members. The sites also don’t want to absorb the cost of trying to prove the identity of their members. Also, identifying minors is almost impossible because there isn’t enough information out there to authenticate their identity.

But this may all change. As sites become more scrutinized they will have to take steps to make sure people are who they say. “There will be a trend to use a third party that leverages database information that will be able to vouch for you and provide a more certain level of identification,” says Eric Skinner, chief technology officer at Entrust, an Addison, Texas-based digital identification vendor.

There are a handful of vendors that are offering online identity vetting. Most are working with financial institutions, but they see business opportunities with the social networking sites.

The article goes on to describe some social networks and their use of identity verification, including one of our clients, FunkySexyCool, and their use of our system. It also discusses the privacy concerns related to age verification of minors and provides a possible solution the Liberty Alliance is discussing, essentially related to ID 2.0.

Liberty Alliance’s Sullivan, who is also vice president of Oracle Identity Management, says it’s only a matter of time before social networking sites offer tiers of identification assurance, which could be used to confirm a minor’s identity. For example, if a 14 year old wanted to sign up on MySpace without a parents’ permission they would be placed on the lowest ID tier. “They would be put into a question mark bucket,” Sullivan says.

But if one parent went online and confirmed his child’s identity they would be raised up a tier. If both parents did it they would go up two tiers. The parents would be authenticated through public records and online databases.

Eventually there would be a fourth tier as well. A minor would physically go to a trusted source with documents that prove their age and identity. These identity assurance sources don’t exist, but it’s something the Liberty Alliance is working toward, Sullivan says.

The next task force meeting will be later this month and I’m looking forward to seeing how the conversation progresses. I firmly believe we can find several ways to combat the issues at hand including both an educational approach and technological approach.

On another note, I’m off to the RSA Conference next week. IDology has a booth this year so if you are in San Fran, stop by and see us.


Filed under Age Verification, Identity 2.0, Identity verification, Internet Safety, MySpace, protecting kids online, security, social networking