Introduction

For platforms that host content that is stated within the Act as harmful to children, the Act requires the implementation of a "highly effective age assurance." The previous standard where the user ticks a box to say they are over 18 and it is legal for them to access this material in their location, is correctly no longer sufficient.

To comply, many websites are turning to third-party age verification services. These services can use various methods to confirm a users age including;

• ID Document Verification: Uploading a photo of a passport, driver's license, or other government issued ID.

• Facial Age Estimation: Analysing a user's face in a live photo or web camera to estimate their age.

• Other Digital Identity Checks: Using bank or mobile provider data to confirm a user's age without sharing other personal information.

This summary has been checked by AI and deemed accurate.

Lets take by far the biggest example of sites affected by this part of the Act, Pornography. Sometimes they can host the most hardcore and fetish content that attracts millions of users from around the world. So, in our opinion, they are not the most trustworthy of individuals when it comes to adopting moral methods of making money.

The use of either their own validation or third-party age verification services will lead to a central repository of sensitive personal data, including IDs and biometric information. While these companies will promise to protect this data, a single data breach could be catastrophic, exposing millions of people to identity theft. There are legitimate concerns that the data collected for age verification could be sold or used for other markting purposes. The data could even be sold to data brokers with biometric data, banking information, driving license or passport details ending up on the dark web.

You may recall a number of high profile data breaches have occurred in the last few years including;

• Twitter (2023): In a massive breach, the data of an estimated 200-400 million Twitter users was put up for sale on the dark web. The data included email addresses, usernames, and other information that could be used for targeted attacks.

• Facebook (2021): The personal data of more than 533 million Facebook users from over 100 countries was leaked online. This included names, phone numbers, birthdates, and email addresses.

• Yahoo (2013-2014): While a bit outside the 5-year window, it's worth noting the scale of the Yahoo breaches, which affected all 3 billion of their user accounts. It remains one of the largest data breaches in history and underscores the long-term impact of such events.

There is a well established global industry of 100s of "data brokers" that collect and sell personal information. Critics of the Act argue that even if the law doesn't explicitly require websites not to sell data, the data collected for age verification could be a valuable target for these companies, either through legal loopholes or illegal means.

If we were bad actors, we would have seen a financial opportunity to create a plethora of pornographc websites advertising the most depraved content but needing age verification and build our own validation with the purpose of performing mass fraud and then sell the data on the dark web. We are sure somone will have done this somewhere and no doubt the victims may not know or if they do then they are likely to try and keep this discreet.

These are opinions of UbiquitousReach.org.