This guidance describes age assurance and how it’s achieved using the identification standards and guidance.
What is age assurance?
Age assurance is the process of establishing the age of an Entity (especially a person) for the purposes of eligibility for, or exclusion from, a product or service.
There are 3 main ways to establish an Entity’s age.
Deriving age
Age can be derived from a known date of birth or creation by calculating the time that’s elapsed since that date and another point in time, such as today.
For example, if someone was born on , then on a total of 26 years and 3 months will have elapsed.
Or if a company, machine or piece of software was created on , then on a total of 15 years will have elapsed.
Depending on what the Relying Party wants to know, this could be expressed in various ways.
Examples of different ways to express a derived age
For a person born on , on :
What is their age in years and months? 26 years and 3 months
What is their age in years? 26
Are they over 18 years old? Yes
Are they over 65 years old? No
Is their age between 15 and 25 years? No
For a company created on , on :
How long has it been operating in years? 15 years and 0 months
What is its age in years? 15
Is this company over 10 years old? Yes
When an age is derived from a known date, the level of information assurance (LoIA) for the derived value will be the same as the information used for the calculation. If a date of birth has an LoIA3 value, the derived age will have the same LoIA3 value.
The controls for levels of information assurance are contained in the Information Assurance Standard and its implementation guide.
An inferred (or deduced) age takes 1 or more pieces of information and assumes an age from these. As many other things could influence the assumption, these values are more subjective and less certain.
Often inferred age is not directly related to the information being used for the assumption.
Examples of inferred age values
A person has a credit card, so they’re over 18 years old.
A person needs to be 18 years old to be enrolled to vote, so people on the electoral role are at least 18 years old.
A person has a driver licence, so they’re over 18 years old.
A photo of a street taken in 1990 includes a recognisable shop brand that is still there today, so this shop must be at least 35 years old.
While using more points of reference can increase the likelihood of the value being accurate, it cannot be assumed that it’s accurate.
Inferred values, like derived values, inherit the level of information assurance value (LoIA) of the information that’s used for the inference.
Care needs to be taken when there are exceptions or conditions associated with the information from which the value was inferred. For example, learner and restricted driver licences can be held by people under 18 years. A full licence could also be held by someone under 18 if they’ve completed an approved advanced training course.
When there are exceptions or conditions that impact the accuracy of the inference, the lowest level of information assurance (LoIA1) is applied to the inferred value.
Estimating age
Age can be estimated using statistical analysis.
An estimated value may come from large sets of information such as financial, biometric (physical or behavioural), social or locational information.
Age estimation using biometric information has the benefit of also binding it to the Entity, especially a person.
Examples of estimated age values
By analysing a facial image against known parameters, it can be estimated that this person is between, over, or under certain ages.
By aggregating a person’s social media posts and content consumption, and analysing the general behaviour trends and language used, the approximate age of the person could be estimated. For example, a person’s history of consistently watching videos of toys and popular video games can be benchmarked against typical behaviours for various ages and this could estimate that a person may be a child.
In general, estimated values are considered as LoIA1 for accuracy. This is because it’s based on a probabilistic calculation. The estimated value result can include false positives and false negatives.
As estimation solutions evolve and more test data becomes available about the degree of accuracy these solutions provide, higher levels of assurance could be achieved.
For example, an automated biometric age assurance system based on facial recognition could produce an outcome of sufficient accuracy that a Relying Party is willing to accept it as equivalent to a higher level of assurance.
Currently, there are no specific criteria or guidance to help a Relying Party to assess an estimation solution’s capability to produce higher level of information assurance.
A Relying Party will need to implement additional risk mitigations where the risk indicates that a higher level of assurance is needed.
The level of information assurance (LoIA) is an indicator of the accuracy of the age value only. Entity binding expressed as a level of binding assurance (LoBA) is still needed to ensure the value relates to the person that’s claiming it.
Age assurance providers
The Identification Management team would like to develop some guidance for age assurance providers.
