Adults must show ID to use social media

The stories in the press are "Children must show ID to use social media".

This is totally misleading.

"Passes please": All adults must show ID to use social media.

That is the real story here!

Children (under 13) are actually the ones that won't have to show ID as doing so won't help them. But for this to work, everyone will have to show ID to use social media!

P.S. This is my proposed email to ICO, if this ends up covering Mastodon.

Dear ICO,

I understand that under new rules, as the operator of a social media platform, I have to advise you how I check the age of my user. I have used two methods.

1. Looking in the mirror and seeing I look well over 18.

2. For around 55 years I have meticulously counted the number of birthdays I have had, that number being 60, which is more than 18. I did rely on my parents to confirm the first few.

I trust you find this meets the requirements.



  1. The depressing thing is that this could be solved in a (only slightly Orwellian) way using some off the shelf open standards.

    1. Establish a system of Approved Age Verifiers (DVLA, Passport Agency, Citizen Card, Shops etc)
    2. AAVs can issue tokens (JWTs to be specific) indicating that the holder of the token is over 13/18
    3. Apps can accept these tokens as proof of a user's age

    * The App has no visibility of the actual requester of the token, so you've got no information disclosure there. There could be a token identifier should law enforcement or whoever need to track the token back to the requester.
    * The AAV has no visibility of where the token is used, so there's no information disclosure there.
    * Each app would be responsible for making sure each token is only used once, and the tokens could be time limited. You could probably implement some form of transparency-log style system to log the hashes of used tokens (so you'd check that list first before accepting it, like a revocation list) but that may be overkill.
    * Apps that absolutely require single use tokens could request that a certain reference be included on the JWT that the issuer could be informed of.
    * AAVs would need to impose rate limits to prevent someone from creating them to pass on.
    * Make it illegal to sell / transfer the tokens

    The system isn't going to be perfect, but it's probably the closest you can get to solving a "people problem" using technology while maintaining privacy.

    This works for "in-person" transactions as well. I don't necessarily want the person in the shop to have access to my name and address when I'm buying something age restricted.

    1. Unfortunately the powers that be won't go to this sort of effort. They don't recognise privacy as valuable.

      I'd be in favour of everyone having to carry ID if it worked something like that.
      Let us prove a specific thing to person who needs to know that thing, without revealing needless extras.
      Do you have a license to drive this type of vehicle? Are you > X years old?

  2. So according to this, when this comes into force, Ofcom will need to assess and categorise every user-to-user service. There are thousands of Mastodon instances out there so I guess they'll be kept busy for a while!


  3. I don't own id except a birth certificate. Make of that statement how you will

  4. It seems the reality is a little more nuanced than the headline suggests.

    For a start, showing actual ID is only ONE of the suggested methods for confirming age. Using a third-party service (as suggested by Matthew above) would also be perfectly legal. I don't believe for a minute that "face recognition" is going to work, because age restriction requires an exact cut-off (if you are one day before your 13th birthday you are still under-age), and no facial analysis is capable of measuring age to the exact day.

    Secondly, Ofcom are not actually introducing any new age limits (according to the article text, they don't have the authority to do so). They are only requiring that sites which ALREADY ban under-13s introduce a more effective way of enforcing their own rules beyond the hilariously pointless "click this box to confirm you are not under-age". Sites aren't required to ban children, but if they allow children they are supposed to take extra steps to avoid those children coming into contact with adult content.

    Presumably one of the ways Facebook could comply with the rules is to remove their age restriction altogether, and just require the whole site to be child-friendly. Or just block it in the UK entirely, which I suspect will be the ultimate consequence of all these efforts to make the UK the "safest place to be online" (i.e. the most government-censored internet in the developed world).


Comments are moderated purely to filter out obvious spam, but it means they may not show immediately.

ISO8601 is wasted

Why did we even bother? Why create ISO8601? A new API, new this year, as an industry standard, has JSON fields like this "nextAccessTim...