Children of all ages can completely bypass age verification measures to sign-up to the world's most popular social media apps including Snapchat, Instagram, TikTok, Facebook, WhatsApp, Messenger, Skype and Discord by simply lying about their age, researchers at Lero, the Science Foundation Ireland Research Centre for Software have discovered.
And even potential age verification solutions identified by the research team can be easily sidestepped by children, according to the team's most recent study: Digital Age of Consent and Age Verification: Can They Protect Children?
Lead researcher Lero's Dr Liliana Pasquale, assistant professor at University College Dublin's School of Computer Science, said children could easily bypass the mechanisms adopted by apps to verify their age.
"This results in children being exposed to privacy and safety threats such as cyberbullying, online grooming, or exposure to content that may be inappropriate for their age," she added.
The study which examined Snapchat, Instagram, TikTok, HouseParty, Facebook, WhatsApp, Viber, Messenger, Skype, Discord apps scrutinised age verification procedures in April 2019 and repeated it in April 2020 ¬- it found all ten apps permitted users, regardless of age, to set up accounts if they first gave their age as 16.
Dr Pasquale said the widespread use of age of 13 as the minimum age for accessing social media services derives from the Children's Online Privacy Protection Act (COPPA), effective in the USA since 2000. Europe's General Data Protection Regulation (GDPR) requires children below the age of digital consent (13-16) to have verifiable parental consent for the processing of their data.
EU member states are also free to set a different digital age of consent, between 13 and 16 years, leading to a range of age limits across Europe. For example, Ireland, France, Germany and The Netherlands have opted for 16, while Italy and Spain have set the age at 14; while the UK, Denmark, and Sweden have set the age at 13.
"Our study found that while some apps disabled registration if users input ages below 13, but if the age 16 is provided as input initially then none of the apps require a proof of age. Providing mechanisms that deter a user from installing an app on a device on which they have previously declared themselves to be underage is currently one of the most sensible solutions not to incentivise users to lie about their age," Dr Pasquale said.
The team looked at existing age recognition techniques using biometrics such as speech recognition and fingerprint characteristics as possible solutions to implement more robust age verification mechanisms. However, these were also found to have limitations with speech recognition, for example, easily bypassed by playing voice recordings.
Dr Pasquale said their study found existing data protection regulations to be ineffective.
"In reality, the application of substantial financial penalties was the main trigger for app providers to implement more effective age verification mechanisms. Based on our study and on our survey of biometrics-based age recognition techniques, we propose a number of recommendations to app providers and developers," she said.
Recommendations:
- Clarify the minimum age and treatment of data: Existing apps should ensure that a clear, concise and age-appropriate summary of the relevant parts of the app's ToU (terms of use) is displayed to users who sign-up and declare their age to be under 18.
- Enable the most restrictive privacy settings: Apps should apply the most restrictive privacy settings by default for any user that declares themselves to be under the age of 18. For example, photos, posts and messages should only be shared with "friends", location data should not be collected at all. It should also not be possible to override privacy settings without explicit parental consent.
- Encourage users not to lie about their age: Despite the presence of a minimum age requirement, many underage users continue to use social and communication apps. Users must be incentivised to be honest about their age, with minimal data collected. Providing mechanisms that deter a user from installing an app on a device on which they have previously declared themselves to be underage is currently the most sensible solution and the hardest to circumvent.
- Implement Robust Age Verification Mechanisms: Where a minimum age requirement is in place, it should be backed up by appropriate age verification mechanisms. Using age recognition techniques based on biometrics factors, such as facial features, may not be sufficient considering that these can be circumvented. Age verification should be an ongoing process that does not terminate after sign-up, to assess whether a user lied about his/her age at the moment of sign-up, to counteract evasion measures.
###
This study was commissioned by Cyber-SafeIreland, an Irish not-for-profit organisation that aims to empower children, parents and teachers to navigate the online world in a safe and responsible manner.
This work was partially supported by Science Foundation Ireland grant 15/SIRG/3501, EU H2020 CyberSec4Europe project grant 830929, and the ERC Advanced Grant no. 291652 (ASAP).
Source: The Apps studied were downloaded from the Irish Google App Store
Publication: The peer-reviewed paper was published in IEEE Software on 15 December 2020.
Citation: L. Pasquale, P. Zippo, C. Curley, B. O'Neill and M. Mongiello, "Digital Age of Consent and Age Verification: Can They Protect Children?," in IEEE Software, doi: 10.1109/MS.2020.3044872.
About Lero:
Lero, the Science Foundation Ireland Research Centre for Software, brings together expert software teams from universities and institutes of technology across Ireland in a co-ordinated centre of research excellence with a strong industry focus. Lero's research spans a wide range of application domains from driverless cars to artificial intelligence, cybersecurity, esports, fintech, govtech, smart communities, agtech and healthtech.
Hosted by the University of Limerick, Lero's academic partners include Dublin City University, Trinity College Dublin, University College Dublin, Maynooth University, National University of Ireland Galway, University College Cork, Dundalk Institute of Technology, Waterford Institute of Technology, Limerick Institute of Technology and Munster Technological University.
As the world's second-largest software exporter, Ireland is recognised internationally as a leading location for companies in the software sector and Lero is a key pillar in the sector. Fifteen out of the top 20 global technology firms have strategic operations in Ireland. Since its foundation in 2005, Lero has become one of the best-known, and most highly regarded, software research centres in the world.
Journal
IEEE Software