An age assurance tool for Europe and beyond

Parents and young people alike look to companies like Google to create safe, educational and enriching spaces online. Core to achieving this goal is age assurance: a term for the variety of methods used to determine or estimate the age of a person visiting a site or app.

Just as a playground needs different equipment for different ages, different sites and apps need tailored protections. Companies like Google use age assurance to:

• Protect young people from content that may be inappropriate for their age
• Offer relevant features and settings tailored to age groups
• Empower parents with supervision tools such as Family Link
• Comply with child protection regulations

For many years we’ve deployed age assurance methods on our sites and apps, enabling us to deliver built-in digital protections for kids, teens and parents. But across the internet, the lack of a secure, interoperable solution has been a persistent challenge.

Supporting European efforts

This is especially relevant today in Europe given a range of efforts to help companies commit to effective age assurance. The European Commission, for instance, is working on a continent-wide technical solution for digital IDs issued by governments or other trusted sources. And its new Article 28 guidelines under the Digital Services Act offer a policy framework to tie it all together.

We endorse the Commission’s efforts on age assurance. By acknowledging the need for a variety of methods, either on their own or in combination, they propose precisely the kind of risk-based approach that can help every company meet its responsibilities.

Credential Manager: age assurance technology, now available on Android

Google’s Credential Manager API creates a secure pipeline for sharing identity information, including age. Sites and apps can use this tool to “call” a visitor’s credential holder, such as a mobile wallet or digital age verification app, and secure only the necessary age information — cracking one of the most daunting challenges standing in the way of universal online age assurance today.

Credential Manager is backed by Zero-Knowledge Proof technology for age verification. This cryptographic method enables visitors today to prove they are over 18, without revealing any additional information, including who they are.

Looking ahead, it offers the promise to adapt to more age sources and specific age bands, including for those under 18, contingent on further work to define standards and specify appropriate protections. We urge age assurance providers and app and web developers to build on this secure infrastructure for Android devices.

Taking responsibility for age assurance

Other companies have proposed different approaches. One proposal would require device operating systems to take care of age verification on behalf of websites — reengineering the protocols that have defined the decentralized web in ways that are hard to fully predict.

Another would require mobile app stores to verify visitors’ ages on behalf of mobile apps. Billed as “simple” by its backers, including Meta, this proposal fails to cover desktop computers or other devices that are commonly shared within families. It also could be ineffective against pre-installed apps, as Meta’s often are.

Even more worryingly, it would require the sharing of granular age band data with millions of developers who don’t need it. We have strong concerns about the risks this “solution” would pose to children.

Looking ahead

The online landscape is ever-evolving. Tools like Credential Manager show how protections for children can evolve with it. We look forward to supporting cooperation among experts, regulators, and families to refine age assurance and expand the offerings that make it possible.