Bluesky Made Me Prove I Was An Adult—Here’s How I Did It
Facial recognition is being used to estimate website visitors’ age
I’m 47 years old, it’s not often I’m asked to prove I’m old enough to do something anymore. But if you’re living in the U.K., you’d better get used to being asked to prove your age, as it’s now a legal requirement to access all manner of sites and apps, including X, Reddit and Bluesky.
The move is part of the U.K. government’s online safety push, which demands that sites or apps that “allow harmful content” must use “highly effective age gating methods” to ensure users are adults.
These restrictions will apply to a wide variety of sites. Pornographic sites are an obvious target for such measures, and the U.K. communications regulator Ofcom – which is overseeing the new regulations – claims that “the UK’s biggest and most popular adult service providers” have committed to deploying age verification.
But it’s not only porn sites that are being forced to deploy the age gating. Social media sites, dating apps and others are being caught in the net. Ofcom claims that platforms including Discord, Reddit, X and Grindr have agreed to deploy age gating, although I’m yet to see it on those sites, despite the deadline coming into force today.
The one service I have been asked to verify my age with is the social network Bluesky, and here’s how it was done.
Bluesky Age Verification
Bluesky users can choose from two methods of age verification
Ofcom isn’t prescriptive about which age verification methods sites should use, as long as it meets the wooly criteria of being “highly effective”. So, the methods deployed by Bluesky might not be the same as those used by other sites.
In Bluesky’s case, the age verification process started by being asked to enter my email address. This, Bluesky explained, would be sent to its partner Kids Web Services, who “will check if you have previously verified your age using this email address for other games/services powered by KWS technology.”
I was then sent an email in which I was told I need to verify as an adult, by clicking on a link. If this method isn’t being exploited by phishing firms already, it will be nothing short of a miracle.
The link whisked me to a website where I was given two options to prove my adulthood: I could take a face scan or enter credit card details, which would be authorized by the payment provider Stripe.
I opted for the face scan, which is powered by a company called Yoti. The Yoti system puts an outline of a head on your screen, and you then need to use your webcam to put your own head in the frame. Most browsers will ask for permission before a site is allowed to use your webcam, so watch out for the pop-up permission window, as it’s easy to miss this.
Once I’d got my head in the right position, the software took a few seconds to process the image and I was declared a legitimate adult! Yoti doesn’t reveal what age it thinks you are, merely that you passed the test. It then claims to wipe the image of your face from its system, adding that it doesn’t store any personal data.
The Yoti process was pretty straightforward for me, although fellow Bluesky users haven’t always found the system quite so simple. One Bluesky user told me that he had to remove his glasses to make the face scan work, even though the site tells you to keep them on. Another said that “the Yoti page won’t even accept my face as a face.”
The Privacy Question
Age verification to reach ostensibly adult sites also raises serious questions about privacy protections. A database of people who visit pornographic sites, for instance, would be a rich target for scammers and extortionists.
Thus, you’re putting a lot of faith in the companies behind these age verification services to keep personal data secure. The KWS privacy policy suggests that the information provided can be shared with others.
For example, it states: “We also share personal information in some cases with our professional advisers and other service providers who are sometimes independent ‘data controllers’, such as lawyers, accountants and insurers (e.g. when enforcing our contract with you or in the event of claims against us).”
It further adds that “we may share your information with our Epic Games family of companies, including companies that we may acquire in the future, but only to the extent necessary to fulfil purposes set out in this Privacy Policy, or otherwise as authorized by you.”
The privacy policy also states that personal information is encrypted and that “we work to limit access to your personal information to those employees, agents, contractors and other third parties strictly on a ‘need to know basis.”
There’s also the question of how effective such age assurance really is. If all it needs is an email and what appears to be an adult’s face to pop in front of a webcam, it’s not hard to believe that under-age children will use an older friend/relative to help them bypass the age gating. And once they’re in, they’re in. There’s no need to continually reverify.
Not to mention the fact that VPNs make it easy to appear as if you’re visiting from a different jurisdiction that doesn’t require age verification. And that it won’t be hard to find sites – even well-known sites – that aren’t yet complying with Ofcom’s edict.
The U.K. government may have good intentions to protect children from harmful content, but it’s doubtful whether they really will – and whether they’ve created new security risks in the process.