Bypassing age verification measures on social media apps is easy as pie
The measures that popular social media apps use to verify age during the sign-up process are basically ineffective. According to research supported by the EU-funded projects CyberSec4Europe and ASAP, children of all ages can completely bypass these mechanisms by simply lying about their age. The study in question was conducted at Lero, the Science Foundation Ireland Research Centre for Software. The researchers sought to determine how the top 10 social and communication apps used by children apply age limits. By analysing the age verification procedures of Discord, Facebook, Houseparty, Instagram, Messenger, Skype, Snapchat, TikTok, Viber and WhatsApp, they found that all the apps allowed users to create accounts by initially stating they are 16 years old.
Ineffective age verification and its implications
The project team assessed how robust the apps’ age verification measures were. “Our study found that … some apps disabled registration if users input ages below 13, but if the age 16 is provided as input initially then none of the apps require a proof of age,” stated lead author Dr Liliana Pasquale of University College Dublin in a news item posted on the ‘EurekAlert!’ website. However, using an app for which they are underage can have serious consequences for children. “This results in children being exposed to privacy and safety threats such as cyberbullying, online grooming, or exposure to content that may be inappropriate for their age,” observed Dr Pasquale. The possible solutions to the problem the project team examined were found to have limitations. For example, age verification through speech recognition could easily be bypassed with voice recordings. Additionally, current data protection regulations were also found to be ineffective, Dr Pasquale reportedly remarked in the news item. “In reality, the application of substantial financial penalties was the main trigger for app providers to implement more effective age verification mechanisms,” she went on to say. Based on the results of their study and their investigation of biometrics-based age recognition techniques, Dr Pasquale and her team recommended the following measures to app providers and developers. First, apps should provide a clear and age-appropriate summary of the relevant parts of the app’s terms of use for under-18 users who are signing up. Secondly, the most restrictive privacy settings should be applied by default for users who declare they’re under 18. Third, users should be given incentives not to lie about their age. As stated in the news item, “providing mechanisms that deter a user from installing an app on a device on which they have previously declared themselves to be underage is currently the most sensible solution and the hardest to circumvent.” Last but not least, minimum-age requirements should be backed up by robust verification mechanisms. The results of the study supported by the CyberSec4Europe (Cyber Security Network of Competence Centres for Europe) and ASAP (Adaptive Security and Privacy) projects were published in the journal ‘IEEE Software’. ASAP ended in 2018, while CyberSec4Europe concludes in July 2022. For more information, please see: CyberSec4Europe project website ASAP project website
Keywords
CyberSec4Europe, ASAP, social media, app, age verification, children