On 20 June 2025 the preliminary findings of the Australian Government’s Age Assurance Technology Trial were presented.
The major talking point from the consultancy team managing the trial was this claim:
“Age assurance can be done in Australia and can be private, robust and effective”.
While this makes a great sound bite for our Prime Minister and Communications Minister, things could not really be further from the truth.
John Pane, EFA Chair, joined the Age Assurance Technology Trial Stakeholder Advisory Board as a privacy expert. This was an important decision for the EFA board to make as there may be concerns about digital rights society organizations’ participation in these sorts of forums. Consequently, the EFA Board took the view that “if you’re not at the table, you soon find yourself on the table.” And this was a wise decision, as we soon found out.
The Stakeholder Advisory Board was stacked with online safety and child safety representatives (as you might expect) but there was a dearth of civil society privacy experts or advocates. In fact, there were none. It became clear to the EFA Board that it was imperative to get our voice heard. And it certainly was.
We start with the first claim, that “age assurance can be done in Australia and can be private, robust and effective.” EFA found this claim strong on hype and rhetoric and difficult to reconcile with the evidence. When EFA asked what “private”, “robust” and “effective” each meant (and what evidence was used to reach those conclusions) the project team found it challenging to support the claim in a logical, evidence-based manner. “Private” was used to imply “privacy.” But when asked to explain what “privacy” meant, the only substantive explanation offered was “confidentiality.” To us at EFA, this seemed more a case of ‘selling the sizzle and not the steak.’ Or… privacy washing perhaps?
The EFA Board concluded that several claims made by the Age Assurance Technology Trial project team did not hold up under close scrutiny. We break them down here:
- The project team’s evaluation “did not reveal any substantial technological limitations” but the data to support or refute this claim is not publicly available. There remains a question around the maturity of this technology or aspects of it. So, what has really changed since late 2023 when the government classified this technology as immature?
- The project team described a “vibrant, creative and innovative age assurance service sector” but made contradictory commentary about the maturity and efficiency of various technologies, and relied significantly on pipeline (unreleased) technologies. Who remembers vapourware?
- The project team found a “robust understanding of internal policy decisions regarding the handling of personal information by trial participants” but seemingly came to this conclusion by noting the presence of a privacy policy or privacy statement by trial participants. The bar for privacy assurance has been set incredibly low by the project team. To EFA, this shows all the hallmarks of tick-box compliance behavior, and not privacy by default as it should be. Could this be evidence of “privacy washing”? It remains unknown how privacy compliance and assurance were really measured.
- The project team claimed that “the systems were generally secure and consistent with information security standards” but the bar for information and cyber security risks also seems low and indicative of tick box compliance. What remains unknown is the organizational security posture and capabilities of each vendor participating in the trial. Do the security standards cited by the project team refer to the age assurance technology product offering in isolation or the vendor’s enterprise as a whole? What was the evidence for that?
- The project team found “Concerning evidence that in the absence of specific guidance, service providers were over-anticipating the eventual needs of regulators about providing personal information for future investigations. Some providers were found to be building tools to enable regulators, law enforcement or coroners to retrace the actions taken by individuals to verify their age.”
From a privacy and information security perspective this is an absolute nightmare! This indicates a failure by the Age Assurance Technology Trial to understand the what, why and how of operationalising Australian privacy law requirements. Worse still is the fact that some vendors were creating regulatory backdoors or pathways to grant future access to personal data because of an unknown or non-existent legal obligation. This is horrifying!
In addition, this excessive storage of personal data will become a honeypot for bad actors.
Questions also remain as to whether trial vendors might use this personal data for unrelated purposes. Whilst a coroner’s court can certainly make orders for the production of documents, EFA has never heard of any legal obligation mandating the retention of personal data on the basis that it might, one day, be needed by a coroner’s court. This suggests some of these vendors have an appalling understanding of privacy laws. Even more worrying, by retaining personal data for longer than necessary, these vendors are exacerbating cyber and information security risks. In other words, no matter from which angle you look at this, it amounts to a honeypot of personal and (potentially) biometric data. What could possibly go wrong?
EFA also sought undertakings from the Age Assurance Technology Trial that they, and all vendor participants, would immediately securely destroy or permanently de-identify all personal data (including biometric data) collected from test subjects. EFA further requested that vendors provide a certificate of completion once all personal data is destroyed. EFA was surprised this foundational rule of data sharing was overlooked by the project team. It simply is not enough to have a clause in a contract requiring a third party to do something like securely destroy data. This sort of third party risk must be managed from cradle to grave.
The Age Assurance Technology Trial has now concluded. The final report – comprising ten volumes, including individual assessments of each age assurance method evaluated – was submitted to the Australian Government on 1 August 2025. EFA has not seen it and does not know if the assurances we sought were kept.
What now? You can expect EFA to utilise knowledge gained from the Age Assurance Technology Trial to counter any spin coming from the government on the efficacy or alleged success of this significantly flawed initiative. Join us in our efforts here.