Part J – Tech Stack

Technology stack deployment offers potential for systemic and interoperable age assurance. Theoretical models indicate that placing age assurance mechanisms at different layers of the technology stack - such as on the user's device, within the network infrastructure or at the app-store level - could provide consistent and cross-cutting protections across services. Interoperability across components will be essential to realise this potential.

App-store based models are being developed but lack critical adoption and verification features. While app-store based models were the most fully conceptualised, they currently rely on self-declared or parent-set age information. Without independent age verification and without adoption by key operators such as Apple and Google, these models do not currently meet the criteria for robust age assurance.

Deployment at the network or device level raises privacy and control considerations. Implementing age assurance at the device or ISP level could enable broader coverage, including services accessed through browsers or third-party platforms. However, these approaches raise significant concerns regarding user privacy, autonomy and data protection compliance.

Interoperability solutions are emerging but remain early-stage and non-standardised. Several Trial participants proposed mechanisms to support interoperability across different age assurance systems. These are still nascent and varied in design, making it difficult to generalise about their functionality or maturity.

Technology Readiness Levels (TRLs) vary widely, with many solutions overstating maturity. A significant number of Trial participants reported higher TRLs than could be substantiated. Some conceptual solutions were rated as TRL 3 or higher without evidence of analytical validation or testing. Most interoperable tech stack models remain at a conceptual or early prototyping stage. 

Functionality, performance, privacy and acceptability present critical implementation challenges. Even theoretically promising models face practical threats to performance and adoption. Key concerns include latency, data handling practices, user transparency and public trust - particularly where technologies operate beyond the user's immediate control.

Responsibility and liability in a distributed tech stack are unclear and require further definition. Where age assurance functions are spread across multiple technical layers and actors, accountability becomes diffuse. Without clear regulatory or contractual frameworks, there is a risk of ambiguity in liability, weakening enforcement and redress mechanisms.

Proximity to risk is an important factor in assessing effectiveness. The location of the age assurance mechanism within the stack affects its ability to respond to harmful content or risky interactions. Solutions closer to the user or service (e.g. device-level or in-app) may offer more accurate contextual control but may also have narrower coverage.

Geolocation services can play a role in detecting and preventing circumvention via VPNs. Some participants highlighted the potential for software to support age assurance systems by identifying when users attempt to mask their true location - such as through Virtual Private Networks (VPNs) - to bypass regional age restrictions and can then be required to use geolocation software to prove their real location. While promising, this approach raises its own challenges related to accuracy, evasion tactics and the implications for user privacy and cross-border service access.