Though we’ve had a full year to contemplate the idea of age-restricted social media platforms, in some ways it feels as though certain questions are only being asked and answered now, with less than a week to go until Australia’s world-first laws come into effect. And foremost in the minds of many is the idea of facial age verification.

Why is the government asking social media companies to scan our faces? How does the tech work? How safe and secure is it? Are there any major downsides? And, importantly given the reports of under-16s circumventing the measures using the faces of their parents just days after the first apps put age verification in place, will it actually work as intended?

Facial age estimation is just one form of technology that will be used to comply with the social media ban. As part of the new laws, social media companies will be legally required to keep Australian under-16s off their services to the best of their abilities. But the government has also been clear that they’re not to rely solely on government-issued photo IDs, which are by far the most reliable and accurate way of verifying someone’s age.

It’s not that it’s impossible to safely verify your age online with a photo ID. We’ve all provided our passwords, credit card information and other important data to websites millions of times, and the amount of it that ends up in the wrong hands is relatively small, because the services we trust use systems that verify and discard — or encrypt securely and store — that data. Similar systems work for age verification from photo IDs as well.

But people don’t trust social media companies. And we’re not just talking about huge multinationals here; the government’s age restrictions apply to any service that meet its content guidelines, meaning much smaller apps as well. If it allowed them to ask every Australian for a photo ID as a condition of entry, some of the data would undoubtedly end up in places it shouldn’t be.

As long as they offer a reasonable alternative to photo ID, social media companies are being allowed to choose which methods they use to verify ages, though the office of the eSafety commissioner has provided extensive guidance on technology types and safety standards. So it’s not necessarily the case that all platforms will use facial verification. But given its proven use around the world as a quick, safe, non-intrusive and reasonably accurate method of ascertaining age, many will.

The age verification waterfall

For the biggest companies, including the 10 eSafety has specifically called out as being subject to the restrictions, the truth is that they already know the rough age of all their users. Inferring personal information about users that may be useful for engagement and advertising is the entire business model of most of these companies, and is also a big part of the reason these restrictions exist in the first place. Do you really think Facebook needs to do any extra work to collect and analyse photos of its user’s faces?

So, some form of age inference is already being applied to all social media accounts, even when there’s no legal requirement. That might mean inferring your age from photos you post, messages you send or subjects you’re interested in. It’s not exactly precise, but if the estimate on your account is 40-45 then the platform might be satisfied and won’t ask you to verify your age for the purposes of the new laws. If it’s 20-25 though, it may.

The eSafety commissioner has recommended companies take a “waterfall” approach to this problem, borrowing industry jargon to mean starting with the method that interrupts users the least and then escalating from there as necessary. So theoretically, the company could first check to see if it’s already very confident a user is over 16, without the user even knowing.

The next option might be an instant background check, which would require the platform to use an identity service. VerifyMy, which supplies services like these to companies complying with US and European laws, says it can verify the vast majority of adults over 18 very quickly using only their email address, deleting all the information afterwards. The social media companies already have your email address, so you would likely be asked to consent to the check, and the identity company would then search through financial records and the like to see if your email address shows up. If you’ve ever taken out a loan or paid for utilities, it probably will.

If the methods that can happen automatically in the background fail, the next step would likely involve the user supplying a short video of themselves. Which is where visual facial age estimation comes in.

The video selfie

It’s important to note that since the government isn’t requiring social media companies to use any specific technology or service, we can’t say exactly what the process will be for each app. But in this hypothetical waterfall scenario I’m describing — based on the eSafety’s guidelines and the way things have worked with age restriction regulations overseas — I’ll describe the facial age technology provided by Yoti, a British company that Meta uses for identity services. It currently processes more than a million age checks per day, thanks to laws restricting access to adult services and the purchasing of certain goods in the US and Europe.

If the platform hasn’t been able to verify that you’re 16 or over with the above methods, it may open up a facial age estimation window powered by Yoti’s technology. This doesn’t require you to download an app or go anywhere outside of the platform, and it works with whatever camera is attached to the device you have. Prompts guide you through capturing a photo of your face, while Yoti’s processes attempt to confirm it is a living face rather than a photo or some other image.

Once the data is captured, the system analyses it and guesses your age, with the pass or fail transmitted to the social media platform. Yoti says this takes less than a second. Importantly, it’s not using your facial data to make any assumptions about you other than your age. It’s not trying to identify you, and it doesn’t pass anything on to the social media platform except whether you passed or failed. Yoti says that its selfie age assurance works to within one year of accuracy, and equally well across genders and skin tones. So anyone over 17 should pass.

So, will kids be able to break into social media using their parents’ faces, as several have already boasted of doing online? Of course they will. Facial age estimation platforms are designed only to guess the age of a face, not to identify the person the face belongs to, or ensure it’s the same person using a social media account. Yoti makes big claims about its ability to tell a living face from a photo or recording, but other platforms may not be as strong.

But this isn’t to say that getting around the ban will be easy. The underage user will likely need access to a willing adult accomplice, and all the platform’s other analytics will still be sounding the alarm. If you recently changed your birthdate to make yourself 16 instead of 13, then passed a facial age estimation check, then continued to engage with the platform in a way that’s consistent with a 13-year-old, the apps will take note. You might not get booted right away, but if eSafety is upset that too many underage users are still on the platform, they’ll know who to re-verify.

Where else things could come apart

At this point in the waterfall hypothetical, the huge majority of Australians who are legitimately over 16 have been allowed onto the platform, either because the app already knows they’re an adult, or because of a background check or facial age estimation. The remainder can fit generally into three groups; those who are under 16, those who are under 17 (remember Yoti’s technology is accurate to within one year), and those who are an absolute edge case in both not having an active email address and appearing significantly younger than they are. Photo IDs are the next least intrusive option.

For the edge cases, the process should go smoothly and (if the platform is following best practices and eSafety’s guidance) would not require them to give a scan of their ID to a company that’s going to misuse it or store it improperly. An identity service would capture a video of the user holding their ID, checking the details against government records while also matching the face on the document, subsequently informing the platform of a pass or fail and deleting all the data.

The big problem for users between 16 and 17 is that if they don’t have a learner’s permit or passport they likely don’t have a useable photo ID. Some states have alternative documents and there are burgeoning digital ID systems that let you prove your age through other documents and then provide a token to the platform, but users will be at the mercy of social media platforms and identity services in terms of which of these are supported.

Users who are actually under 16 and are determined to defeat the verification system would likely do so in this step of the waterfall, assuming they couldn’t find a compliant adult to help in the previous one of the waterfall or the previous one. They could procure the genuine photo ID of a person who looks like them, for example their parent or sibling, and hope to get through. Since the verification happens through the identity company and not the social media platform, the ID would not be compared against any photos a user posts.

This is all based on speculation of how the system will ideally work, but there are other potential issues. What happens when a small under-resourced or inexperienced social media company tries to comply and ends up with user data it really doesn’t need to have? What about when crooks start making fake pages that look like verification screenings and ask people to send pictures of their passports? What if it’s so easy for underage users to side-step the checks that social media companies need to employ more intrusive methods?

We’re not even at the December 10 threshold where eSafety will begin auditing the efforts, so it’s obviously too early to tell how things will go. But of all the things you might worry about, Facebook getting access to more images of your face shouldn’t be one of them.

Get news and reviews on technology, gadgets and gaming in our Technology newsletter every Friday. Sign up here.