This document presents the official report of the Age Assurance Technology Trial, offering a comprehensive overview of its findings, methodologies and key observations. It brings together the conclusions and detailed analyses of the range of age assurance technologies assessed during the Trial. All of this was evaluated within the Australian context.
To ensure robust and replicable results, the research methodology aligned with leading international standards and frameworks, including ISO/IEC 25040 (for quality evaluation), ISO/IEC FDIS 25766 (for age assurance systems) and IEEE 2089.1 (for online age checking systems). The methodology also considered unique Australian regulatory, cultural and social considerations, with specific attention to the participation of Aboriginal and Torres Strait Islander Peoples and alignment with Australia’s privacy and online safety frameworks.
Part C of the Age Assurance Technology Trial focuses specifically on age verification – the process of determining an individual’s age by referencing a verified date of birth and calculating their age from that known data point. Age verification represents the most direct and high-assurance form of age assurance and is already in widespread use across many regulated industries.
Part D of the Age Assurance Technology Trial focuses specifically on age estimation – a method of determining an individual’s likely age or age range by analysing physical or behavioural characteristics using artificial intelligence or machine learning models. Unlike age verification, which relies on known and validated dates of birth, age estimation applies biometric or statistical techniques (such as facial analysis, voice modelling or motion pattern recognition) to predict age without the need for formal identity documents.
Part E of the Age Assurance Technology Trial focuses specifically on age inference – a method of determining an individual’s likely age or age range based on verifiable contextual, behavioural, transactional or environmental signals, rather than biometric data or identity documents. Unlike age verification, which relies on a known and validated date of birth or age estimation, which uses biometric characteristics to predict age, age inference draws reasonable conclusions about age by analysing facts such as school enrolment, financial transactions, content barring settings, service usage or participation in age-specific activities.
Part F of the Age Assurance Technology Trial focuses on successive validation, the process of combining two or more age assurance methods (such as age inference, age estimation and age verification) to reach a more accurate, risk-appropriate or confidence boosted age-related decision. Defined in ISO/IEC FDIS 27566-1 successive validation supports the principle that age assurance should be proportionate to risk, enabling layered approaches where no single method alone is sufficient or contextually appropriate.
Part G of the Age Assurance Technology Trial focuses specifically on parental control systems – the tools, configurations and supervisory features that allow parents or guardians to manage a child’s access to digital content, services, devices or online functions. Parental controls play a significant role in digital safety ecosystems by providing families with the means to restrict or guide a child’s exposure to age-inappropriate content, particularly in contexts where direct age verification or estimation may not be viable or proportionate.
Part H of the Age Assurance Technology Trial focuses on parental consent – a form of age assurance where a parent or guardian confirms a child’s access to age restricted goods, services or content, typically in digital environments. Unlike age estimation, inference or verification, parental consent does not seek to determine a user’s age directly. Instead, it relies on the intervention of a responsible adult, who attests to the child’s eligibility, often in response to an age-related trigger.
Part J of the Age Assurance Technology Trial examined how age assurance, parental consent and control mechanisms could be embedded more systematically across the digital ecosystem by leveraging the technology stack – ranging from user devices and browsers to networks, app stores and backend services. The aim was to explore whether stack-level deployment could move beyond fragmented service-by-service implementation and support more consistent, interoperable and privacy-conscious approaches to protecting children online.
Part K of the Age Assurance Technology Trial provides the core reference materials that support the evaluation findings across all parts of the Trial. It serves as a foundational resource for readers seeking clarity on key terms, source materials and the broader evidence base that informed the Trial’s design, execution and analysis.
Age assurance can be done in Australia – our analysis of age assurance systems in the context of Australia demonstrates how they can be private, robust and effective. There is a plethora of choice available for providers of age-restricted goods, content, services, venues or spaces to select the most appropriate systems for their use case with reference to emerging international standards for age assurance.
Our evaluation did not reveal any substantial technological limitations that would prevent age assurance systems being used in response to age-related eligibility requirements established by policy makers. We identified careful, critical thinking by providers on the development and deployment of age assurance systems, considering efficacy, privacy, data and security concerns. Some systems were easier for initial implementation and use than others, but the systems of all technology providers with a technology readiness level (TRL) 7 or above were eventually capable of integration to a user journey.
We found that the practice statements provided by age assurance providers with a TRL of 7 or above fairly reflected the technological capabilities of their products, processes or services (to the extent applicable to the Trial’s evaluation criteria). Some of the practice statements provided have needed to be clarified or developed during the course of the Trial, but we observed that they offer a useful option for transparency of the capabilities of the available age assurance systems. Those with a TRL below 7 will need further analysis when their systems mature.
We found a plethora of approaches that fit different use cases in different ways, but we did not find a single ubiquitous solution that would suit all use cases, nor did we find solutions that were guaranteed to be effective in all deployments. The range of possibilities across the Trial participants demonstrate a rich and rapidly evolving range of services which can be tailored and effective depending on each specified context of use.
We found a vibrant, creative and innovative age assurance service sector with both technologically advanced and deployed solutions and a pipeline of new technologies transitioning from research to minimum viable product to testing and deployment stages indicating an evolving choice and future opportunities for developers. We found private-sector investment and opportunities for growth within the age assurance services sector.
We found robust understanding of and internal policy decisions regarding the handling of personal information by Trial participants. The privacy policies and practice statements collated for the Trial demonstrate a strong commitment to privacy by design principles, with consideration of what data was to be collected, stored, shared and then disposed of. Separating age assurance services from those of relying parties was useful as Trial participants providing age assurance services more clearly only used data for the necessary and consented purpose of providing an age assurance result.
The systems under test performed broadly consistently across demographic groups assessed and despite an acknowledged deficit in training age analysis systems with data about Indigenous populations, we found no substantial difference in the outcomes for First Nations and Torres Strait Islander Peoples and other multi-cultural communities using the age assurance systems. We found some systems performed better than others, but overall variances across race did not deviate by more than recognised tolerances.
We found opportunities for technological improvement including improving ease of use for the average person and enhancing the management of risk in age assurance systems. This could include through one-way blind access to verification of government documents, enabling connection to data holder services (like digital wallets) or improving the handling of a child’s digital footprint as examples.
The Trial found that both parental control and consent systems can be done and can be effective, but they serve different purposes. Parental control systems are pre-configured and ongoing but may fail to adapt to the evolving capacities of children including potential risks to their digital privacy as they grow and mature, particularly through adolescence. Parental consent mechanisms prompt active engagement between children and their parents at key decision points, potentially supporting informed access.
We found that the systems were generally secure and consistent with information security standards, with developers actively addressing known attack vectors including AI-generated spoofing and forgeries. However, the rapidly evolving threat environment means that these systems – while presently fairly robust – cannot be considered infallible. Ongoing monitoring and improvement will help maintain their effectiveness over time. Similarly, continued attention to privacy compliance will support long-term trust and accountability.
We found some concerning evidence that in the absence of specific guidance, service providers were apparently over-anticipating the eventual needs of regulators about providing personal information for future investigations. Some providers were found to be building tools to enable regulators, law enforcement or Coroners to retrace the actions taken by individuals to verify their age which could lead to increased risk of privacy breaches due to unnecessary and disproportionate collection and retention of data.
The standards-based approach adopted by the Trial, including through the ISO/IEC 27566 Series [Note 1], the IEEE 2089.1 [Note 2] and the ISO/IEC 25000 [Note 3] series (the Product Quality Model) all provide a strong basis for the development of accreditation of conformity assessment and subsequent certification of individual age assurance providers in accordance with Australia’s standards and conformance infrastructure.
[Note 1] This Series of International Standards relates to Information security, cybersecurity and privacy protection – Age Assurance Systems. Part 1, referenced throughout this suite of documents. It is the Framework document, at Final Draft International Standard Stage. 27566-2 is the Technical approaches and guidance for implementation document and 27566-3 is the Comparison or Analysis document.
[Note 2] The IEEE 2089.1-2024 standard establishes a framework for the design, specification, evaluation, and deployment of age-verification systems. It was published internationally in 2024.
[Note 3] The series of standards ISO/IEC 25000, also known as SQuaRE (System and Software Quality Requirements and Evaluation), has the goal of creating a framework for the evaluation of software product quality.
All 10 Parts to the Report are free to download from this website, but they are 1,150 pages long. So if you would like to order a full set of all of the reports, or individual reports, you can do so by visiting the links below.
