
Age assurance and the case for building safety into the device

May 4, 2026

Colm Gannon, CEO, ICMEC Australia 

Earlier today, ICMEC Australia met with a delegation of Mongolian parliamentarians and government officials to discuss one of the most pressing questions in online child safety: how do we actually verify who is using the internet, and what can we do with that information once we know? 

It is a question that governments across the world are wrestling with. Age assurance, the ability to determine with reasonable confidence whether a user is a child or an adult, has become a foundation of modern online safety architecture. Australia has already moved decisively on this with its social media delay for under-16s. The UK’s Online Safety Act, enforced by Ofcom, has gone further still, requiring platforms to implement age assurance that is ‘highly effective’, not just technically present. 

The problem with most age assurance approaches to date is where the verification happens. When each platform or service runs its own process, users face repeated verification cycles, data is shared across dozens of services, and children determined enough to circumvent one check simply move on to the next. The burden sits entirely with the individual user and the individual platform, and neither is particularly well equipped to carry it. 

Device-based age assurance changes the architecture of that problem. 

Earlier this year, Apple rolled out device-level age verification to UK users via iOS 26.4, making the UK one of the first countries in the world to implement this model at scale. The rollout has not been without friction – technical issues and gaps in accepted verification methods have presented real challenges for some users. But the underlying model is significant, and the direction of travel is clear. Under this approach, a user verifies their age once, directly with their Apple device. That verified status sits at the device level, tied to their Apple ID. Services can then query an age signal without ever receiving personal identity data directly. The verification is contained within the device ecosystem, not shared across the open web. 

The privacy implications of this are worth examining carefully. Device-based approaches raise fewer data minimisation concerns than platform-level alternatives – rather than every app and platform verifying your date of birth or identity document, the data stays with the infrastructure provider. It also means a single verification event can inform access decisions across many services, reducing the friction of repeated identity checks. No architecture is without trade-offs, and questions about circumvention remain live in the policy debate. But the device layer offers a more structurally robust starting point than asking each platform to solve this independently. 

There is a broader principle at work here too. A device-based system has the capacity to evolve with the person using it. A child’s account, properly verified, receives age-appropriate access and protections. As the user grows older and their verified status updates, access can expand accordingly. The device becomes a kind of lifelong safety layer, not a one-time gate. 

This is what a genuine safety stack looks like: device-level protection, platform-level controls, a digital duty of care built into infrastructure rather than bolted on after the fact. It is the theme ICMEC Australia has placed at the centre of our 2026 Symposium, taking place in Sydney on 22 October. If you work in technology, policy, law enforcement or child protection and want to be part of that conversation, tickets are now available at icmec.org.au.

ICMEC Australia's position has always been that safety architecture must be proactive, not reactive. Waiting for harm to occur and then responding is not a strategy. Building the conditions that reduce harm at the point of access is. What we are seeing emerge in the UK, and in conversations like the one just had with our Mongolian colleagues, is a growing global recognition that the device is the right place to anchor age assurance – because it is the one layer of the technology stack that genuinely follows the user. 

Children do not experience the internet in silos, and neither can the systems designed to protect them. 

About the Author

Colm Gannon is the CEO of ICMEC Australia, leading the organisation's efforts to protect children from sexual exploitation and abuse. With 20 years of law enforcement experience spanning cybercrime investigations, online harms, and child sexual exploitation, combined with expertise in AI policy and technology development, Colm is one of Australia's foremost experts on child protection and the role of technology in both enabling and preventing harm to children. 
