Digital rights group condemns age assurance trial’s final report

The final report of the Age Assurance Technology Trial (AATT) has been published, receiving strong criticism from digital rights group Electronic Frontiers Australia (EFA).

EFA Chair John Pane contributed to the AATT Stakeholder Advisory Board as a digital rights advocate and privacy subject matter expert before stepping down in August 2025 due to concerns regarding the preliminary report and communications surrounding the project. EFA had previously raised major criticisms following the AATT's June report and, after reviewing the Final Report, maintains that their concerns remain unaddressed.

Aspirational claims questioned

EFA asserts that the Final Report overstates the capabilities of age assurance technology. The group argues that describing these technologies as "private, efficient and effective" is not factually accurate for the full range of methods assessed during the trial.

"Age assurance tech is not, nor can it be reduced to a political sound bite, of being 'private, efficient and effective.' It is an aspirational statement but not a statement of fact that applies across the entire suite of age assurance technologies and methods tested. There are significant gaps and margins of error."

Privacy critique

EFA's review highlights deficiencies in how privacy compliance is evaluated. The group says that simply reading an organisation's privacy policy is not sufficient to determine real-world privacy protection.

"Privacy compliance and operational effectiveness cannot be inferred by the simple presence and reading of an externally facing privacy policy. There must be a detailed analysis undertaken of the organizational privacy framework, risks register and controls register. To say an organization has embraced Privacy by Design based upon the reading of a privacy policy is simply poor risk management and ultimately fits the definition of 'Privacy Washing.'"

The organisation draws attention to data retention practices by some vendors who store children's personal and biometric information indefinitely, warning that suggested solutions in the report are inadequate.

"Vendors that built backdoors and retained children's personal and biometric data indefinitely – on the assumption that someday, someone, somewhere will request access to it – get a free pass. To fix this, the AATT suggested more 'regulatory guidance.' EFA, however, points out that social media platforms don't have Know Your Customer obligations like banks do. Instead, this kind of data should be securely destroyed as soon as possible after age authentication has been proven."

EFA questions reliance on further regulatory instructions, stating existing resources are already available. The group says,

"And no, unlike the AATT's recommendation to solve this problem by having the regulator (the Office of the Australian Information Commissioner) provide more guidance, all the EFA can say is that the OAIC has published detailed public guidance on these issues for over 20 years. Perhaps no one bothered to look?"

Government and industry responses

The Minister for Communications commented on the report, stating, "This report is the latest piece of evidence showing digital platforms have access to technology to better protect young people from inappropriate content and harm." The Minister continued, "While there's no one-size-fits-all solution to age assurance, this trial shows there are many effective options and importantly that user privacy can be safeguarded."

EFA disputes the assessment presented by the Minister, suggesting policymakers have not fully engaged with the details in the Final Report. The statement reads:

"Clearly neither the Minister nor her staff has closely examined the report. But then again, if your objective is to habituate the Australian public to ubiquitous adoption of Digital ID, why would you?"

Policy and technology concerns

EFA describes the government's effort as unsuccessful, warning that the technological solutions trialled are flawed and readily circumvented.

"The government earns a big, red 'F' from EFA on this initiative. It is bad policy, bad law, and a gap-ridden technological solution that is easily circumvented by technical means or third-party collusion. It does not solve the problem of algorithmic manipulation that steals users' attention and engagement, nor does it fix the inherent shortcomings in our privacy and online safety laws through a mandated digital duty of care."

EFA maintains that the report appears too favourable to the commercial interests of age authentication technology vendors, saying:

"Why does the entire report read like a sales pitch or marketing material for the Age Authentication, Identity Verification, and Biometrics industries? Because it is."

Digital ID pathway

The organisation reiterates its previous worries that the focus on social media age verification regulations is aligned with the government's push for broader Digital ID adoption.

"EFA called it 18 months ago: the Social Media Minimum Age regulation is a trojan horse for Digital ID. Certain age ranges (particularly those 15–18) are highly error-prone, which creates demand for 'more effective' technology. This, in turn, bolsters the government's business case for deploying identity verification technologies, as they are the most effective tool in the tool box. All of this brings us to normalizing the government's entire Digital ID strategy."

EFA concludes its response to the AATT Final Report by comparing the perceived benefits to industry and wider society:

"Age Authentication, Identity Verification and Biometrics Industries: 1 Australian society: 0"