Age verification: an Epic mess

Screenshot of an email purportedly from Epic, about age verification. Key text is in the blogpost

I have a Gmail account which I use for testing purposes. I get a lot of spam to it. Presumably, there are lots of people called “Neil Brown” who forget, or mistype, their own email address, and so give mine instead.

But this is a bit different.

Yesterday, I received an email entitled “Parental Permission for an Epic Games Account”.

Weird, but then I get all sorts of weird spam. So I had a look.

It appeared to be a form of age verification:

Your child (aged 11) has an Epic Games account, which is used to play Fortnite, Rocket League or Fall Guys, or to use other services available from Epic Games companies. We have become aware of your child’s age, and we have temporarily restricted access. Because of their age, we need your permission before we can restore the account and allow it access to our games and services. Your child has provided us with your email address to ask for your permission.

Two things crossed my mind.

First, the weasely-worded “We have become aware of your child’s age”. What on earth does that mean? How did they become aware? By being so secretive, by using such an odd turn of phrase - that awkward use of the passive - it makes it sound really dodgy to me.

Second, “Your child has provided us with your email address to ask for your permission.”.

Now, I don’t have children who ask me for permission to reinstate their currently-restricted access to online games. So perhaps I am doing children everywhere a disservice.

But if your age verification system relies on the child giving their parent’s email address and not an email address which they control, I am very sceptical about its efficacy.

I mean, really?

The email had a button marked “Continue”. Above it, the text:

Click on the link below to provide your permission and restore your child’s account

What on earth does “Continue” mean? Wouldn’t “Give permission” have been a better user experience?

And why say “click on the link below” when it renders as a button?

Anyway, I was assuming it was spam at this point, since no-one would be silly enough to create an age verification system which relied on the child giving a parent’s email address. Right?

So I wanted to have a look at the message source, and then the headers. But, fat fingered me, I clicked “Continue”.

And that was all it took.

I didn’t need to prove my age.

I didn’t need to demonstrate anything about me.

That one mistaken click of “Continue”, and I’d approved some lucky child’s access to an unspecific game.

I wasn’t chuffed that I had done that.

It might be a stupid process but, assuming it is genuine, it’s not my child, and it’s not my decision.

No problem though, I’ll just revoke it using the “back” button on the page. But no, that takes me back to an Epic login screen.

Apparently, once permission is given, that’s it.

So yeah. Age verification. Spamming my inbox, with an approach that, as far as I can see, could be circumvented by the Clever L33t Hack of “giving your own email address”.