How can a service verify that a user is of the required age to use certain online services while respecting their privacy? The CNIL proposes a solution.
The issue of online age verification for minors is once again in the spotlight. While digital technology is undeniably a central component of the lives of minors today, a growing number of studies highlight the potential harmful effects of such an evolution, such as the recent Washington Post study based on an internal document from Meta, admitting to being aware of the negative impact Instagram can have on the mental health of teenage girls.
The necessary establishment of a digital space adapted to the age of users is also highlighted by the regulations surrounding the protection of personal data and privacy. Thus, the GDPR clearly defines specific rules concerning digital minors, and in particular specific conditions related to their consent (Article 8).
The question of the creation of an adjusted digital space constitutes, from this dual point of view, a major social challenge for our digital societies. However, it raises another, thornier and more concrete question: that of the mechanisms for identifying the age of online users. The legal vagueness surrounding the practicalities of age verification procedures in the digital space is a symptom of the dilemma they embody: age verification must, on the one hand, be sufficiently efficient not to become entirely useless; it cannot, on the other hand, prove to be excessively intrusive and cause a violation of the users’ right to their private life. A balance between efficiency and data protection is therefore as delicate as it is necessary to achieve.
The growing intensity of the debates surrounding the verification of the age of users is now pushing a certain number of players to toughen up their procedures: this is particularly the case with Instagram, the latest social network to have announced the establishment of stricter and more complete verification of the age of its users.
Hardening of user age verification procedures: the example of Instagram
On June 23, 2022, Instagram announced the implementation of a system requiring all users (initially in the United States) wishing to define their age as over 18 to prove the veracity of this information through one of the following three methods:
- First, by uploading a valid identity document, which will then be deleted within 30 days.
- Second, by recording a video of oneself which will then be analyzed using facial recognition technology to estimate the age of a person appearing in a video.
- Third, by asking three followers of the user who are at least 18 years old to confirm the age of this user.
Instagram is not an isolated case when it comes to the implementation of this kind of age verification mechanism: thus, Roblox similarly announced in September 2021 the establishment of a system requiring users to prove their age through the communication of a photo ID and a selfie.
However, the dissemination of the age verification practices mentioned above raises questions about their relevance. Do they really make it possible to achieve a satisfactory balance between efficiency of the identification system and respect for the privacy of users?
We can doubt it. Indeed, the communication of identity documents, or even photo or video selfies, represents highly intrusive processing of personal data. More specifically, the use of facial recognition technologies involves sensitive processing of the user’s biometric data. At the same time, such mechanisms are far from infallible and their effectiveness remains to be proven. The possibility of providing a false identity document, of agreeing with other users of the social network, or the use of deep fake technologies, which are increasingly accessible, seem to be ways of circumventing the age verification mechanisms suggested above.
Faced with the observation of the unsatisfactory nature of the age verification measures gradually implemented by digital service providers, another solution must be considered. In this context, the LINC (CNIL’s digital innovation laboratory) published, on June 21, 2022, a demonstration of the feasibility of an innovative, effective and privacy-respecting age verification solution.
Towards a balanced age verification that respects privacy: the CNIL proposal
The solution proposed by the CNIL is based on the intervention of a trusted third party in the procedure for verifying the age of the user of a digital service. Four players are involved in such a proposal: the user of the service subject to an age restriction, the service provider, the trusted third party who knows the age of the user with certainty (for example: a bank, an energy supplier, an internet supplier, etc.), and a certifying authority that has verified the reliability of the trusted third party beforehand.
The different stages of the mechanism proposed by the CNIL are as follows:
- The user wishes to access an online service, the latter being subject to an age limit. The online service provides the user with a “challenge”, in other words a document containing random data. This document does not mention the online service concerned.
- The user transmits the document to the trusted third party of his choice.
- The trusted third party signs the document if the user is of the required age using a secret key that he alone possesses. Nothing in this signature indicates the nature or identity of the signatory trusted third party.
- The user sends the signed document to the online service.
- The online service verifies the validity of the document thus signed by the trusted third party using a public key made available by this trusted third party.
- The user is then granted access to the online service if the signature is valid, proving that the trusted third party has confirmed the age of the user.
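The exchange described in the steps above, as a Go sketch added here; it is not code from the CNIL or the LINC demonstrator. It assumes ordinary Ed25519 signatures, so the service learns which certified key signed; hiding the signer, as the third step describes, needs a group-signature scheme, which is not shown. The names `Service`, `Attest` and `Demo`, the required-age parameter and the single-use challenge table are assumptions, and the actors in `Demo` are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type Service struct { // the age-restricted online service
	pending   map[string]bool     // challenges issued and not yet used
	certified []ed25519.PublicKey // keys of certified trusted third parties
}

// NewChallenge returns 32 random bytes; nothing in them names the service.
func (s *Service) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	s.pending[string(c)] = true
	return c
}

// Attest is the third party's step: sign only if the user is old enough.
func Attest(key ed25519.PrivateKey, challenge []byte, userAge, required int) []byte {
	if userAge < required {
		return nil
	}
	return ed25519.Sign(key, challenge)
}

// Verify accepts any certified key's signature, once per challenge (no replay).
func (s *Service) Verify(challenge, sig []byte) (ok bool) {
	if s.pending[string(challenge)] {
		for _, pk := range s.certified {
			ok = ok || ed25519.Verify(pk, challenge, sig)
		}
	}
	delete(s.pending, string(challenge))
	return ok
}

// Demo (constructed actors): adult accepted, replay refused, uncertified signer refused.
func Demo() (adult, replay, rogue bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	svc := &Service{map[string]bool{}, []ed25519.PublicKey{pub}}
	c1, c2 := svc.NewChallenge(), svc.NewChallenge()
	sig := Attest(priv, c1, 34, 18)
	return svc.Verify(c1, sig), svc.Verify(c1, sig), svc.Verify(c2, Attest(roguePriv, c2, 34, 18))
}
func main() { fmt.Println(Demo()) }
```

Discarding the challenge on every verification attempt is what stops one signed document from being passed between users and presented more than once.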
Such an age verification procedure would represent an important step forward in that it is both extremely reliable and respectful of the user’s privacy. It is extremely reliable, first, because in such a scheme the verification carried out by the trusted third party cannot be circumvented, and the implementation of rigorous certification standards can very simply prevent fraudulent actors from passing themselves off as trusted third parties. It is respectful of privacy, second, because within the framework of this age verification procedure the transmission of personal data relating to the user is kept to a strict minimum. The service provider does not receive any data from the user, apart from the fact that the latter is of sufficient age to access the service, or not. Similarly, the trusted third party has no information other than the user’s request to certify his age.
Thus, at a time when the need for a digital space adapted to the maturity of users is becoming more and more evident, serious reflection on the development of a balanced online age verification system must be undertaken. The proposal put forward by the CNIL through the LINC will require the establishment of an ecosystem and its own large-scale governance. However, it is an extremely promising solution reconciling both the imperatives of efficiency and protection of privacy. An approach in line with responsible innovation which, without depriving itself of the tremendous opportunities offered by digital technology, also takes into consideration the specific needs of certain users, particularly in this case the youngest among them.