How can you effectively verify the age of users wishing to access a protected site? The government will soon be testing a system to address this issue.
Since July 2020, a law has required pornographic sites to “effectively control the age of their visitors”. In France, access to this type of content is forbidden to minors under the age of 18. Currently, users carry out this verification by means of a simple click of consent, which by declaration approves the user’s majority. This unreliable solution will soon be replaced by a more thorough verification of the user’s age. At least, that’s the ambition of the government, which will be testing a brand new system from the end of March. A simple declaration will no longer suffice: you’ll have to prove that you’ve reached the age of majority .
The principle of double anonymity
“We’re working to bring out an age verification solution that respects a principle of double anonymity,” explained Jean-Noël Barrot, Minister Delegate in charge of the Digital Sector.
“Whoever provides the attestation of majority doesn’t know what it’s going to be used for. It could be a telecom operator, a digital identity provider or any other organization that can attest to a person’s majority.” Conversely, the site on which the attestation of majority is used does not know the identity of the person. This is known as the principle of double anonymity.
With this method, the government hopes to make its law applicable to publishers of pornographic sites. The main aim is to win the support of end-users, who must be able to carry out this verification quickly and easily, and above all with complete confidence. Let’s not forget the complex issue of this device, which carries major risks, particularly with regard to privacy. The challenge is to strike a balance between protection of minors, respect for privacy and tolerance of the user experience.
The role of trusted third parties
According to the French Minister for the Digital Economy and the opinion of Arcom and CNIL, double anonymity is “the most robust system” available today.
The CNIL (Commission Nationale de l’Informatique et des Libertés) recommends the use of an independent trusted third party to prevent the direct transmission of identifying user data to the site. This meets the dual objective of preventing minors from consulting unsuitable content, while minimizing the data collected on Internet users by the publishers of these sites.
In practice, age control is divided into two distinct operations:
- on the one hand, the issue of proof of age,
- the transmission of this proof.
By entrusting these two operations to different players, privacy protection is strengthened to the maximum. The ideal solution would be for the proof of age to pass through the user directly, by means of a cryptographic signature. This would ensure that the third party transmitting the proof of age has no knowledge of the site visited, and conversely that the site visited has no knowledge of the provider of the proof.
Against this backdrop, the CNIL would like to see the creation of a certification framework for third-party players involved in the management of proof of age.
Like the PVID
certification, the CNIL considers that this framework could be inspired by it, in order to attest to the quality and reliability of the service provider, while avoiding less serious or even fraudulent services.
What are the solutions?
The CNIL has identified several existing solutions for verifying users’ age online:
Verification by estimation based on facial analysis: age estimation technique based on facial analysis, without attempting to identify the person. However, the risk of error can be significant, especially for people close to the age of 18.
Verification by ID document analysis accompanied by facial verification: since providing an ID document alone is easily circumvented by using a false or stolen document, some systems also incorporate facial verification. Living detection” counteracts any attempt at circumvention. This process is much more reliable and is also used for
according to ANSSI’s PVID standard.
Verification by an authentication service: the use of third-party identification solutions such as the one offered by FranceConnect. This solution is unsatisfactory, as the use of such a device could entail the risk of associating an official identity with certain intimate information, or even a supposed sexual orientation.
Other solutions are also mentioned, such as payment card validation, an offline verification system or inference-based verification.
The future of trust on the Internet?
The promise of double anonymity is that you can reliably prove your age, without having to provide the site with your precise identity data. Whatever solution you use, you need to guarantee reliability, confidentiality and minimize the amount of data exchanged.
Using trusted third parties offers a number of advantages, including guaranteed protection of the user’s identity and compliance with the principle of data minimization, while maintaining a high level of reliability for the data transmitted.
However, to be truly effective, double anonymity should not only be used by pornographic sites. It will also have to be used on other online services forbidden to minors. We can imagine it being applicable to certain gaming sites (notably online gambling and sports betting), and why not to social networks, which also impose a minimum age.