CNIL Privacy-friendly Age Verification System
It goes without saying that online age verification is a complicated issue with serious privacy and security risks. That’s why the French DPA (CNIL) released an analysis to help clarify its position on online age verification and outline how publishers can meet their legal obligations.
In short, an age verification system is a method used to verify a person’s age before granting them access to certain content or services. Age verification systems can use various methods such as asking for the user’s date of birth, verifying a user’s government-issued identification, or using third-party verification services. The purpose of these systems is to prevent children or minors from accessing content or services that are not appropriate for their age, and to help companies comply with laws related to privacy and data protection.
The CNIL examined the various forms of age verification systems, notably on pornographic websites where such verification is required. CNIL considers it easy to bypass the current systems and advocates for developing more privacy-friendly alternatives.
Knowing an individual’s identity can help with age verification; however, it can connect the individual to their online activities, which contain highly private and sensitive information.
Therefore, the need to establish internet users’ ages raises privacy and personal data protection concerns.
Users are required to identify themselves in order to access certain websites or participate in certain online activities (e.g., to buy goods on an e-commerce site).
Age verification is likely to change how well users’ privacy is protected. While access to sites or online services does not necessarily require identification, if the users do not give the publisher information on their identity, they will be blocked from visiting the site.
Given the growing significance of digital technologies in people’s lives, the CNIL emphasizes the importance of educating and raising awareness among minors, parents, legal guardians, and employees in the educational community about safe online practices.
In this regard, as part of its work on minors’ digital rights, the CNIL published general recommendations in August 2021 to comply with the obligations of the GDPR and the Act on minors’ access to social networks. The recommendations reinforce the standards set to,
Age verification systems should be built on six pillars: minimization, proportionality, robustness, simplicity, standardization, and third-party intervention.
💡 The CNIL tends to favor user-controlled systems over centralized or imposed ones. From this perspective, parental control seems to be the most considerate of people’s rights because it encourages households to limit access to sensitive information.
The purchase of alcohol, online gaming and betting, some financial services, and other products are all subject to age restrictions under French legislation and various European rules. Therefore, such sites are required to confirm the customer’s age. Additionally, certain services have contractually mandated age restrictions (e.g., access to application settings for children).
The legal framework already requires a fairly strong confirmation of identity, and website publishers have consequently incorporated age verification systems.
💡 CNIL predicts an increase in age verification requirements for some services in order to protect children better online. That being said, CNIL also urges caution not to unreasonably raise the standards for online age verification, which would result in a decrease in the number of sites that can be freely accessed.
Age verification methods must be managed in the short term by a reliable third party.
When using a trusted third party, as the CNIL advised in its decision dated 3 June 2021, the age verification is divided into two distinct operations:
1. First, the user’s age is verified. This verification may be provided by a variety of organizations that are familiar with the user, including digital identity service providers and organizations with which the user is acquainted (a merchant, a bank, an administration, etc.).
2. Second, the website visited must receive this verified evidence of age before deciding whether to grant access to the requested content.
However, these two factors raise significant data protection and privacy concerns, especially in light of the desire to maintain the option of using the internet anonymously or without disclosing personally-identifying information.
🚀 To effectively protect people’s data while verifying their age, CNIL advises using an unbiased third party.
The CNIL advises sites subject to age verification requirements not to conduct age verification operations themselves but rather to rely on third-party solutions whose validity has been independently verified in order to maintain a high level of data protection.
🚀 To effectively transmit a valid proof of age to a site, CNIL advises using an independent third-party verifier, used at the user’s discretion, to transmit the verified proof of age to the website.
A third party would be responsible for choosing one or more methods that would enable the issuance of legitimate proof of age by using cryptographic signatures that enable the information’s source and authenticity to be confirmed.
The safeguards used in this proof of concept:
This trusted third party could take the form of an “attribute management” service, which would give each user the option to select from a well-known data provider to disclose their data (such as an electricity company to certify an address or an identity service to certify an age).
💡 According to the Communication “the new European strategy for a better internet for kids” (PDF), the work of the European Commission is progressing in this direction.
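The signed proof of age described in this section, as an added example (not CNIL's or LINC's code): a third party signs only an over-18 claim bound to a nonce chosen by the site, and the site checks the signature before granting access. The key pair, field names and 120-second lifetime are assumptions; this is a plain Ed25519 signature, so unlike a zero-knowledge approach the site still learns which issuer signed.

```javascript
const crypto = require('node:crypto');

// Constructed issuer key pair (assumption): the third party keeps the private
// key and publishes the public key to sites that accept its proofs.
const issuer = crypto.generateKeyPairSync('ed25519');

// Third party: once age is checked by its own method, sign ONLY the claim.
// No name, birth date or account identifier enters the proof (minimization).
function issueProof(isOver18, siteNonce, nowSec, privateKey = issuer.privateKey) {
  const claims = { over18: isOver18, nonce: siteNonce, exp: nowSec + 120 };
  const payload = Buffer.from(JSON.stringify(claims));
  const sig = crypto.sign(null, payload, privateKey);
  return `${payload.toString('base64url')}.${sig.toString('base64url')}`;
}

// Website: confirm source and authenticity first, then freshness and the claim.
function checkProof(token, expectedNonce, nowSec, publicKey = issuer.publicKey) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const payload = Buffer.from(parts[0], 'base64url');
  const sig = Buffer.from(parts[1], 'base64url');
  let claims;
  try {
    if (!crypto.verify(null, payload, publicKey, sig)) {
      return { ok: false, reason: 'bad signature' };
    }
    claims = JSON.parse(payload.toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // The nonce ties the proof to this visit, so a copied proof fails elsewhere.
  if (claims.nonce !== expectedNonce) return { ok: false, reason: 'nonce mismatch' };
  if (typeof claims.exp !== 'number' || nowSec > claims.exp) {
    return { ok: false, reason: 'expired' };
  }
  if (claims.over18 !== true) return { ok: false, reason: 'under age' };
  return { ok: true, reason: 'ok' };
}

// Constructed run: the site picks a nonce, the user relays it to the third party.
const nonce = crypto.randomBytes(16).toString('hex');
const now = Math.floor(Date.now() / 1000);
console.log(checkProof(issueProof(true, nonce, now), nonce, now));
```

Because the user relays the nonce, the third party never needs to be told which site asked for the proof.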
The CNIL has examined various solutions that are now available for online age verification to see if they meet the criteria for sufficiently reliable age verification. You can read this analysis here.
CNIL is developing an age verification system with a focus on privacy. In order to achieve this, the CNIL’s Digital Innovation Laboratory (LINC) has shown that a system based on a secure protocol employing “zero-knowledge proofs” is feasible.
This technique is based on a method used in cryptology that enables users to provide proof of age without disclosing any additional information.
This demonstration explains how the security of a user’s identity and the principle of data minimization can be guaranteed through a third-party system while still retaining a high level of confidence in the correctness of the data supplied.
👋 See here for the Demonstration of a privacy-preserving age verification process.
Whatever method is used to determine a user’s age, it must be reliable, the data must be kept private, and the amount of data transferred must be kept to a minimum.