After analyzing various age verification systems intended to control access to websites prohibited to minors, the National Commission on Informatics and Freedoms (CNIL) has made its position known. While encouraging the development of more effective and privacy-friendly solutions, the body avoids committing itself.
How can a system be set up to verify the age of an internet user, so that they can visit a site prohibited to persons under the age of 18, while respecting privacy? This is a delicate balancing act that the CNIL tried to perform by issuing an opinion on the subject.
In the preamble, the National Commission for Informatics and Freedoms recalls some elements of the law. For example, French law and certain European regulations subject the provision of certain services or goods to age conditions, which oblige the sites concerned to check the customer's age: purchase of alcohol, online gambling and betting, certain banking services, etc. “In order to better protect young people online, the Commission expects an increase in age verification obligations for certain services. More generally, the increasing digitization of public and private procedures increases the importance of giving everyone the possibility to issue only proof of attributes (proof of majority, proof of residence, proof of diploma, etc.) without revealing the other constituent elements of identity,” explains the Cnil.
Engaging a trusted third party: easier said than done?
In other cases, such as sites that distribute pornographic content, the law of 30 July 2020 protecting victims of domestic violence has reaffirmed the age verification obligations laid down in Article 227-24 of the Criminal Code. Reminders have also been sent to sites that have not complied, followed by a blocking request in March 2022 for those that had still not complied with this regulation. Verifying the age of internet users for these types of sites is sensitive: it consists on the one hand of ensuring compliance with the law and on the other hand of protecting the privacy of individuals. This means, for example, that sites do not have to collect identity documents, estimate age based on the Internet user's browsing history on the web, or process authenticating biometric data (facial recognition …).
“The Cnil also more generally recommends the use of an independent, trusted third party whose purpose is to prevent the direct transmission of identifying data relating to the user to the site or application that offers pornographic content. With its recommendations, the Cnil pursues the dual purpose of preventing minors from accessing content inappropriate for their age, while minimizing the data collected on Internet users by the publishers of pornographic sites.”
A torpedo called VPN
But how do you do that concretely? The Cnil takes the easy route by recommending that sites subject to an age verification obligation rely on third-party solutions “whose validity has been independently verified”. This is not far from being an overly complicated contraption. “The Cnil recommends going through an independent third-party verifier, whose use is placed under the control of the individual,” the organization continues. “In particular, this independent third party would be responsible for maintaining one or more solutions that make it possible to issue a valid proof of age and, on the other hand, to guarantee to the site visited that the user is of the age required to access the requested content, using cryptographic signatures to verify the authenticity of the information and its source”.
All the more so since a possible circumvention seems easy to perform: “The use of a simple VPN that locates the Internet user in a country that does not require age verification of this order may allow a minor to bypass an age verification device applied in France, or to bypass the blocking of a website that does not comply with its legal obligations. Likewise, it is difficult to certify that the person using the proof of age is the one who obtained it,” admits the Cnil… which does not hesitate to pass the hot potato: “The Cnil has analyzed several existing solutions for verifying the age of users online, checking whether they have the following properties: sufficiently reliable authentication, full coverage of the population and respect for data protection and privacy of individuals and their safety. The CNIL notes that there is currently no solution that satisfactorily meets these three requirements. It therefore calls on governments and players in the sector to develop new solutions.”
A demonstrator facing the reality principle
One of the solutions considered: the purchase, in supermarkets or tobacconists where age verification can be carried out, of scratch cards that give a username and password to access prohibited content. We imagine that if the controls are as effective as those put in place to prevent minors from purchasing alcohol or cigarettes, the banned web content could end up in front of anyone's eyes. Not to mention the widespread sharing across social networks of the precious "open sesame" of username and password pairs. Other solutions seem more problematic from the point of view of preserving the integrity of personal data or even security as a whole (payment cards, facial analysis, identity documents, etc.).
But the Cnil has also worked, on an exploratory basis, on an original verification system, in collaboration with Olivier Blazy, professor of cybersecurity at the Ecole Polytechnique, and PEREN. This system, whose source code is freely accessible, adaptable and reusable (commercially or not) provided the source is acknowledged, is based on three components: a website whose content requires verification that the internet user is of the required minimum age; one or more “accredited” sites to verify the real age of Internet users; and a “trusted” authority that handles the accreditation of these sites. It now remains to put this demonstrator to the test of real life and see whether it will one day get off the drawing board, or not.
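
The three roles just described, and the signed proof of age mentioned earlier in the Cnil's recommendation, can be sketched as a two-level signature chain. This is an added example, not the Cnil/PEREN demonstrator's code: the use of Ed25519, the function names, the claim format and the site nonce are all assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');

// Hypothetical helpers; every key and value below is constructed for this example.
const newKey = () => nodeCrypto.generateKeyPairSync('ed25519');
const spki = (pub) => pub.export({ type: 'spki', format: 'der' });
const sign = (priv, data) =>
  nodeCrypto.sign(null, Buffer.from(data), priv).toString('base64');
const check = (pub, data, sig) =>
  nodeCrypto.verify(null, Buffer.from(data), pub, Buffer.from(sig, 'base64'));

// 1. The trusted authority accredits a verifier by signing its public key.
function accredit(authorityPriv, verifierPub) {
  const key = spki(verifierPub).toString('base64');
  return { key, sig: sign(authorityPriv, 'accredited:' + key) };
}

// 2. The accredited verifier, having checked the user's age by its own means,
//    signs a claim that carries only the attribute and the site's one-time
//    nonce (relayed by the user), with no identity data.
function issueProof(verifierPriv, accreditation, nonce) {
  const claim = JSON.stringify({ over18: true, nonce });
  return { claim, sig: sign(verifierPriv, claim), accreditation };
}

// 3. The site checks the accreditation, then the proof, then its own nonce.
function siteAccepts(authorityPub, proof, expectedNonce) {
  const { key, sig } = proof.accreditation;
  if (!check(authorityPub, 'accredited:' + key, sig)) return false;
  const verifierPub = nodeCrypto.createPublicKey({
    key: Buffer.from(key, 'base64'), format: 'der', type: 'spki' });
  if (!check(verifierPub, proof.claim, proof.sig)) return false;
  const claim = JSON.parse(proof.claim); // parsed only after the signature holds
  return claim.over18 === true && claim.nonce === expectedNonce;
}

function demo() {
  const authority = newKey(), verifier = newKey(), rogue = newKey();
  const acc = accredit(authority.privateKey, verifier.publicKey);
  const nonce = nodeCrypto.randomBytes(16).toString('hex');
  const proof = issueProof(verifier.privateKey, acc, nonce);
  const forged = issueProof(rogue.privateKey, acc, nonce); // unaccredited signer
  return {
    valid: siteAccepts(authority.publicKey, proof, nonce),
    replayed: siteAccepts(authority.publicKey, proof, 'nonce-of-another-session'),
    forged: siteAccepts(authority.publicKey, forged, nonce),
  };
}
```

The nonce stops a captured proof from being reused in another session, but nothing in the chain ties the proof to the person in front of the screen, which is the limit the Cnil itself admits. In this simplified form the site also sees which accredited verifier signed the proof.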