How can a service verify that a user is of the required age to use certain online services while respecting the user's privacy? The CNIL offers a solution.
The issue of online age verification for minors is once again in the spotlight. While digital technology is undeniably a central component of minors’ lives today, a growing number of studies highlight the potentially damaging effects of that evolution, such as the Washington Post’s recent study based on an internal document from Meta, which admits to being aware of the negative impact that Instagram can have on the mental health of teenage girls.
The need to create a digital space appropriate to the age of users is also highlighted by the legislation on the protection of personal data and privacy. The GDPR accordingly defines specific rules regarding minors online, and in particular specific conditions relating to their consent (Article 8).
From this dual point of view, creating an adequate digital space constitutes a great social challenge for our digital societies. However, it raises another question, thornier and more concrete: that of the mechanisms for identifying the age of online users. The legal vagueness surrounding the practicalities of age verification procedures in the digital space is a symptom of the dilemma they embody: age verification must, on the one hand, be sufficiently effective not to become completely useless; it cannot, on the other hand, be excessively intrusive and harm users’ right to privacy. A balance between effectiveness and data protection is therefore as delicate as it is necessary to achieve.
The growing intensity of debates on user age verification is now prompting a number of players to tighten their procedures: this is the case in particular of Instagram, the latest social network to announce the establishment of a full verification of the age of its users.
Hardening of user age verification procedures: the example of Instagram
On June 23, 2022, Instagram announced the implementation of a system that requires all users (initially in the United States) who wish to define their age as greater than 18 to prove the veracity of this information through one of the three methods below:
- First by uploading a valid identity document, which will then be deleted within 30 days.
- Second, by recording a video of themselves which will then be analyzed using facial recognition technology to estimate the age of a person appearing in a video.
- Third, by asking three of the user's followers who are at least 18 years old to confirm the age of this user.
Instagram is not an isolated case when it comes to implementing this type of age verification mechanism: thus, Roblox similarly announced in September 2021 that it would set up a system that requires users to prove their age through the communication of a photo ID and a selfie.
However, the spread of the age verification practices mentioned above raises questions about their relevance. Do they really make it possible to achieve a satisfactory balance between the efficiency of the identification system and respect for the privacy of users?
There is reason to doubt it. In fact, the communication of identity documents, or even photographic or video selfies, represents highly intrusive processing of personal data. In particular, the use of facial recognition technologies involves the sensitive processing of the user’s biometric data. At the same time, such mechanisms are far from infallible and their effectiveness remains to be demonstrated. Providing a false identity document, colluding with other users of the social network, or using deepfake technologies, which are increasingly accessible, all seem to be ways to circumvent the age verification mechanisms suggested above.
Faced with the observation of the unsatisfactory nature of the age verification measures progressively implemented by digital service providers, another solution needs to be considered. In this context, the LINC (CNIL digital innovation laboratory) published, on 21 June 2022, a demonstration of the feasibility of an innovative, effective and privacy-friendly age verification solution.
Towards a balanced age verification that respects privacy: the CNIL proposal
The solution proposed by the CNIL is based on the intervention of a trusted third party in the procedure for verifying the age of the user of a digital service. Four actors are involved in this proposal: the user of the service subject to an age restriction, the service provider, the trusted third party who knows with certainty the user’s age (for example: a bank, an energy supplier, a supplier, etc.) and a certification authority that has previously verified the reliability of the trusted third party.
The different phases of the mechanism proposed by the CNIL are the following:
- The user wishes to access an online service that is subject to an age limit. The online service provides the user with a “challenge”, that is, a document containing random data. This document does not mention the online service in question.
- The user transmits the document to the trusted third party of his choice.
- The trusted third party, using a secret key that only it holds, signs the document if the user is of the required age. Nothing in this signature indicates the nature or identity of the signatory trusted third party.
- The user sends the signed document to the online service.
- The online service verifies the validity of the document thus signed by the trusted third party using a public key made available by this trusted third party.
- The user is then granted access to the online service if the signature is valid, proving that the trusted third party has confirmed the user’s age.
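The exchange above, sketched as an added example (not code from the CNIL or the LINC demonstrator). Assumptions: the class and method names are hypothetical, the age threshold is carried inside the challenge, the service makes each challenge single-use with an expiry, and the signature is plain hash-then-sign RSA with a constructed demo key. A plain signature like this one lets the service see which trusted key verified, so it does not by itself provide the signer anonymity described in the third step.

```python
import hashlib, secrets, time

# Constructed demo key from two publicly known Mersenne primes: it offers NO
# security and only stands in for a key pair from a vetted signature library.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # trusted third party's secret exponent

def _digest(challenge: bytes) -> int:
    # Hash-then-sign: a SHA-512 digest is always smaller than N.
    return int.from_bytes(hashlib.sha512(challenge).digest(), "big")

class OnlineService:
    """Issues challenges and checks signed answers (hypothetical names)."""
    def __init__(self, trusted_keys, ttl=300):
        self.trusted_keys, self.ttl, self.pending = trusted_keys, ttl, {}

    def new_challenge(self, min_age=18) -> bytes:
        # Age threshold (assumption) plus random data; nothing names the service.
        challenge = b"%d:%s" % (min_age, secrets.token_hex(32).encode())
        self.pending[challenge] = time.time() + self.ttl
        return challenge

    def grant_access(self, challenge: bytes, signature) -> bool:
        # pop() makes each challenge single-use, so a signed answer cannot
        # be replayed or shared with another session.
        expiry = self.pending.pop(challenge, None)
        if expiry is None or signature is None or time.time() > expiry:
            return False
        return any(pow(signature, e, n) == _digest(challenge)
                   for (n, e) in self.trusted_keys)

class TrustedThirdParty:
    """Knows the user's age and signs only if the threshold is met."""
    def __init__(self, ages):
        self.ages = ages                # constructed sample data

    def sign_if_old_enough(self, user: str, challenge: bytes):
        min_age = int(challenge.split(b":", 1)[0])
        if self.ages.get(user, 0) < min_age:
            return None                 # under age: no signature is issued
        return pow(_digest(challenge), D, N)
```

The service sees only a challenge it issued and a signature; the third party sees only an age threshold and random data.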
This age verification procedure would represent an important step forward as it is extremely reliable and respectful of the user’s privacy. Extremely reliable in the first place because in this scheme the verification carried out by the trusted third party cannot be circumvented and the implementation of rigorous certification standards can simply prevent fraudulent actors from pretending to be trusted third parties. Respectful of privacy as well, because in the context of this age verification procedure, the transmission of personal data relating to the user is kept to a minimum. The service provider does not receive any data from the user, other than whether the user is old enough to access the service or not. Likewise, the trusted third party has no information other than the user’s request to certify their age.
Therefore, at a time when the need for a digital space adapted to the maturity of users is becoming more and more evident, it is necessary to undertake serious reflection on the development of a balanced online age verification system. The proposal put forward by the CNIL through the LINC will require the creation of an ecosystem and its own large-scale governance. However, this is an extremely promising solution that reconciles both the imperatives of effectiveness and the protection of privacy. It is an approach in line with responsible innovation which, without depriving itself of the enormous opportunities offered by digital technology, also takes into account the specific needs of some users, particularly in this case the youngest.