The European Commission will announce a solution to the online age verification problem next month. An app will allow you to (safely) indicate whether you are eighteen years or older. At least, if sites and services start using the app.
Buying alcohol, watching porn, and opening a social media account: these kinds of things have a minimum age requirement on the internet. But effective control is lacking in practice. Often, pressing a button (or entering a fake age) is enough to get in everywhere – regardless of how old you actually are.
This has been a headache for years. Online platforms need to be able to verify ages without infringing on users’ privacy. Uploading a passport copy is a bad idea, according to critics, because then all users would have to do that, and sensitive personal data would end up en masse with large tech companies. Not to mention data leaks.
The conversation around age verification has mainly been about porn sites in recent weeks. The European Commission is calling on a number of those sites to prove that they are taking enough measures to keep minors off their platforms. They are required to do so under the European tech law DSA.
The same Commission will come with an app next month that allows people to indicate to websites that they are old enough, without sending any further information. They do this by linking the app to a trusted authority, such as a bank or government service. The age verification is then stored encrypted in the app, so that no one can access it.
If the user then comes to a website that asks for an age check, the app only indicates at that moment whether the person is old enough. “It’s like a coin made especially for a cigarette machine,” says cybersecurity expert Harm Teunis of ESET Netherlands. “With that you show that you are old enough, nothing else.”
What the app actually does is either confirm that someone is old enough, without sending a date of birth at all. The check takes place in the secure app, not on the website.
Just look and then forget
According to privacy researcher Jaap-Henk Hoepman, it should not be possible for the issuer of an age verification, such as the government or bank, to know where and when the user logs in. Robbert Hoving of Offlimits, the expertise center that is committed to combating online child abuse, agrees. “It is important that we do not open any back doors that allow governments and services to access private data.”
In the most ideal case, it works like in the supermarket, says Hoepman. “At the checkout you just show your passport and when you walk away the other person has forgotten it again. That’s what you want. But that’s surprisingly difficult to achieve in the digital domain.”
The app serves as a precursor to a European digital identity that EU member states must issue next year. This will allow citizens to store their identity documents securely on their phones. If authorities need certain information, that app can ensure that only the necessary information is shared.
Because many countries are lagging behind in the development of these ‘wallets’, the Commission is now coming up with a temporary solution.
Doubts about effectiveness
How effective this app proves to be in practice depends on parties that are going to work with it. Sites and services are not required to use it. “So I don’t expect much from it,” says Hoving. “In unsafe places you just have to make this mandatory. As it is presented now, I think it is far too weak.”
The tricky thing is that you need a smartphone for this type of verification systems. Hoepman: “You can’t exclude people without a phone.”
According to Teunis, the solution is technically elegant in itself. But he also doubts whether such an app solves everything. “If you as a young person do not meet the conditions, you may move to unregulated sites,” he says. “This increases the risks of, for example, harmful content and blackmail. Let’s continue to discuss whether young people are really effectively protected by this, before we definitively introduce something that is difficult to reverse.”