Online age verification: CNIL not happy with existing solutions

Clicking “I’m over 18” is a small barrier to prevent minors from accessing adult content online. However, this is the only verification that many porn sites have been introducing for many years, but a law passed in July 2020 tightened the noose on site publishers. Thus, in December 2021, Arcom officially notified the five most visited pornographic sites in France to comply with legal obligations under pain of blocking. In March, noting that the publishers had not complied, Arcom sued several of them.

Adjusting screw turn

The July 2020 law, and in particular the June 2021 enforcement decree on Internet user age verification, created a sensation for online services subject to the age verification obligation. The text of the law makes it clear that the simple declarative regime that has been applied until then is no longer enough, but without putting forward a real solution that allows an alternative solution to be proposed.

Arcom should publish its directives on this issue, but this does not prevent the CNIL from making decisions on this issue. Thus, the commission was forced to express its opinion by decree of June 2021 and yesterday published an assessment of the various approaches envisaged to propose suitable age verification tools.

The CNIL analysis sought to test the compliance of age verification solutions against three criteria: “reasonably robust verification, complete coverage of the population, and respect for data protection and individual privacy and security. »

There is no perfect solution in the eyes of CNIL

The first solution envisaged by the CNIL is age verification by checking a payment card, a solution “already implemented by a certain number of players,” the Commission clarifies. CNIL considers this to be an imperfect method that poses a significant risk in terms of phishing: by multiplying requests for an Internet user’s credit card, the latter may be more likely to be deceived by a fake site trying to steal their credit card details for malicious purposes.

The second solution, face recognition. The CNIL sees several disadvantages in this: first of all, a clear propensity for errors, in particular for “juveniles and minors under the age of 18 or young people and adults. But the intrusive nature of the solution, which necessarily accesses the user’s webcam, also leads CNIL to recommend the use of certified trusted third parties to deploy this type of solution.

Similarly, the solution to encourage users to purchase an offline “scratch card” that allows them to recover their ID and password to access an online service is not without its drawbacks. Thus, the CNIL states that “this method requires special management when the authority issues cards and manages authentication systems. »

The other solutions considered, age verification by analyzing identity documents, using verification tools offered directly by the government, face the same challenges in creating a certified ecosystem capable of controlling entities responsible for identity verification, while creating the risk of “associating an official identity with an intimate information and presumed sexual orientation” in the case of government authentication decisions.

The latter approach considered systems of “age verification by inference”, which consist in “guessing” the age of an Internet user based on certain third-party information, such as browsing history, his answers to a questionnaire, or analysis of site navigation. services specific to the site editor. Three solutions that clearly do not fit the CNIL, which considers them incompatible with data protection, unreliable, or reserved for a small number of players.

sketch tracks

While CNIL nitpicks all the solutions analyzed, it nonetheless charts a path developed by its own services: Developed by the CNIL Digital Innovation Lab in collaboration with the digital regulation think tank, the Commission highlights its tool demonstrating the feasibility of privacy. convenient mechanism for checking age. This is based on the cryptographic concept of “zero-knowledge proof”, which allows people to prove their legal age without having to reveal other information.

However, the solution also relies on an ecosystem of certified third parties and a supervisory authority capable of issuing those certificates. For now, the CNIL demo is just a proof-of-concept first introduced in June, but it invites anyone interested to experiment with its solution. This is available on github, adulact and

Back to top button

Adblock Detected

Please consider supporting us by disabling your ad blocker.