There is no perfect solution for verifying the age of Internet users accessing X sites

The CNIL has reviewed the systems that can be used to check the age of internet users. None is perfect, but that doesn't mean none should be used. It makes recommendations to that end.

This is a new rule enshrined in law: pornographic websites available in France have a duty to effectively verify the age of Internet users, to prevent minors from accessing content that is not appropriate for their age. The goal is laudable: today, children have too easy access to X, and it must stop.

But the legal scaffolding erected to force the publishers of X sites to comply, under penalty of ISP blocking following a court ruling, is rickety because it is incomplete. Neither the legislator nor the supervisory authority (Arcom, the Supervisory Authority for Audiovisual and Digital Communications) provides the recipe to follow.

In short, it’s up to the websites to manage. Arcom then evaluates the chosen solution and indicates whether it is suitable or not. And at the moment, nothing finds favor in its eyes: Arcom has, for example, told the website “Jacquie et Michel” to do better, under penalty of access restriction. Paradoxically, however, the site is one of the few that attempts real control.

How to check the age of Internet users on X sites?

It is in this strange context that the National Commission for Computing and Liberties (CNIL) made its contribution on July 26, 2022. The authority endeavored to review the existing systems: verification of age by payment card validation, by facial analysis, by offline verification, by analysis of identity documents and, finally, using tools offered by the state.

The conclusions were predictable: these devices, which contribute to the protection of minors, are never perfectly effective, and workarounds are possible. In addition, the CNIL warns that certain solutions “may also pose a privacy risk”: personal data is at stake in this verification process.

Preventing minors from viewing pornographic content is desirable, but the difficulty is finding a good way to do it. // Source: Lucie Benoit for Numerama

For example, a bank card can be given to a minor. A child may also steal a parent’s credit card to trick the system. An analysis of facial features also has its limitations: besides being symbolically rather disturbing in this context, facial recognition sometimes makes errors.

As for the solutions that could be considered, the CNIL warns that they may be based on binding technical prerequisites or may not have reached a sufficient degree of maturity. Inferential age verification systems, such as guessing an internet user’s maturity via a questionnaire, are insecure.

However, just because an approach is not quite perfect and does not fully meet goals that may be contradictory does not mean that nothing should be done. The CNIL admits the limits of such an exercise, but nevertheless makes recommendations and supports the development of solutions that do not compromise privacy.

“In the absence of being able to aim for absolute efficiency, it is advisable to choose relevant and safe devices to achieve the best possible result.”

CNIL

First and main request: the solution that makes it possible to check the age must be operated by a trusted third party, completely independent of the X site. To establish the reliability of this third party, one could imagine a labeling or certification system, with objective criteria that must be met and that can provide sufficient guarantees.

Another obviously major requirement: the security level of the solution must be high enough to limit incidents such as a data leak. Implicitly, this means securing the exchanges and encrypting any data that is stored. Furthermore, data collection should be minimal and as temporary as possible.

The plan envisioned by the CNIL involves a process that crosses three platforms: the X site, the site that verifies age by knowing the internet user’s identity, and the site that is the link between the two. That would be “a triple protection of privacy,” the National Commission for Computing and Freedoms estimates. It has also produced an infographic to illustrate the idea:

The Cnil scheme on age control. // Source: CNIL

  • whoever provides the proof of age knows the identity of the user but does not know which website is being consulted;
  • anyone who submits the proof of age to the website may know the website or service being consulted but not the identity of the user;
  • the site or service subject to age verification knows that the Internet user is of legal age and that a person is consulting it, but does not know their identity.

With the future arrival of the digital identity application, combined with the national electronic identity card, one could imagine it generating authentication tokens that would confirm whether the Internet user is an adult or a minor without revealing their identity. But the use of such a sovereign service to access X will not win unanimous support.
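The three-party separation listed above, together with the kind of identity-free token just mentioned, as an added Python sketch that is not CNIL's design or code. The class names, the token fields (`over_18`, `jti`, `exp`) and the toy RSA key built from public Mersenne primes are assumptions chosen so that it runs offline.

```python
import hashlib, json, secrets

# Toy RSA key for the proof-of-age provider (assumption: built from public
# Mersenne primes so the sketch runs offline; never use such a key for real).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def digest(payload: bytes) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")

class AgeProvider:
    """Knows who the user is; is never told which site is being visited."""
    def __init__(self, registry):
        self.registry, self.seen = registry, []   # constructed identity -> age

    def issue(self, identity, now):
        self.seen.append(identity)
        if self.registry.get(identity, 0) < 18:
            return None                            # no token for minors
        # The claim carries no name, birth date or destination site.
        claim = {"over_18": True, "jti": secrets.token_hex(16), "exp": now + 300}
        payload = json.dumps(claim, sort_keys=True)
        return {"payload": payload, "sig": pow(digest(payload.encode()), D, N)}

class Relay:
    """Submits the proof: sees the destination site, not the identity."""
    def __init__(self):
        self.seen = []

    def forward(self, token, site, now):
        self.seen.append((site.name, token))
        return site.admit(token, now)

class Site:
    """Learns only that some visitor holds a valid adult token."""
    def __init__(self, name):
        self.name, self.used, self.seen = name, set(), []

    def admit(self, token, now):
        if not token or pow(token["sig"], E, N) != digest(token["payload"].encode()):
            return False                           # missing or forged proof
        claim = json.loads(token["payload"])
        self.seen.append(claim)
        if claim["exp"] < now or claim["jti"] in self.used:
            return False                           # expired or replayed
        self.used.add(claim["jti"])
        return claim.get("over_18") is True
```

Because the provider and the site both see the same token bytes, this sketch keeps the three views separate only as long as those two parties do not compare records.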

In short, the challenge that emerges is to determine what level of enforcement we seek to achieve with this age control on sites prohibited for minors, knowing that absolute effectiveness does not exist and that we are faced with conflicting imperatives – to verify with certainty the individual’s age, but without compromising his privacy too much.

Quite a case of squaring the circle, in short. And in the absence of a perfect solution, we must preserve the essential goal of the law: to avoid too easy access for minors to pornographic content. Will we be able to prevent all minors from seeing X? Probably not. But compared with the current situation, where it is an open bar, it won’t be worse.
