The complex case of online age verification against privacy protection laws
The CNIL (Commission Nationale de l’Informatique et des Libertés) is the French administrative authority responsible for personal data protection under the GDPR and national law. On July 26th, it published a study (link in French) on online age verification for adult-restricted content on the Web, covering the existing solutions, its opinion, and its recommendations. As the CNIL article is quite long and in French, I’ll offer a summary with some opinions of my own.
At the beginning of the year, I wrote about some concerns (in French) regarding how badly the French law restricting access to pornographic content is written, mostly since the law (article L227-24 Code Pénal) was amended in 2020 to add a new criterion saying that the “yes I’m 18 years old” disclaimer is no longer enough to keep underage people out. In that article, I quoted the impact study the CNIL made for the application decree, but as there are currently two legal procedures against the major pornography publishers (PornHub, xhamster, x-videos, etc.), the Administrative Authority has proposed a more advanced study on how to check the user’s age without disclosing too much personal data.
Note: As the CNIL text contents are licensed under CC-BY-ND 3.0, this article will use the same license.
A complex matter and the CNIL’s recommendations
The first part of the topic is a reminder about informing, educating, and focusing on user-controlled devices. Our online activity can quickly reveal some very personal and intimate parts of our private life. Linking an identity to this private life would go against every protection principle we have acquired thanks to these regulations. But for some use cases, the law asks for verification of the user’s age to ensure they have reached legal majority (18 years old in France), while the user’s privacy must remain protected.
In France, there are several cases where you must prove you are of legal age when using online or physical services, but the methods are not always the same. For example, when subscribing to specific bank services or to an Internet or mobile offer, buying alcohol, renting a car, subscribing to online betting and casinos, or simply because the contract stipulates it, you need to provide proof that you are of legal age. However, as these services are usually associated with a payment, they rely on the bank transaction to assume you are an adult. In my opinion, this idea already has a flaw (also pointed out by the CNIL): in France, 16-year-old teenagers can open a bank account and have a credit card. That’s mostly for apprentices, whose salary has to be transferred to a bank account (it’s a legal obligation under the laws preventing unreported employment). Also, a credit card can still be used by someone other than its holder. So that’s not really a robust method.
So the other way would be to check the user’s identity card, which is usually the case for the services listed above.
However, for access to pornography, you can’t really do that because there is a social issue (porn is still taboo). It could also be a way for publishers or third-party services to build databases of very sensitive and intimate data, possibly wrong, such as a supposed sexual orientation deduced from the content accessed. This kind of data is highly protected by the GDPR, which restricts the cases in which it can be processed.
In 2021, the CNIL published its opinion on the draft decree for the modification of article L227-24. It ended up with three recommendations:
- No identity card collection by the publisher of the pornographic service
- No age estimation based on Web browsing history
- No biometric analysis with the purpose to identify a person in a unique way (like face recognition, selfie with our identity card, etc)
The CNIL recommends using an independent trusted third party: a service that would only know the user is a legal adult and would provide a proof to the restricted-access website, with no possibility of linking the identity to the accessed service. The idea can be split into two distinct operations:
- The trusted third-party could be a dedicated service, or a service the user has already subscribed to, that can prove they’re adult (an online retailer, the bank account manager, an administration, etc). This trusted third party would deliver a kind of certificate containing only the proof of majority.
- This proof would be transmitted to the adult-restricted service and validated by the publisher. The publisher has no information about the user’s identity, only a message saying “yes, this person is a legal adult”.
According to the CNIL, using different actors in the chain is the more privacy-protective option. They justify it with the following points:
- The age proof certificate producer knows the user identity, but has no idea for which use case the request is made
- The party that transmits the age proof to the online service may know which access is requested, but cannot know the user’s identity
- The ideal case would be the user transmitting the age proof themselves, which is the approach proposed by the CNIL
- The online service reads the proof and grants access, or not. It doesn’t know the user’s identity; the only information is “user is adult”.
The CNIL defines the trusted third-party validator as an independent service controlled by the user. This trusted third party would be expected to offer one or more solutions to deliver the age proof and, by using cryptographic signatures, to guarantee to the requested service that the user is an adult and that the request is authentic. The Authority provided an implementation example in its article, which we will see later.
The trusted third-party validator could become an attribute management service, letting the user choose which data they want to disclose for which use case. These data would be issued by well-known providers. For example, the electricity company could attest that the address is valid, an identity service could attest the age, etc.
Another recommendation is to evaluate these trusted third-party validators, especially when they offer an automated statistical analysis method. When I checked two age validation services in my previous article, I saw some worrying things. The first one was related to credit card verification (with a canceled transaction). A teenager can have a credit card in France, so that’s irrelevant (and this was recently confirmed by “Arcom”, the French authority competent for child protection in the media, including the Internet). The other was a face recognition method estimating whether you’re underage or not… With a fun detail in the EULA: “if not working, try again”, nice! And the last one was providing a legal document like an ID card or driving license. Robust, but privacy intrusive.
About these last cases, the CNIL warns about fake services that would just collect personal data and sell it. That’s why they recommend certification for these services, because age verification is highly privacy intrusive.
Another interesting point in the CNIL’s study is the weakness of all possible solutions. This weakness is mostly caused by the design of the Internet itself, which is open and freely accessible. The protection of underage people must respect this design, or the only way would be to transform the Internet into a closed service requiring authentication for each use, through user account creation and very intrusive identity checks. In my opinion, that would be the worst case that could happen. With the very centralized platforms that chain users to their own ecosystem, track their every move and read every detail of their private life, we already have a serious privacy issue. If tomorrow, because some laws require it, every online service had to verify the user’s identity in a very intrusive way, it would be a serious danger for freedom of speech and respect for privacy. Opinions, activities, and habits could be logged and attached to an identity without any possibility of refusing it.
As an example of the weakness of current age verification, the CNIL cites Great Britain, where this kind of idea was also planned: a study said that 23% of minors declared being able to bypass the restrictions with a VPN. Some publishers of adult-restricted content even offer their own VPN solution.
The CNIL pointed out that the VPN is an essential Internet technology because it’s massively used by companies to secure their traffic across the Internet, so restricting it would be a problem. However, I would also consider that using a VPN (or a proxy) could pose a serious privacy threat. There is a saying that “there is no Cloud, only other people’s computers”, and commercial VPN services are the same thing: there is no VPN, only other people’s Internet connection. By using a VPN, you’re using somebody else’s Internet connection. You have absolutely no guarantee that this third-party provider will not log all of your activity and monetize it. It’s the same for a proxy service. Unless you’ve set up these services yourself and you’re sure they’re safe, you can only trust the provider’s good faith.
Existing solutions analysis
The CNIL analyzed the current online age verification solutions and the conclusion is not really a scoop: none of them is robust enough.
Age verification by credit card payment
As seen above, in France, a 16-year-old teenager can have a bank account and a credit card without their parents’ approval, so only younger people would be affected. And that’s the first nail in the coffin. The principle is to validate the credit card itself, or to set up a payment and cancel it immediately. First, a payment process was not designed to certify user attributes such as age. Then, because of privacy concerns, the age verification must not be operated by the service that needs it to grant access; this step has to be done by an independent third party. Also, using this method for verification could increase phishing risks, with fake providers using it to illegally charge users. Finally, a free service must remain free of charge.
Age verification by facial recognition
Some methods use face analysis to determine whether the user is legally an adult or not. However, this method is highly privacy intrusive and also very weak. The difference between an 18-year-old and a 17-year-old may not be distinctive enough, and it requires activating a webcam or taking a selfie.
The CNIL warns about the risk of webcam blackmail scams and recommends that these providers be certified by an authority. Also, I think it could be very risky for privacy, and a fake service could feed a webcam blackmail scam database. Also also, we have the same recommendation as before: the verification service cannot be provided by the publisher of the adult content.
Offline verification
This method consists of buying a scratch card that reveals a password to be used on the requested service. The idea relies on the alcohol, cigarette, or gambling shops, which already verify the customer’s identity and age. First, in my experience, in the real world, I’ve never seen any cashier check young people’s ID cards for alcohol… Also, the CNIL warns about the risk of stigmatizing the people who want to buy these cards, because their use is well known. Finally, black market sales would be possible.
Official identity documents analysis
A service that checks the identity document could easily be deceived, as the user can provide someone else’s ID card. Also, in my opinion, it’s highly privacy intrusive as you may have to send your ID card to a random web service… Nope.
To counter fraudulent use, one possibility used by some services is to take a picture of yourself with the ID card, for what the CNIL calls a “living body test”. It’s of course a very reliable way, but it falls under the GDPR’s legal provisions on biometrics and cannot be used without the certifications and standards that are mandatory for these services.
Using official State services
In France, we have an online Single Sign-On service called FranceConnect, which was made to facilitate login across official services (tax payment, social security account, retirement, etc.). In the discussions about online age verification, using FranceConnect is always mentioned. However, the CNIL sees two big problems with this idea:
- First, FranceConnect was not designed to handle user attributes, only to simplify administrative procedures.
- Second, if we talk about pornographic services, it would create a database linking an official identity to very intimate information and a supposed sexual orientation.
According to the CNIL, the only case where FranceConnect would be usable is for authentication to the trusted third-party verification service.
Age verification by inference
Some providers try to deduce the user’s age by statistical analysis of specific behaviors.
- User web browsing history: this way is very privacy intrusive and barely reliable
- “Maturity” analysis with a survey: no private data, but not very reliable either. It could also discriminate against adults with intellectual difficulties (reading, understanding) or without the cultural references.
- Navigation analysis on services owned by the publisher: it’s a possible way, but the CNIL lists some conditions, like no automated decision, no supplementary data collection, the data must be separated from the usual tracking collection, and finally, the analysis must be made by an independent third party.
In my opinion, none of these options is really acceptable. They’re too privacy intrusive or not reliable.
An implementation idea
With the assistance of the cryptography researcher Professor Olivier Blazy, the CNIL’s innovation laboratory, and the Expertise Center of Digital Regulation (PEReN - Pôle d’Expertise de la Régulation Numérique), an implementation idea is proposed.
The idea is based on the zero-knowledge proof principle, with the following steps:
- The user wants to connect to a restricted to adults (RTA) service. They have to provide a proof of their age.
- The user chooses a third-party provider from a proposed list (bank account, electricity provider, etc.) and connects to this service in a separate session
- The third-party service provides an age verification proof stating that, according to them, the user is legally an adult
- The user comes back to the RTA service and gives the proof
- The RTA service publisher checks the proof via its cryptographic signature and attests whether the user is a legal adult or not according to its content
- The user can access the service (or not)
In this sequence, the RTA service publisher has no idea of the user’s identity, because the user only provides a “yes, I’m an adult” document certified by a trusted authority. Also, the third-party verification provider has no idea why the user asked for this document and is entirely independent from the RTA service publisher.
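The signed-proof exchange described above, as an added Node.js example that is not from the CNIL study or from this article’s author. A plain Ed25519 signature stands in for the zero-knowledge construction, so it does not stop an issuer and a service from linking a visit to a user if they compare token ids. All names (createIssuer, createVerifier, jti, the 5-minute lifetime) are assumptions made for the illustration.

```javascript
// Added illustration; every name here is hypothetical, not CNIL's code.
const nodeCrypto = require('crypto');

// Third-party provider: knows the user, never learns which service is visited.
function createIssuer() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  return {
    publicKey,
    issueProof(nowMs, ttlMs = 5 * 60 * 1000) {
      // The claim carries no name, birth date or account id.
      const claim = JSON.stringify({
        adult: true,
        exp: nowMs + ttlMs,
        jti: nodeCrypto.randomBytes(16).toString('hex'), // one-time token id
      });
      const sig = nodeCrypto.sign(null, Buffer.from(claim), privateKey);
      return { claim, sig: sig.toString('base64') };
    },
  };
}

// RTA service: trusts a list of issuer public keys, learns only "adult".
function createVerifier(trustedKeys) {
  const seen = new Set(); // token ids already used (replay protection)
  return function verifyProof(proof, nowMs) {
    const data = Buffer.from(String(proof.claim));
    const sig = Buffer.from(String(proof.sig), 'base64');
    const signed = trustedKeys.some((k) => nodeCrypto.verify(null, data, k, sig));
    if (!signed) return 'bad-signature';
    const claim = JSON.parse(proof.claim); // parsed only after the signature check
    if (claim.adult !== true) return 'not-adult';
    if (typeof claim.exp !== 'number' || nowMs > claim.exp) return 'expired';
    if (seen.has(claim.jti)) return 'replayed';
    seen.add(claim.jti);
    return 'ok';
  };
}

// Constructed demo: one issuer the service trusts, one it does not.
function demo() {
  const issuer = createIssuer();
  const rogue = createIssuer();
  const verify = createVerifier([issuer.publicKey]);
  const t0 = 1700000000000; // constructed timestamp (ms)
  const proof = issuer.issueProof(t0);
  const forged = { ...proof, claim: proof.claim.replace(/"exp":\d+/, '"exp":9999999999999') };
  return [verify(proof, t0 + 1000), verify(proof, t0 + 2000), verify(forged, t0 + 1000),
    verify(rogue.issueProof(t0), t0 + 1000), verify(issuer.issueProof(t0), t0 + 600000)];
}
```

Calling demo() returns the verdicts for a valid proof, the same proof replayed, a proof with an altered expiry, a proof from an untrusted issuer, and an expired proof.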
I think this implementation idea would be a good basis. It reminds me of the OTP tokens used in 2FA authentication protocols. The service asks for a code; a generator provides one and doesn’t know what the service is. However, the difficulty would be implementing it with the RTA service publishers. The big companies would comply with these obligations because the audience is important for them. But others would not, and don’t care about France’s regulation. There would be two ways to deal with it… Like during the GDPR introduction, they block French users to avoid any problem, or they don’t care and get blocked by French authorities, with the endless loop of popping mirrors.
Personal conclusion
That’s an old problem and there are no perfect solutions unless we reverse the design of the Internet and use a network closed by design, which would be a terrible social regression. Child protection is important, but so are adults’ rights and liberties, because a child will later become an adult, and there is no point in living in a world where you have almost no rights just to protect your first 18 years of life. That’s why the topic is very difficult to handle and can’t be resolved by simple solutions or speeches. Today, it’s pornography that is the target of various associations using the law to constrain the publishers (and sometimes badly, as some complaints have been rejected because of procedural errors), but the French law covers a larger perimeter of content (messages about violence, terrorism, etc.). And I think everybody seems to forget or ignore it, which is, in my opinion, the real problem. Today it’s pornography, tomorrow it’s violence, and the day after tomorrow, every Web service will ask for identity verification and privacy is dead.
That’s not the Internet I want.