euCONSENT age verification interoperability: huge success, but the potential to fail
The encouraging results of the euCONSENT trials for browser-based interoperability for age verification and parental consent were shared at the recent euCONSENT 2022 Conference. However, France’s data regulator found no current options to be acceptable and has put forward its own based on cryptographic signatures, and euCONSENT warns the project is destined to fail if it does not receive further funding.
‘Online Child’s Rights, Age Verification and Parental Consent: Delivering the Balance’ brought together in Athens the euCONSENT project team, stakeholders and regulators to discuss age verification and parental control in the European Union (and UK).
euCONSENT is a project for browser-based interoperability for age verification and parental control where a user can undergo age verification for one particular site with that site’s preferred verification partner, and then reuse that verification on subsequent sites whose own age verification partner communicates with the former.
Strong results from first trial, second planned
The first trial of 1,600 users – adults and children – in five European countries was already announced as a success and now the results show that interoperability among age verification and parental control providers was reliable in almost 100 percent of cases, announced Vangelis Bagiatis, product owner at AGEify, one of the providers involved.
“Interoperability was one of the more if not most important technical objectives of the euCONSENT project, so being able to verify that it works that reliably makes us very, very happy,” said Bagiatis.
Slightly over 50 percent of adults gave the scheme a full 10 points for ease of use and 80 percent gave six points or higher. Among children, 17 percent had to ask for help from parents. Eighty-two percent of parents were happy with the way it worked with children. Ninety-six percent of parents said this approach should be used every time a website wants data from a child.
Parental control is the more time-consuming part of the project, according to Bagiatis, but 65 percent managed the process in less than two minutes and 92 percent managed in under five.
A demonstration of the system in action can be viewed here from 12 minutes in.
A further, smaller-scale trial of 400 volunteers will take place in the same five countries from 20 to 30 June to test some of the improvements in UX identified in the first trial and to provide an opportunity to ask more questions of participants. It will test the age verification services from AgeChecked, AGEify and Yoti as well as parental control from JusProg and UpcoMinds.
Cryptographic signature alternative
“Our conclusion at the moment is that there are no real practical solutions that can match all the necessary requirements for security, privacy protection etc,” said Erik Boucher de Crèvecoeur, IT expert at the Digital Innovation Lab (LINC) of France’s data regulator, CNIL.
LINC explores the future of digital society, anticipates the impact of tech innovations on privacy and freedoms, and helps create links between the actors of digital society.
Following France’s 2020 legislation that pornography websites are required to do more for age verification than just provide a checkbox, CNIL issued recommendations on the decree in 2021. These affect biometrics and face analysis.
No direct identity data should be collected by the pornography sites; no biometric identification; no age estimation based on browsing history; and a trusted third-party should be involved in the age verification scheme.
Their analysis finds no solution that matches all these. Requiring an ID credential only works if it is checked biometrically against the website user. Boucher de Crèvecoeur said LINC is precious about the use of biometrics as they are “not proportional I would say for day to day use.”
Third party databases also pose risks due to the issue of “linkability” between individual identity and tokens used to access particular online services.
His CNIL colleague, Jérôme Gorin, Research and Development engineer at LINC, presented an alternative proof of concept for privacy and security by design for age verification, this time using well-tested cryptographic signatures.
In their version, with a demonstration available, a website creates a ‘challenge’ which needs to be signed. The website user downloads this challenge and takes it to a third party that already knows this individual such as his bank or her utility provider.
This third party, which would be certified by an external certifying authority, would sign this challenge. The website user would then upload the certified, signed challenge to the site which would be able to match it with the first challenge it originally generated.
The website would not know the identity of the site user nor of the third party involved from the signature. This would mean far fewer risks to the user and match France’s requirements. Only the certifying authority would know which third parties had signed which certificates in case it needed to revoke them.
The current process of downloading and uploading could be automated in future.
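A sketch of the challenge flow described above, as an added example that is not CNIL's proof-of-concept code. It uses an ordinary Ed25519 key pair as a constructed stand-in for the certified third party, so it shows the challenge matching, expiry and single-use checks on the website side but not the property that the site cannot tell which third party signed; the validity window and all function names are assumptions.

```javascript
// Added example: site-side checks for a signed age-verification challenge.
const crypto = require('crypto');

// Constructed stand-in for one certified third party's Ed25519 key pair (assumption).
const { publicKey: verifierKey, privateKey: signerKey } =
  crypto.generateKeyPairSync('ed25519');

const CHALLENGE_TTL_MS = 5 * 60 * 1000; // hypothetical validity window
const pending = new Map();              // challenge (hex) -> expiry time in ms

// Website: issue a random challenge that carries no user data.
function issueChallenge(now = Date.now()) {
  const challenge = crypto.randomBytes(32).toString('hex');
  pending.set(challenge, now + CHALLENGE_TTL_MS);
  return challenge;
}

// Third party: sign only if its own records show the user is an adult.
function signChallenge(challenge, userIsAdult, key = signerKey) {
  if (!userIsAdult) return null;
  return crypto.sign(null, Buffer.from(challenge, 'hex'), key).toString('base64');
}

// Website: accept a valid signature over a challenge it issued, once, before expiry.
function verifyUpload(challenge, signatureB64, now = Date.now()) {
  const expiry = pending.get(challenge);
  if (expiry === undefined) return 'unknown-challenge';
  if (now > expiry) { pending.delete(challenge); return 'expired'; }
  let ok = false;
  try {
    ok = crypto.verify(null, Buffer.from(challenge, 'hex'), verifierKey,
                       Buffer.from(String(signatureB64), 'base64'));
  } catch (_) { ok = false; } // a malformed upload is treated as a failed check
  if (!ok) return 'bad-signature';
  pending.delete(challenge); // single use: a replayed upload no longer matches
  return 'accepted';
}
```

Because the signed message is only the random challenge, the upload tells the website nothing about the user beyond the fact that a certified party vouched for their age.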
euCONSENT needs to be a privately-run concept and authority
“It has to be a concept like telecom roaming, credit card acceptance, like all those networks that operate efficiently in order to help their various stakeholders work together without bottlenecks and that is not centralized,” said Kostas Flokos, euCONSENT project coordinator, and CEO of UpcoMinds.
In his address, ‘Looking forward into the future: what are the next steps for euCONSENT?’, he stressed the need for euCONSENT (which may have a name change) to “become a recognized authority,” and a private entity such as the GSMA with continuous technology evolution and a budget to help increase market penetration.
Flokos called for immediate funding to keep the momentum. There will be profits for the age verification sector in the future, but the project needs funding sooner. “If the Commission is listening to us – ‘hello, we’re here, we need some money’,” said Flokos who pointed out that the European Commission, which has recognized the progress, “wrote the first cheque and it’s time for the second.”
At present, the private sector alone will not persevere. Future challenges such as eIDAS 2 mean the project has to be kept up to date to be compatible. “I seriously doubt it will ever happen,” said Flokos of digital wallets integrating euCONSENT, even if a wallet has 25 percent penetration in Europe.
Without action, the current euCONSENT project is “destined to fail.”