Online age verification debates continue in Canada, EU, India

Introducing age verification to protect children online remains a hot topic across the globe: Canada is debating the Online Harms Act, the European Union experimenting with an online age assurance project while India is potentially opening the path towards age verification with the Digital Personal Data Protection (DPDP) Act.

Canada grapples with pornography

The perils of porn may be less dangerous than the surveillance that age verification could bring to Canada, argues Maggie MacDonald, an advisory board member with Ethical Capital Partners, which manages the world’s most famous porn site Pornhub through its parent company Aylo.

MacDonald says that the Online Harms Act, which made another step towards the House of Commons in December, brings “alarmingly vague proposals” while glossing over privacy concerns.

“Age verification poses significant privacy risks for all internet users in Canada,” she says. “Systems that authenticate age typically rely on government-issued ID being checked through third-party services.”

The Ph.D. candidate at the University of Toronto also says digital ID carries other risks, such as leaks and hacks. Requirements for age verification could also spread to search engines and social media platforms, MacDonald notes in an opinion piece in the Globe and Mail.

The arguments echo those from companies such as Pornhub which have been fighting the legislation, advocating for an approach that would verify a user’s age through a device. But Pornhub is not the only one skeptic about the new law. The Canadian Heritage Minister’s office has called the Online Harms Act “fundamentally flawed.”

euConsent faces mixed messages from governments

The European Commission-funded project to create an age verification and parental consent solution is being welcomed by well-known internet platforms, says euConsent’s Secretary General Iain Corby.

Last year, the non-profit completed its first phase, a €1.4 million (US$1.5 million) pilot project including some 2000 children and adults across five European countries. Platforms have been supportive of that work.

“They also want a level playing field, with all platforms adopting a similar standard – so they are enthusiastic about the international standards we drafted in Phase 1 being the common basis for all age checks,” Corby says.

euConsent has received additional funding from Safe Online, another non-profit tackling online risks for children. The project has also recently released a feasibility study investigating how to increase interoperability between age verification providers (AVPs). But the organization is still tackling a different set of challenges.

“The biggest issue is that governments and regulators are equivocating on setting a vision for online age assurance so they are sending mixed messages to an industry that wants to be compliant but is struggling to know what that would look like,” says Corby.

euConsent provided an update this week on its underlying technology at the Global Age Assurance Standards Summit.

India may be moving towards its own age verification mandates

Last year, India introduced its Digital Personal Data Protection Act (DPDP) after more than half a decade of deliberations. One of the provisions of the law that has escaped attention is an obligation on all data fiduciaries to obtain a parent’s verifiable consent before they process the personal data of a child.

The provision could mean that businesses will be required to verify whether a person is a child or not, leading to online services introducing identification and age-verification requirements, argues Rahul Matthan, a partner at Trilegal law firm.

The move could open up new privacy issues for a country that is already dealing with a deluge of data leaks. One answer to this problem might be to use zero-knowledge proofs (ZKPs).

“All it will take is for us to generate a digital token that, when processed using a ZKP, will confirm that the person is above the prescribed age without sharing any other personal information,” Matthan writes for Livemint. “This will allow us to verify the age of internet users while still preserving privacy.”

He also believes that India could leverage its digital identification system Aadhaar for age verification.

“All we need is for the Unique Identification Authority of India (UIDAI) to generate a token for each Aadhaar holder that could, when passed through a suitable ZKP system, confirm whether or not the possessor of that token is above the prescribed age,” he says. “Once in possession of such a token, all a user needs to do is present it whenever access is needed to a new website or online service, so that one’s age can be proven as appropriate without having to reveal any other identifying information.”

Token-based solutions address privacy concerns around age-gating. Set up right, they can also reduce the friction implicit in any age-gating implementation. If ZKP tokens are designed in a way so that they can easily be uploaded to one’s internet browser, all a data fiduciary would have to do is run the browser token through the ZKP system to ascertain whether the user is of an appropriate age.

Article Topics

age verification  |  Canada  |  Digital Personal Data Protection (DPDP) Act  |  EU  |  euCONSENT  |  face biometrics  |  India  |  regulation