Age assurance laws in EU prompt flurry of objections from rights groups

The EU’s latest tiny wallet accessory is scandalizing the continent’s digital activists. A review from European Digital Rights (EDRi) says the European Commission intends for its mini wallet to be a “white label” app, which can be used by governments and companies across the EU to check the ages of people trying to access certain platforms and services. (The technical specs are available on GitHub.)

EDRi, however, gives the project a frowny thumbs down. “Whilst the Commission believe that this will make everyone safer, we argue that it’s not only unrealistic – but also unhelpful – to try to childproof the internet,” it says.

EDRi’s argument says age assurance tools “systematically leak data in ways that threaten the privacy and data protection rights of children and adults alike – whether they use government-issued identity cards, AI analysis to predict a person’s age or other methods.”

This is both factually and conceptually wrong, in that most age assurance systems aim for anonymity, and that any systemic sharing of data would no longer constitute a “leak.”

Regardless, EDRi maintains its conspiratorial stand, asserting that while “this step from the European Commission is purportedly to age gate access to porn platforms, the plans that have been laid out show a clear intention to control access to a much wider range of platforms and services.”

Again, the word “control” is doing ample work in the group’s statement. But it is not afraid to get more specific, even if its objections ultimately boil down to, “could be risky.”

“The Commission puts a lot of faith in ‘Zero Knowledge Proofs’ (ZKPs) to resolve privacy concerns. ZKPs provide a cryptographic way to prove that a given statement is true without sharing any additional information. Although ZKPs are in theory a better way to protect users’ privacy than many other approaches, it is also a brand-new system. Testing the roll out of ZKPs, at scale, with data as sensitive as government-issued IDs, is risky at best.”

Having also declared age assurance to be a threat to society, EDRi also laments, of highly effective online age assurance such as biometrics, that “many people will be excluded from this form of age verification.”

Article 28 guidelines to lay out rules, penalties for noncompliance on age checks

As rights groups rage, policy work continues. Late April saw the thirteenth meeting of the European Board for Digital Services. According to a release, “discussions included updates on the work on the protection of minors, notably related to the EU age verification solution and the guidelines under Article 28 of the Digital Services Act, highlighting the priority on safeguarding younger users in the digital environment.”

Article 28 is at the center of the EU age assurance discussion. It states that “providers of online platforms accessible to minors shall put in place appropriate and proportionate measures to ensure a high level of privacy, safety, and security of minors, on their service.” Formal guidelines on the matter are expected in the next couple of weeks.

In a blog, the Electronic Frontier Foundation (EFF) notes that “Article 28(3) makes a point of not requiring service providers to collect and process additional data to assess whether a user is underage,” and that while “the European Commission is currently working on guidelines for the implementation of Article 28 and may come up with criteria for what they believe would be effective and privacy-preserving age verification,” for now, that remains legally ambiguous.

The EFF also has an effective response to porn sites, social media platforms and others advocating for age assurance measures to be implemented at the operating system or device level (thereby making it Google or Apple’s problem, instead of Meta’s).

“Embedding age verification at the device level will make it more ubiquitous and harder to avoid.

This approach will likely also lead to mission creep: While the Commission limits its tender to age verification for 18+ services (specifically adult content websites), it is made abundantly clear that once available, age verification could be extended to ‘allow age-appropriate access whatever the age-restriction (13 or over, 16 or over, 65 or over, under 18 etc)’. Extending age verification is even more likely when digital identity wallets don’t come in the shape of an app, but are baked into operating systems.”

Article Topics

age verification  |  Article 28  |  biometrics  |  Digital Services Act  |  digital wallets  |  EFF  |  EU  |  EU age verification  |  European Digital Rights (EDRi)  |  regulation