EU seeks more age verification transparency amid contentious debate

Age assurance requirements are contentious everywhere, and robust social dialogue is needed to make clear what kind of online gating each jurisdiction is prepared to put up with. More transparency obligations could be coming in the EU, while conversation about the UK’s new regulations vary from policy binaries and mud-slinging to the occasional measured assessment.

The EU is considering setting minimum requirements for online platforms to disclose their use of age verification or age estimation tools in their terms and conditions. The obligation is contained in a new compromise draft text of the EU’s proposed law on detecting and removing online child sex abuse material (CSAM), dated July 24 and seen by MLex.

A discussion of the proposal, which contains few other changes to a previous draft, is scheduled for September 12. The text also calls for online platforms to perform mandatory scans for CSAM, which critics say could result in false positives and break end-to-end cryptography.

Platforms are not required to disclose details of their age assurance systems that could undermine their effectiveness.

Each member state’s Coordinating Authority would be responsible for overseeing implementation of the rules.

Bad arguments and non-arguments

Anyone hoping for sober debate over the UK’s Online Safety Act must feel like the central character in Monty Python’s famous “Argument Clinic” sketch.

“I came in here for an argument,” he objects early in the sketch, after being subjected to a name-calling attack.

“Oh, I’m sorry, this is abuse,” the man behind the desk replies. He directs the protagonist down the hall.

Debate over the OSA has neatly side-stepped productive discourse, with Nigel Farage, leader of fringe party Reform UK, accused of being on the side of people like infamous pedophile Jimmy Savile by Secretary of State for Science, Innovation and Technology Peter Kyle.

Under-Secretary of State for Safeguarding and Violence Against Women and Girls Jess Phillips reiterated the warning about “modern-day Jimmy Saviles,” according to The Times.

U.S. politicians contributed complaints that Ofcom is “harassing” American companies. Perhaps their visit to the UK and comments on the OSA were not directed at North Dakota, which Pornhub blocked access from last Friday to put a disingenuous and misleading statement in its place, because the pornography site is owned by a Canadian company.

The Guardian found that topics which appear not to fall into any defined categories of “harmful content” have been gated on X and Reddit, and some observers warned that an overly cautious approach could lead to legal material becoming restricted.

A man who Gizmodo says is the most tattoo-covered in Britain has found that he cannot complete online identity verification with face biometrics because of a system that mistakes his tattoos for a mask. The article attributes the problem to facial recognition bias, which it claims is “a real problem with the UK’s verification system.”

For evidence, it cites the famous 2018 Gender Shades study on facial analysis algorithms, conflates it with facial recognition, and then refers to an academic study from 2022 that explicitly confines its findings to “current AI technology” and gives advice on how to improve it.

A ‘privacy nightmare’ with real-world fixes

The way age verification is set to work under the OSA is described as a “privacy nightmare” by PC Gamer, but the article stands in stark contrast to the vague posturing of the political class. Author Jacob Ridley acknowledges the possibility for double-blind methods of age assurance among those that do not require any personal information at all to be shared with the website or app the individual is trying to access.

At the same time, many age verification systems do not work this way. Also, age assurance pop-ups can be spoofed, and those spoofs could harvest a wealth of valuable personal information

Privado ID Co-founder Evan McMullen calls it “like using a sledgehammer to crack a walnut.” McMullen, of course, prefers a decentralized approach that leans on zero-knowledge proofs (ZKPs).

Age Verification Providers Association ED Iain Corby notes the “slight risk” of age checks becoming “cookie pop-ups on steroids.” To avoid this, proofs need to be tokenized and interoperable.

Corby lays out a scenario in which Yoti accepts evidence from a third party providing mobile phone checks to complete a transaction, but notes that a price for this third-party service must be agreed to.

Ultimately, Ridley finds the UK GDPR and data protection oversight by the Information Commissioner’s Office provide little reassurance against malicious data collection practices or breaches of sensitive personal information, even though good age assurance technologies are out there.

Article Topics

age verification  |  Aylo  |  biometric age estimation  |  Digital Services Act  |  EU age verification  |  Online Safety Act  |  UK age verification  |  ZKP cryptography