A firm claiming to provide “double blind” age assurance services to pornography sites adapting to France’s online safety law has been found to be collecting unauthorized user data, according to a technical report released by AI Forensics.

The additional data collection and retention appears to have been tacked on to biometric age assurance methods provided by third-party vendors, in a case that should raise alarms among those hoping to establish public trust in digital age checks.

AgeGO knows exactly which videos users try to watch

AgeGO has contracts to provide software that enables age verification services for the large porn sites Xvideos, Xnxx and Tnaflix, as they look to comply with French regulator Arcom and the EU’s Digital Services Act.

AI Forensics’ findings are damning. “We observed that, despite claiming to offer ‘double anonymity’ options (intended to hide user traffic), AgeGO collects the URL of the video the user attempts to watch.”

“In addition, when users select the ‘selfie’ verification method, their webcam stream is transmitted directly to Amazon Web Services,” which is listed as the provider of selfie-to-document verification.

AgeGO also forces users to disclose their email address to complete the age verification process, which it says is needed to create an AgeGO account.

The firm’s website says it was founded in Barcelona in 2019 and is a part of Exogroup, an investment company also based in Barcelona. It lists satellite offices in Dublin, Ireland and Porto, Portugal. It says its age verification methods are “free for the end users, secure and respect end user privacy by fully protecting their identity and data.” It lists “trust” as its first core principle.

The third-party services it uses are as follows.

For digital ID, the provider is Yoti – the only third party listed as being “within a country that complies with European data protection rules.”

Selfie-to-document matching is done through Amazon Web Services (AWS) EMEA SARL. For ID documents, the provider is Klippa App B.V. And for credit card age verification, it is Shift4 Payments LLC. For safeguards, all of these services are listed as being “within the EU-U.S. Data Privacy Framework.”

(Klippa is headquartered in Groningen, Netherlands, and Shift4 is a registered ISO/MSP of Citizens Bank, N.A. in Providence, Rhode Island.)

Regardless, according to the AI Forensics report, the privacy issue occurs before verification technically begins: “prior to selecting a verification option and prior to consenting AgeGO’s Privacy Policy, the user’s browser sends a request to AgeGO’s server disclosing: the website currently visited, and the exact video the user is attempting to access.”

“In response, AgeGO issues a cookie (x-ag-sid) encoding this information. This cookie is subsequently included in all further requests to AgeGO.”

For the selfie option, AI Forensics “observed that the video stream captured from the user’s webcam is sent directly to Amazon Web Services (AWS) ‘Rekognition’.”

“As a result, AgeGO’s selfie verification method not only transmits to AWS the user’s webcam feed but also exposes their IP address, user agent, and the fact that they are accessing an 18+ website via AgeGO (the “origin” field of the requests being set as https://my.agego.com). While the exact platform among those using AgeGO is not transmitted, this may appear to constitute a significant disclosure.”
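The three findings quoted above (a pre-consent request that names the visited site and video, a cookie that encodes that information, and a third-party biometric request whose Origin header names the age-check provider) are the kind of thing a privacy audit can check mechanically from a browser capture. The script below is an added example written for this article, not code from AI Forensics or AgeGO. It runs three checks over a constructed, HAR-style capture: only the hostname my.agego.com and the cookie name x-ag-sid come from the report; the site name example-adult.test, the video path, the query parameter names, the base64 encoding of the cookie value and the Rekognition-style hostname are assumptions made for the sample. The second and third checks together express the “double anonymity” property that Arcom’s guidelines describe: the verification provider should not learn which service the check is for, and the downstream biometric vendor should not learn that an age gate is involved.

```python
"""Privacy audit over a constructed HAR-style capture of an age-verification flow.

Checks, from a defender's point of view:
  1. Before the user consents, does any request to the provider disclose the
     visited site or the specific content URL (Referer, query string, body)?
  2. Does any Set-Cookie from the provider encode that content, in plain,
     URL-encoded or base64 form?
  3. Does any request to a third-party biometric endpoint carry an Origin
     header naming the provider, revealing that the caller is behind an age gate?
"""
import base64
import binascii
from urllib.parse import parse_qs, unquote, urlparse

PROVIDER_HOST = "my.agego.com"                 # hostname cited in the report
CONTENT_HOST = "example-adult.test"            # constructed placeholder for the visited site
CONTENT_PATH = "/video/12345"                  # constructed placeholder for the video
THIRD_PARTY_HOSTS = {"rekognition.example-region.amazonaws.test"}  # constructed placeholder

# Assumed encoding of the x-ag-sid cookie; the report only says it "encodes" the site/video.
_SID = base64.b64encode(f"{CONTENT_HOST}|{CONTENT_PATH}".encode()).decode()

# Constructed sample capture (not real traffic), simplified from the HAR shape.
CAPTURE = [
    {"seq": 1, "method": "GET",
     "url": f"https://{PROVIDER_HOST}/widget?site={CONTENT_HOST}"
            f"&content=https%3A%2F%2F{CONTENT_HOST}%2Fvideo%2F12345",
     "headers": {"Referer": f"https://{CONTENT_HOST}{CONTENT_PATH}"},
     "response": {"set_cookie": [f"x-ag-sid={_SID}; Secure; HttpOnly"]}},
    {"seq": 2, "method": "POST", "url": f"https://{PROVIDER_HOST}/consent",
     "headers": {"Cookie": f"x-ag-sid={_SID}"}, "body": "accept=1", "event": "consent"},
    {"seq": 3, "method": "POST", "url": "https://rekognition.example-region.amazonaws.test/",
     "headers": {"Origin": f"https://{PROVIDER_HOST}", "User-Agent": "constructed UA"},
     "body": "<webcam frame bytes>"},
]


def _host(url):
    return urlparse(url).hostname or ""


def _decode_candidates(value):
    """Yield plausible decodings of a cookie or query value: raw, URL-decoded, base64."""
    yield value
    yield unquote(value)
    padded = value + "=" * (-len(value) % 4)
    try:
        yield base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        pass


def _mentions(value, needle):
    return any(needle in decoded for decoded in _decode_candidates(value))


def pre_consent_disclosures(capture, provider_host=PROVIDER_HOST, content_host=CONTENT_HOST):
    """Requests to the provider before the consent event that reveal the visited site."""
    findings = []
    for entry in capture:
        if entry.get("event") == "consent":
            break
        if _host(entry["url"]) != provider_host:
            continue
        headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
        referer = headers.get("referer", "")
        if _host(referer) == content_host:
            findings.append((entry["seq"], "referer", referer))
        for name, values in parse_qs(urlparse(entry["url"]).query).items():
            for v in values:
                if _mentions(v, content_host):
                    findings.append((entry["seq"], f"query:{name}", v))
        body = entry.get("body", "")
        if _mentions(body, content_host):
            findings.append((entry["seq"], "body", body))
    return findings


def cookies_encoding_content(capture, provider_host=PROVIDER_HOST, content_host=CONTENT_HOST):
    """Set-Cookie values from the provider whose decoded form names the visited site."""
    findings = []
    for entry in capture:
        if _host(entry["url"]) != provider_host:
            continue
        for raw in entry.get("response", {}).get("set_cookie", []):
            name, _, rest = raw.partition("=")
            value = rest.split(";", 1)[0]
            if _mentions(value, content_host):
                findings.append((entry["seq"], name.strip(), value))
    return findings


def third_party_origin_leaks(capture, provider_host=PROVIDER_HOST,
                             third_party_hosts=THIRD_PARTY_HOSTS):
    """Third-party requests whose Origin header names the age-check provider."""
    findings = []
    for entry in capture:
        if _host(entry["url"]) not in third_party_hosts:
            continue
        headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
        origin = headers.get("origin", "")
        if _host(origin) == provider_host:
            findings.append((entry["seq"], "origin", origin))
    return findings


def audit(capture):
    return {
        "pre_consent_disclosures": pre_consent_disclosures(capture),
        "cookies_encoding_content": cookies_encoding_content(capture),
        "third_party_origin_leaks": third_party_origin_leaks(capture),
    }


if __name__ == "__main__":
    for check, hits in audit(CAPTURE).items():
        print(f"{check}: {len(hits)} finding(s)")
        for seq, where, value in hits:
            print(f"  request #{seq} [{where}] {value}")
```

On a real capture, export the browser's network log as HAR and map each entry's request URL, headers, body and response Set-Cookie headers into the same shape; the consent event is whatever request the page issues when the user accepts the privacy policy. A compliant double-anonymity flow yields no findings from any of the three checks, because the provider's widget request carries neither Referer nor site parameters, the session cookie encodes only an opaque identifier, and biometric requests are proxied or made without an Origin that names the provider.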

Age assurance has a category problem

AgeGO, then, does not develop age assurance software, but has signed on as an aggregator of age verification services for porn sites and other businesses looking to comply with the DSA. It is effectively a middleman – and, in keeping with that model, it appears to be skimming data from users in the course of shepherding them to an age verification provider that observes strict privacy rules.

AI Forensics says “Arcom’s October 2024 technical guidelines define ‘double anonymity’ as an option in which the age verification provider – in this case, AgeGO – must not know for which service (i.e. which pornographic website) the verification is performed.”

But AgeGO is something different from an age verification developer: a verification enabler, which has allegedly piggybacked on legitimate methods to collect sensitive user browsing data.

The discovery demands a response from age assurance providers, who are at a critical moment in the mission to build lasting trust with the public. Age check laws have already caused uproar over privacy concerns. The din becomes much harder to calm every time a story like this one breaks.

AgeGO is not a member of the Age Verification Providers Association (AVPA), but the group’s Executive Director Iain Corby points to potential challenges with the way the system is set up.

“France’s rules require that at least one age check uses double anonymity,” Corby wrote in an email to Biometric Update. “Providers have tried faithfully to implement these regulations. They clearly protect users’ privacy but raise practical questions about billing and audit. If suppliers cannot see which site a user is accessing, how do they invoice? If platforms cannot see which provider supplied a check, how do they rely on it? The answer may come from interoperability – an ecosystem that counts usage anonymously and certifies participating providers so platforms can trust checks without revealing the site or the supplier. Otherwise, it is hard to see how a commercially viable market can operate in France within the rules.”

The situation also calls into question the further development of the lexicon for age assurance. Yoti is a company that develops algorithms and software for various methods of age assurance, both biometric and otherwise. In that, it is a “provider.” But if this label also applies to what AgeGO does – package and sell other companies’ age verification technologies – surely it is too broad, and warrants further refinement at the legal level.

For its part, AgeGO is careful in its privacy policy to refer to what happens “during the age verification process” – which is not where the issue lies.

The policy also says that “AgeGO will not provide Users’, End Users’, and Business Customer data to third parties, understood as third parties that do not carry out a function on behalf of or commissioned by the service provider or data controller, that is, AgeGO.” This allows plenty of leeway to share data with any entity that “carries out a function on behalf of” or “is commissioned by” AgeGO.

The company has not provided public comment on the AI Forensics report.