France Identité app launches sandbox for iOS, proves age check privacy bona fides

France Identité, the French government’s mobile app for digital identity verification, has made its sandbox build available in iOS.

Writing on LinkedIn, technical director Anthony Carmoy says “this means that early testers can now experiment with France Identité sandbox builds on both Android and iOS, and validate concrete end-to-end flows across the two main mobile ecosystems.”

Carmoy says both Android and iOS sandbox builds now support OID4VP 1.0, “to support interoperability testing with relying parties and verifiers preparing for the European Digital Identity Wallet.”

France Identité is working on adding more credentials and supported protocols to progressively expand testing possibilities.

The team behind the French identity app has been busy lately, announcing last month a successful first ‘unlinkability’ test for age assurance in real conditions, in which no tracking warnings were detected on the age proof.

A post from Florent Tournois, director of identity at France Identité says this effectively delivers on the app’s privacy by design promise.

France hard on porn, eyeing social media

On its website, the Age Verification Providers Association (AVPA) notes that “France has one of the most developed and enforceable age-verification regimes in the European Union. The framework is primarily focused on preventing minors from accessing online pornographic content, supported by criminal law, sector-specific legislation, and active regulatory enforcement.”

France is associated with the double-blind method for age assurance, having written the requirement into its adult content legislation: at least one offered method for age assurance must operate such that the adult platform knows nothing about the user except that they are allowed in, and the age assurance provider has no way to know which sites a user is visiting.

Legislation on age restrictions for social media is likely coming, as well.

Don’t put Big Tech in ‘middle of every verification event’: Braxman

AVPA has itself been characteristically busy. A new article posted to its LinkedIn account reflects on a video from Rob Braxman Tech, in which Braxman argues that if an age signal is anchored in hardware and tied to a platform account (Apple ID, Google account, Microsoft ID), “then Big Tech sits in the middle of every verification event.”

“You may be anonymous to the website, but if the underlying mechanism is hardware attestation, where the TPM chip cryptographically vouches for the device state to the platform’s cloud, your activities may become even more visible to the platform.”

Could such hardware-bound credentials, asks AVPA, allow activity to be correlated across unrelated services, “creating a persistent identifier that, unlike a browser cookie, you cannot simply clear?”

Moreover, “if the trust root sits inside a Big Tech account, does the age verification framework inadvertently hand them yet more data, regardless of how privacy-preserving the signal is to the websites and apps receiving it?”

As alternatives, the post points to passkey-based interoperability (FIDO2), which binds credentials to a device without requiring an OS vendor in the trust chain, and PWA token models that bypass the app store layer entirely.

But the overarching point is simple: don’t let Big Tech monopolize yet another online service.

AVPA takes on Big Tech in New Mexico trial

AVPA’s executive director, Iain Corby, was in the U.S. this week to give evidence in the next stage of a trial in New Mexico, where Meta has already been fined $375 million for harms arising from CSAM and addiction under product safety laws.

Per a summary sent to Biometric Update, questions from the attorney representing the State of New Mexico focused on the cost of age checks, and interoperability. As has been his wont recently, Corby highlighted the proximity principle applied in public health and safety, which dictates that the protection should be as close to the risk as possible.

Meta continues its tireless campaign to push back against age verification laws for platforms; in New Mexico, its lawyers argued that Corby, who represents age assurance providers, was biased in favor of age assurance; asked what he knew about New Mexico; and insisted their internal inference model – which it calls “heuristics” and the UK Information Commissioner’s Office (ICO) calls “profiling” – works just fine, despite concerns about yet more exploitation of user data.

The Silicon Valley giant, which runs Facebook and Instagram, has proven to be ineffective (or uncooperative) in complying with Australia’s Social Media Minimum Age requirement: data from a recent survey shows that, of the total number of users under 16 who had accounts on Instagram before the prohibition, some 70 percent maintained access.

Article Topics

age verification  |  AVPA  |  double-blind age assurance  |  France  |  France Identité  |  interoperability