Online age verification: the CNIL is not satisfied with the existing solutions

Clicking “I’m over 18” is a small barrier to preventing minors from accessing adult content online. However, this is the only verification that many pornographic sites have imposed for many years, but a law passed in July 2020 has tightened the noose on site publishers. In December 2021, Arcom had thus given formal notice to five of the most consulted pornographic sites in France to comply with legal obligations under penalty of being blocked. In March, noting that the publishers had not complied, Arcom sued several of them.

Regulatory screw turn

The law of July 2020, and more particularly its implementing decree published in June 2021 relating to the verification of the age of Internet users, had the effect of a thunderclap for online services subject to the obligation to verify the age of users. The text of the law clearly specifies that the simple declarative regime that applied until then was no longer sufficient, without however advancing a real solution allowing an alternative solution to be proposed.

On the subject, it is up to Arcom to publish its directives, but that does not prevent the CNIL from deciding on the subject. The commission was thus led to express itself on the decree of June 2021, and yesterday published an assessment of the various approaches envisaged to offer suitable age verification tools.

The CNIL’s analysis sought to verify the compliance of age verification solutions on three criteria: “sufficiently reliable verification, complete coverage of the population as well as respect for data protection and privacy. individuals and their safety. »

No perfect solution in the eyes of the CNIL

The first solution envisaged by the CNIL is that of age verification by validating a payment card, a solution “already implemented by a certain number of players” specifies the Commission. The CNIL sees this as an imperfect method, which notably presents risks in terms of phishing: by multiplying the requests for the Internet user’s credit card, the latter could be more likely to be fooled by a fake site seeking to steal his credit card data for malicious purposes.

Second solution, facial recognition. The CNIL sees several disadvantages in this: first of all a clear tendency to make errors, in particular for “minors and minors close to 18 years old or young adults and adults. But the intrusive nature of the solution, which necessarily accesses the user’s webcam, also leads the CNIL to recommend the use of certified trusted third parties to deploy this type of solution.

In the same way, the solution consisting in encouraging users to acquire a “scratch card” offline allowing them to recover an identifier and password for accessing an online service is not without flaws. The CNIL thus indicates that “this method requires specific governance, with an authority issuing the cards and managing the authentication systems. »

The other solutions considered, age verification by analysis of identity documents, the use of verification tools offered directly by the state face the same challenges, with the establishment of a certified ecosystem capable of Supervise the actors responsible for identity verification, while creating a risk of “associating an official identity with intimate information and a supposed sexual orientation” in the case of state authentication solutions.

The last approach considered, “age verification by inference” systems, which consist of “guessing” the age of the Internet user based on certain third-party information, such as the browsing history, his answers to a questionnaire or analysis of navigation on the services specific to the site editor. Three solutions which obviously do not suit the CNIL, which judges them to be incompatible with data protection, unreliable or reserved for a small number of players.

Sketch tracks

While the CNIL finds fault with all the solutions analysed, it nevertheless outlines a path developed by its own services: designed by the CNIL’s digital innovation laboratory in collaboration with the digital regulation expertise center, the Commission highlights its tool demonstrating the feasibility of a privacy-friendly age verification mechanism. This is based on a cryptographic concept, “zero-knowledge proof”, which allows people to prove their majority without having to reveal other information.

However, the solution also relies on an ecosystem of certified third parties and a control authority capable of issuing these certifications. For now, the CNIL demonstration is just a proof of concept, first presented in June, but it invites those interested to experiment with its solution. This is available on github, adullact and

Source link -97