The Cnil has reviewed the systems that can be used to control the age of Internet users. None are perfect. But that doesn’t mean it shouldn’t be used at all. Recommendations are made in this regard.
This is a new rule enshrined in law: pornographic sites that are accessible in France have the obligation to effectively verify the age of Internet users, so as to prevent minors from accessing content that is not of their age. The goal is commendable: today children have too easy access to X and this must stop.
But the legal scaffolding that has been erected to compel the publishers of X sites to react, under penalty of blocking by Internet service providers after a court decision, is rickety because it is incomplete. Neither the legislator nor the regulator (Audiovisual and digital communication regulatory authority) gives the recipe to follow.
In short, it is up to the sites to manage. Arcom then evaluates the chosen solution and indicates whether it is appropriate or not. And for the moment, nothing finds favor in his eyes: the Arcom has for example given notice to the site “Jacquie et Michel” to do better, under penalty of access restriction. However, the site is paradoxically one of the few to attempt real control.
How to check the age of Internet users on X sites?
It is in this strange context that the National Commission for Computing and Liberties (Cnil) made its contribution on July 26, 2022. The authority endeavored to review the existing systems (verification of the age by payment card validation, by facial analysis, by offline verification, by analysis of identity documents, by tools offered by the State, by inference).
The conclusions were predictable: these devices, which contribute to the protection of minors, are never perfectly effective and workarounds are possible “. In addition, the CNIL warns that certain solutions ” may also pose privacy risks » : personal data is at stake in this verification process.
For example, a bank card can be granted to a minor. A child can also possibly steal a parent’s credit card to trick the system. An analysis of facial features also has its limits: in addition to the symbolically quite disturbing character in this context, facial recognition sometimes encounters errors.
As for the solutions that could be considered, the CNIL warns that they may be based on binding technical prerequisites or may not have reached a sufficient degree of maturity. Age verification systems by inference, for example, which consist among other things in guessing the maturity of an Internet user via a questionnaire, are uncertain.
However, it is not because a track is not absolutely perfect and that it does not completely satisfy objectives which can be contradictory that nothing should be done. The Cnil admits the limits of such an exercise, but nevertheless makes recommendations and supports the development of solutions that do not compromise privacy.
“In the absence of being able to aim for absolute efficiency, it is advisable to choose relevant and secure devices to achieve the best possible result. »
CNIL
First and main request: the solution which makes it possible to check the age must be operated by a trusted third party, completely independently of site X. To establish the reliability of this third party, a labeling or certification system could be imagined, with objective criteria to be met, capable of providing sufficient guarantees.
Another obviously major requirement: that the degree of security of the solution be high enough to limit incidents, such as a data leak. Implicitly, we guess that it is necessary to secure the exchanges and to encrypt the possible data being the subject of a storage. Furthermore, data collection should be minimal and as provisional as possible.
The plan imagined by the Cnil involves a process crossing three platforms: the X site, the site which verifies the age by knowing the identity of the Internet user and the site which is the link between the two. It would be “a triple protection of privacy”, estimates the National Commission for Computing and Freedoms. She has also produced an infographic to schematize her idea:
- whoever provides the proof of age knows the identity of the user, but does not know which site is consulted;
- whoever transmits the proof of age to the site may know the site or service consulted, but does not know the identity of the user;
- the site or service subject to age verification knows that the Internet user is of legal age and that a person is consulting it, but does not know their identity.
With the future arrival of the digital identity application, combined with the national electronic identity card, one could imagine that it could generate authentication tokens which would confirm the major or minor character of the Internet user, without expose his identity. But the use of such a sovereign service to access X will not be unanimous.
In short, the challenge that emerges is to determine what is the degree of requirement that we seek to achieve with this age control on websites prohibited to minors, knowing that absolute efficiency does not exist not and that we face contradictory necessities — to verify with certainty the age of an individual, but without jeopardizing too much his private life.
A sacred square of the circle to solve, in short. And in the absence of a perfect solution, we must keep the essential objective of the law: to avoid too easy access by minors to pornographic content. Will we be able to prevent all minors from seeing X? Probably not. But compared to the current situation, where it is open barit will not be worse.