Jason Kelley and Adam Schwartz write:
Age verification systems are surveillance systems. Mandatory age verification, and with it, mandatory identity verification, is the wrong approach to protecting young people online. It would force websites to require visitors to prove their age by submitting information such as government-issued identification. This scheme would lead us further towards an internet where our private data is collected and sold by default. The tens of millions of Americans who do not have government-issued identification may lose access to much of the internet. And anonymous access to the web could cease to exist.
Why We Are Against Age Verification Mandates
Age verification laws don’t just impact young people. It’s necessary to confirm the age of all website visitors, in order to keep out one select age group.
Once information is shared to verify age, there’s no way for a website visitor to be certain that the data they’re handing over is not going to be retained and used by the website, or further shared or even sold. While some age verification mandates have limits on retention and disclosure of this data, significant risk remains. Users are forced to trust that the website they visit, or its third-party verification service, both of which could be fly-by-night companies with no published privacy standards, are following these rules.
Further, there is risk that website employees will misuse the data, or that thieves will steal it. The more information a website collects, the more chances there are for it to get into the hands of a marketing company, a bad actor, or someone who has filed a subpoena for it. This would inevitably lead to further data breaches, because these laws won’t just affect companies that are big enough to have robust data protection. If a website misuses or mishandles the data, the visitor might never find out. And if they do, they might lack an adequate enforcement mechanism. For example, one recent age verification law requires a user to prove “damages resulting from” the unlawful retention of data, in order to hold the website accountable in court—a difficult bar to reach.
These mandates wouldn’t just kick young people offline. There are tens of millions of U.S. residents without a form of government-issued identification. They could also be kept offline if age verification is required. These are primarily lower-income people who are often already marginalized, and for whom the internet may be a critical part of life.
No Age Verification Method Is Foolproof
Last year, France’s Audiovisual and Digital Communication Regulatory Authority ordered several sites with adult content to implement age verification. Then France’s National Commission on Informatics and Liberty, CNIL, published a detailed analysis of current age verification methods. It found that no method has the following three important elements: “sufficiently reliable verification, complete coverage of the population, and respect for the protection of individuals’ data and privacy and their security.” In short, every age verification method has significant flaws.
Whether it’s called “age assurance,” “age verification,” or “age estimation,” there are only a few ways the technology can work. Verification usually requires a website or its contractor to analyze every user’s private information, like the information on government-issued identification cards. A potential alternative is for the website to communicate with third-party companies like credit agencies, but they are known for often having mistaken information. A third option is age estimation via facial analysis, which is used by Instagram. But such face recognition technology has its own privacy and other problems, including clear evidence that errors abound.
EFF and many other privacy organizations have been concerned about age verification laws for decades. We opposed a previous federal law, COPA, the Child Online Protection Act, which included an age verification requirement. It was struck down as unconstitutional nearly twenty years ago for limiting the First Amendment rights of adults.
No one should have to hand over their driver’s license just to access free websites. That’s why EFF opposes mandated age verification laws, no matter how well intentioned they may be. Dozens of bills currently being debated by state and federal lawmakers could result in dangerous age verification mandates. We will resist them.
This article originally appeared on EFF.
Jason Kelley and Adam Schwarz of the Electronic Frontier Foundation recently published the article above arguing that “Age Verification Mandates Would Undermine Anonymity Online.“
We must start by thanking them for this contribution to a debate that will only grow in importance as more states in the US, and globally, seek to pass legislation that applies a higher level of protection to children than adults in the online world, as we have done for a century in real life.
2023 is the centenary of the first law in the UK setting the minimum age for buying alcohol at 18
As the global trade body representing suppliers of age verification (AV) technologies, we hope an equally measured and thoughtful response is helpful in shedding more light on this issue.
First of all, the authors are absolutely right to identify a risk to privacy as the fundamental concern. The specialist AV sector was established in anticipation of a law passed in 2017 requiring British users to prove they were at least 18 before they accessed pornography. From the outset, AV providers knew that users would be very concerned about their online activities being tracked, and the risk of blackmail or of exposure through hacking. But in the wake of major breaches such as Ashley Madison in 2015, the adult sites themselves were equally as worried about creating a new attack vector for hackers who could destroy their business overnight.
So from the start, privacy-by-design through data minimisation has been a founding principle of the AV industry. Our members do not create new central databases of either identities or online behaviour. Neither users nor clients would risk this. The only unhackable database is no database at all – and that principle underpins the design of age verification solutions. Instead, once age has been established, personal data accessed by the provider for this purpose is deleted and users are anonymised. Sites seeking to know if a user is old enough are only informed “yes” or “no” and no record is kept of which site enquired about which user. So there are no risks of “misuse, theft or subpoena” except during the moments an age is being ascertained, which is in any case designed to be a secure process. While the French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL) is going even further and developing a “double-blind” cryptographic mechanism to remove any capability of an AV provider knowing which website a user is accessing (which we would support and aim to adopt if it works effectively), it still recommends the use of third-party age verification providers at present:
Read the full statement at https://avpassociation.com/thought-leadership/a-response-to-the-electronic-frontier-foundation/