:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/C7DDPQF5LZGJZOEOOL5374W67I.jpg)
:quality(70)/s3.amazonaws.com/arc-authors/irishtimes/2a429887-bb72-4814-bd40-0cbf79fe8d51.png)
Nobody wants children to be able to access harmful or age-inappropriate material on the internet, particularly pornography.
Many countries, including Ireland, are seeking an age-verification solution to safeguard those too young to legally access adult content, while keeping the personal data of visitors to such sites private, protected and compliant with data-protection and privacy laws. Unfortunately, right now, no such system is available. Current age-verification schemes create privacy and data risks, and pose additional serious harms.
There’s plenty of evidence for this disappointing reality. Many governments have backed away from age-verification proposals after taking a closer, more considered look. Courts and national data-protection bodies have blocked implementations. Laws have been easily circumvented. Studies have shown the difficulty of achieving workable systems.
[ Meta’s Mark Zuckerberg issues dramatic apology at US Senate hearing on child safety ]
Australia spent years trying to implement a so-called porn passport system that was to involve government-issued identification and the issuance of tokens for adult site access. But late last year the Australian government abandoned those plans over privacy and security concerns.
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/3LYYUMIKQK4LO5ERM52BMYXQEE.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/5K36B2PV7EP5BT7VIMU72H5OIY.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/TIQFULWLDFEIPJ6ASBXLTHNE3Y.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/SALWMXFOSJHRDBANB6BQQ3MCAI.jpg)
France and Germany have brought in age-verification requirements. But France’s data-protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), noted in a 2021 opinion that several principles must be followed to balance age verification with privacy and data protections. These include “no direct collection of ID, no estimation of age based on the web surfer’s browsing history and no processing of biometric data for uniquely identifying or authenticating a natural person (for example, by comparing, via facial-recognition technology, a photograph on an ID with a self-portrait or selfie).”
The French view is particularly notable because, as I noted in last week’s column, in a recent interview the executive chair of Ireland’s new broadcasting and online regulator Coimisiún na Meán (CnM) floated an alarming “gold standard” approach for Ireland (potentially extending to other European Union states) that could require people to upload passport details, plus a selfie for biometric comparison, to porn or perhaps third-party websites. CnM’s rebuttal was that this was just one possibility. Yet this, or using “a live selfie each time you want to access [the porn site] and they use biometrics to check” were the only methods mentioned, both in direct contradiction with the considered opinion of a prominent EU data-protection authority.
Privacy lawyer Mihnea Dumitrascu has stated that age verification is extremely difficult. Collecting identification documents poses “the risk of identity theft in case of disclosure and misappropriation”, and using biometric data violates GDPR’s article nine “since consent would not be freely given, as it would be a condition for access to the content”.
Coimisiún na Meán, effectively the baseline internet regulator for the EU as well as Ireland, has offered the public the worst examples of risky and privacy-compromising age-verification implementations
The advocacy group European Digital Rights (EDRi) has published a position paper representing the views of 20 civil-society organisations. It notes the lack of evidence that age verification keeps children safe, adding: “Currently available measures to undertake age verification come with potentially serious human rights impacts – in particular for the children they are supposed to protect.” These include imposing a chilling effect on accessing information about sexuality and sexual health, giving companies control over what children view online, and violating children’s privacy and data rights. EDRi states that no current age-verification approach avoids these problems.
[ New broadcasting and online regulator has not had an auspicious start ]
Irina Raicu, director of the internet ethics programme at Santa Clara University, told Wired last year: “Many regulators and others seem to think of age verification as a solved problem; technologists and privacy activists, including activists focused on protecting children, are trying to explain that’s not the case.”
Public debates everywhere have acknowledged that age verification on domestic pornography sites will just make external sites – often, more extreme and riddled with malware – an obvious alternative. Spoofed age-verification checks on those sites could harvest identification documents and accompanying photographs for dark-web sale, plus offer obvious blackmail opportunities.
At any rate, geo-blocked sites can be accessed easily using free virtual public networks (VPNs) or the anonymising gateway Tor. Nearly half of 16 to 17 year olds in a UK survey had used such technologies to access porn. When the US state of Virginia implemented age verification, one of the largest US pornography sites just blocked Virginia users – spiking online searches for VPNs.
I argued last week that CnM’s age-verification proposals could morph worryingly to involve social-media platforms and thus gatekeep our daily web activity. The UK research noted above indicates why: more teenagers viewed pornography on social media (63 per cent) and search engines (51 per cent) than on pornography sites (47 per cent). It makes little sense to target only porn sites, except as a PR exercise to be seen to be doing something.
But still-immature age-verification technology isn’t the answer. CnM, effectively the baseline internet regulator for the EU as well as Ireland, has offered the public the worst examples of risky and privacy-compromising age-verification implementations. This raises serious questions about the regulator’s understanding of the online space and age-verification debates.
We should be concerned about attempts to impose age-verification systems. Until technologies improve, such plans threaten the privacy, data and online security of us all.
- Sign up for Business push alerts and have the best news, analysis and comment delivered directly to your phone
- Find The Irish Times on WhatsApp and stay up to date
- Our Inside Business podcast is published weekly – Find the latest episode here
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/sandbox.irishtimes/GW3FWAURWFGM7FF4RMYJLBG7ZI.png)