A response to Professor Jeff Kosseff’s Opinion on Daily Beast

June 1, 2023

An OpEd on Daily Beast by Professor Jeff Kosseff argues “Social Media Age Requirements Are Anti-Free Speech.” First, we’d encourage him to look at how data-minimised, privacy-preserving Age Verification (AV) has been developed in Europe, with no need to retain Personally Identifiable Information (PII).

The associate professor of cybersecurity law in the United States Naval Academy’s Cyber Science Department does rightly highlight the risk that websites will feel compelled to retain evidence of age checks for each individual user to defend against claims. We aim to educate regulators that they should audit the AV process instead, and not encourage creation of new PII databases. Courts will also need to weigh the damaging impact of deciding cases against websites which prioritise data security over retaining PII to fight off individual lawsuits. Indeed, it would be better if any further state laws passed make this clear in statute, as otherwise lawmakers are encouraging the creation of honeypots for hackers, which we would never support and which is arguably already illegal in Europe if the data minimisation principle is properly applied.

Without an equivalent data protection regime to Europe’s GDPR, some of the better state laws requiring AV are rightly requiring that personal data supplied to verify age is not retained or used for other purposes. This is perfectly feasible, as our members can demonstrate. Once an age check has been completed, whether based on ID documents, checking with a database, or using estimation techniques, the evidence need not be retained and can simply be deleted, in many cases leaving only an anonymized record of a user (e.g. MickeyMouse123) and their date of birth or approximate age-range. Some providers are zero-data based. Others operate entirely on the user’s device. Or users can selectively release only their age attribute from a re-usable digital identity they’ve created. For the purposes of preventing children stumbling across porn on the internet, all these options have been deemed quite sufficient by Europe’s regulators.

The Professor points to “the steady drumbeat of data breaches over the past decade” and is wise to state that “no company can guarantee the safety of personal information” – but by not creating any new databases of personal information, age verification creates no new opportunity for hackers to identify online users. That is not only a legal requirement in Europe but a commercial necessity globally – websites do not fare well after they are hacked, so they most certainly don’t want to entrust all their users’ personal data to be stored by a third party.

But what is really required is Federal legislation. Websites may otherwise face 50 separate AV regimes, inconsistent privacy protections, and the technically impossible challenge of confirming in which state each user is currently located – the laws make no exception for VPNs! VPNs are ever-more widely available and cheap or even free-to-use. We also need to put in place an interoperable solution, so once a user has proven their age for one site, they can re-use that same check across other adult sites without sharing personal data. The EU funded a large-scale pilot of such a network, which successfully proved this concept and could easily be established to serve the US market.

Applying the same restrictions we place on children in the real-world, such as not walking into strip joints downtown unchallenged, to the virtual world is technically straightforward. Indeed, it can be done in a more privacy-preserving way than when a full driver’s license is shown at the door of a club, as online only a simple “yes” to the question “is this user 18+?” needs to be shared with the website being accessed.

Age verification does not put online anonymity at risk.  The essence of age verification is proving your age online without disclosing who you are. But we will look back in a decade on the current free-for-all and be astonished at what we exposed our children to without any attempt to prevent exposing minors to what is rightly termed adult content.

Privacy; a foundational concept for age verification

Perhaps the most frequent concern raised about age verification is a risk to privacy.  But the essence of age assurance is the ability to prove your age online WITHOUT disclosing your identity.  Our industry would not exist were there not the absolute need to preserve...