The Euroepan Commission has published an update to their approach to making the internet a safer place for children across Europe, the Better Internet For Kids+ (BIK+) Strategy.
We were delighted to see a commitment to build on the work of euCONSENT – the AVPA is a member of the consortium delivering this EU-funded project to create interoperability for age checks and parental consent processes across Europe:
Building on ongoing work [euCONSENT is a EU funded pilot project aiming to design and test an interoperable solution for age verification and parental consent] and taking account of the new DSA [Digital Services Act] rules for online platforms, the Commission will support methods to prove age in a privacy-preserving and secure manner, to be recognised EU-wide. The Commission will work with Member States [primarily through the safer internet for children expert group] (who in line with national legislation can choose to issue electronic IDs to the under-18s under the recent proposal on a European Digital Identity), relevant stakeholders and European standardisation organisations to strengthen effective age verification methods, as a priority. This work will encourage market solutions through a robust framework of certification and interoperability.
Much of our effort to date has been focused on developing a new draft ETSI standard, a certification process and, of course, technical interoperability which is both privacy preserving and highly secure, so we are pleased to deliver a strong foundation for the revised strategy.
It would be easy to assume that plans for EU-wide electronic ID, also referred to as eIDAS 2.0 or the “European Digital Identity” will supersede the need for a dedicated solution for age verification and parental consent. However, there are short-term tactical reasons why this is not the case, and longer-term, more fundamental challenges to that line of thinking which lead us to believe there will be an ongoing need for an additional layer to the technical “stack” that ensures age-appropriate experiences for kids online.
Short term tactical reasons
- We need a solution today.
The stated goal is for Member states to “issue the new European Digital Identity Wallets one year after entry into force of this new Regulation. The aim is that by September 2022, Member States, in close cooperation with the Commission, agree on the Toolbox to implement the European Digital Identity Framework and that the eIDAS Expert Group publishes the Common Union Toolbox in October 2022.” This would then allow for testing of pilot projects, and there is currently a selection process underway for a grant due to be agreed by December 2022 to run four pilots. This suggests the piloting phase will run through 2023 with wider adoption only beginning in 2024.
In contrast, euCONSENT already integrates with the existing eIDAS through the Belgian provider, itsme, as well as allowing users to verify their age to international standards with a wide range of alternative methods. The network is operationally ready and has been proven through a largescale pilot. Private sector providers are committed to adopting it when it is launched, and several are already integrated through their involvement in the pilots.
- Children don’t use eIDAS
While Member States have the option to issue existing eIDAS credentials to children, very few already do so, and then usually only to older teenagers. It will be quite a change to provide digital identities to children, and there will be usability issues for younger kids which may make providing only age-appropriate content harder to do.
- Surfing the net requires session support
Typically, today using digital ID to prove your identity to a website will involve a user authenticating themselves by logging into their digital wallet, perhaps with a fingerprint, a password or facial recognition, then giving consent to share their identity with a specific third party. It may require scanning a QR code on a website, to trigger the process. This is not a practical solution for someone surfing the web and accessing multiple age-restricted services.
In the longer term, it will be possible to configure digital identity wallets to interplay with a tokenized system, but this is not likely to be a reality for the majority of citizens for several years to come.
- Non-EU and undocumented citizens don’t necessarily use eIDAS
With numerous immigrants living permanently in Europe, and many tourist and business visitors, restricting access to age-restricted content to eIDAS holders only would immediately exclude or delay a large number of people from accessing age-restricted content
Longer term challenges
- Privacy concerns
The European Digital Identity will be positioned as a government-issued ID. Many citizens are concerned about state surveillance of their activities and may be reluctant to use something as closely associated with government for their everyday online activities.; for instance, accessing sensitive age restricted goods and services
euCONSENT places anonymity at its heart, adopting a double-blind approach where the websites never know the identity of the user, and the age verification providers do not record which sites a user visits. Because an age credential can be established without even disclosing your name, address, or date of birth in the first place, using estimation techniques, users can have even greater confidence that their online behaviour is not being tracked.
- Inclusivity
The level of assurance for the eIDAS wallet is intended to be the “High” category. This means that, to have sufficient confidence in the identity, there is a high standard of proof required, typically achieved by relying on physical government-issued documents, such as a National ID card, Passport or Driving Licence. These are not ubiquitous amongst all children in Europe, and may not be available to a significant minority of the adult population, particularly when one considers refugees and asylum seekers. euCONSENT allows anyone to obtain an age credential just based on facial image analysis, for example. This is not the same level of confidence or exactitude required for eIDAS, but for most age-restrictions online will be sufficient for most of the population.
- Parental Consent
There is no mechanism envisaged within the published plans for eIDAS 2.0 to solve the problem of parental consent. Whenever an age check is not possible, or finds the user to be below the age of digital consent, services needing to process data on the basis of consent under GDPR need to obtain parental consent.
euCONSENT has developed an efficient approach to achieve this, and to improve on the level of confidence any existing process has that the adult nominated by the child is actually the legally responsible person.
Conclusion
The BIK+ initiative is based around the notion of content adapted to the user’s age. Unless eIDAS v2 immediately allows direct interrogation of user attributes from the online resources, users will be forced to authenticate with the device every time when navigating from one online resource to the next. EuCONSENT can play the role of intermediate layer that requests the user’s credentials based on a risk-based approach, permitting smooth usage.
It is of course possible that in the longer term, EU citizens grow to trust the privacy-preserving design of the European Digital Identity; that platforms, operating systems and browsers are adapted to draw upon the age information available in the digital ID; every EU resident has obtained one, and it works seamlessly across all devices. But we would not expect this to happen immediately, or indeed, within the next few years, which is a long time to leave children unprotected from the harms of the online world.
The European Commission has often made it clear that they support innovation and technology. We know it wants to stimulate the age verification market, not close it down by assuming eID will take is place. Their expectation is that any options offered by eID in years to come will sit happily alongside other commercial and possibly national solutions. Officials also note that are many categories of users who may never want or be eligible for an eID. They should be free to choose an age-verification system that works for them – whether a key factor is accessibility, nationality, or simple preference. For this reason, the Commission agrees with us that solutions which offer options for interoperability across borders and technologies – such as EUConsent – make eminent sense.
In other words eiD can be one useful option, among the different types of approach to robust age verification / assurance tools, all of which could meet the technical requirements of the planned European standard. We hope euCONSENT will lead the way in this field.