With the news that the Digital Identity Regulation entered into force on 20th May 2024, all Citizens and Residents can now look forward to being offered at least one EU Digital Identity Wallet by their Member State by 2026.
Given how often age verification has been mentioned as a use-case for this new government-approved wallet, it is not surprising that many politicians, officials and regulators are assuming it will resolve the challenge of online age verification – and indeed, help you prove your age when physically in a bar or a supermarket. This is not a wild assumption, and the underlying technology being developed certainly has the potential to do so at some point, but it would be a mistake to assume this is:
- going to happen soon, or
- that it will be a comprehensive age assurance solution available to all who need it, or
- that it will be willingly adopted by everyone who uses the Internet for every age assurance purpose.
As a recent report published by the Commission states: “effective implementation of age assurance remains a complex endeavour. Since any approach must be case- and context-sensitive, there is no one-size-fits-all solution.”
This article will consider these questions, and set out a roadmap for how the EU digital ID wallet could begin to deliver age verification in some ways, but also look at the gaps that will still be left compared to a complete solution.
Accessibility
Often, the term age verification is associated with pornography. That was the highest-profile early use-case, and in many ways the simplest to solve. There is generally a common age of 18, and by then most European adults have a passport, a driving licence, a national ID, or an authoritative record of their age held by their bank or on the electoral roll. Indeed, in theory, every Member State will be offering all 18-year-olds an EU digital ID wallet by 2026 which can, if nothing else, be a reliable source of age data.
But there are other use-cases for online age checks required at ages below 18. Article 8 of GDPR sets the minimum age for giving consent as the basis for the processing of personal data at 16, but Member States have the discretion to reduce this to as low as 13 years old. So, before any data processor can rely on consent as the legal basis for processing personal data, they need to check whether the user is above the relevant minimum “age of digital consent.” The number of 13-16-year-olds with access to the same sources of authoritative age data available to adults is much more limited. And the rollout plans for wallets do not yet envisage comprehensive distribution to minors.
Even younger children will also need to be able to share their approximate age when the Code of Conduct for Age Appropriate Design is developed as part of the existing Better Internet For Kids+ strategy. If this mirrors similar initiatives in the UK and Ireland, then as a minimum, sites will need to put their child users into one of several age-ranges, offering different content and functionality dependent on which category a user falls into. So while we may see some young people in the 15+ range offered EU wallets in the medium term, perhaps reflecting the age at which national ID cards are currently issued in each Member State, no-one has yet suggested these should be issued to toddlers, creating an obvious gap with the current legal demands for age assurance effectively from the moment a child has their first contact with any connected device.
Inclusivity
And at every age, adult and child, we must consider how rapidly the wallet will be adopted. It is not possible to expect every EU citizen to download an approved app at the earliest possible opportunity. Many will, through no fault of their own, struggle to be included in the roll-out – perhaps due to age, access to modern devices, or learning difficulties. Of course, use of the Internet in general is impeded by such challenges, but creating a single requirement to own and operate a digital wallet app in order to access much of the Internet may become a significant additional barrier. Current online age assurance processes offer a range of options, and interoperability will build on that, as well as ensuring there are alternative vouching mechanisms (e.g. references from trusted professionals) available for those without the evidence they need to prove their age.
Practicability
As well as access and inclusivity, there is then the question of practicability. The EU Digital Wallet will be an important tool, offering access to highly sensitive online affairs, such as finance, healthcare or property sales. It is therefore being designed to a “High” security standard. That is going to require the user to take some action each time the wallet is used to prove identity or to selectively share one or more attributes of identity, including age. But we have already set out the wide range of reasons age assurance is going to be regularly required when online, perhaps 30 times in an hour when surfing the web to research a topic where sites will be applying age-appropriate design principles. For this, we need a solution which persistently enables digital services to assure the age of a user, ideally without interrupting the user experience.
A concept of “smart wallets” is being considered, where there is sufficient logic built into a wallet to enable it to select from appropriate credentials to meet the needs of multiple, diverse use-cases. A smart wallet may one day be able to recognise when a digital service needs to check the user’s age, find an age attribute that has been created to a sufficient level of assurance for the purpose in hand, confirm a user’s pre-existing consent to share their age with the site, and seamlessly complete the age assurance process, making the Internet sufficiently age-aware to guarantee the safety of children online. But this is not a feature of the current design for EU wallets, and even were such requirements to be added to the specification tomorrow, it would be many years before this was ubiquitously available. With some large platforms already facing enforcement action today by the Commission for their failure to apply rigorous age assurance, an alternative, if only interim, solution is required right now.
Authentication
Another practical concern arises from the need to bind each age check to the user at the time it is done, to mitigate the risk arising from shared devices. The latest version of the Architecture and Reference Framework sets out how this is to be done:
6.6.3.8 Relying Party verifies or trusts User binding

User binding (sometimes also called ‘holder binding’) is the property that the subject of the PID or attestation, meaning the natural or legal person described in the PID or attestation, is in fact the person that presents the PID or attestation to the Relying Party. User binding prevents an attacker from presenting a PID or an attestation that they are not legally allowed to use. The mechanism(s) available for User binding depend on the presentation flow type (proximity or remote, supervised or unsupervised, see also section 4.2.3), and on the attributes issued to the User by the PID Provider or Attestation Provider. In the first place, the Relying Party can always decide to trust the User authentication mechanisms implemented by the Wallet Instance and the WSCD (see [Topic 9]). This means that the Relying Party trusts that the Wallet Instance and the WSCD have properly authenticated the User before allowing the User to present the attributes. Note that:
- This trust is not based on the outcome of any verification by the Relying Party but is a-priori trust in (in particular) the certified WSCD used by Wallet Instance.
- Using this method implies that Relying Parties also trust device binding, as described in section 6.5.3. The Relying Party Instance in fact first verifies that the PID or attestation is bound to a WSCD trusted by the PID Provider or Attestation Provider, and then trusts that the Wallet Instance and the WSCD have properly authenticated the User.
- As a matter of fact, this User authentication method will always be carried out, since a Wallet Instance must authenticate its User when asking for User approval for presenting any attributes, and since device binding is also mandatory.
The mandatory requirement is to authenticate the user whenever asking for approval to present the age attribute to a digital service, so a user surfing 30 sites an hour will need to prove they are the rightful owner of that wallet 30 times too.
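To make the two layers in the ARF excerpt concrete, here is an added illustration (not code from the article, the ARF, or any wallet implementation) of how a relying party can verify device binding cryptographically while only trusting user binding a-priori. The attestation provider signs the age attribute together with the device's public key; the wallet, after authenticating its user, signs the attestation plus a fresh relying-party nonce with that device key; the relying party checks both signatures and the nonce. The message layout, field names and the `userAuthenticated` flag are assumptions made for this example, and Ed25519 stands in for whatever the certified WSCD actually uses.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Attestation binds an age attribute to the holder device's public key.
// Field names are assumptions for this example, not the ARF data model.
type Attestation struct {
	Issuer    string `json:"issuer"`
	AgeOver18 bool   `json:"age_over_18"`
	DevicePub []byte `json:"device_pub"`
}

// SignedAttestation is the encoded attestation plus the issuer's signature.
type SignedAttestation struct {
	Payload, IssuerSig []byte
}

// Presentation is what the wallet sends: the attestation and a device-key
// signature over (payload || nonce), proving possession of the bound key.
type Presentation struct {
	Attestation      SignedAttestation
	Nonce, DeviceSig []byte
}

// Issue is the attestation provider's step: sign the attribute and the device
// public key together, so the attestation is bound to that device (WSCD).
func Issue(issuerPriv ed25519.PrivateKey, issuer string, devicePub ed25519.PublicKey, over18 bool) (SignedAttestation, error) {
	payload, err := json.Marshal(Attestation{Issuer: issuer, AgeOver18: over18, DevicePub: devicePub})
	if err != nil {
		return SignedAttestation{}, err
	}
	return SignedAttestation{Payload: payload, IssuerSig: ed25519.Sign(issuerPriv, payload)}, nil
}

// Present is the wallet's step. userAuthenticated models the WSCD's local user
// check; the wallet must not sign anything until it succeeds (user binding).
func Present(devicePriv ed25519.PrivateKey, att SignedAttestation, nonce []byte, userAuthenticated bool) (Presentation, error) {
	if !userAuthenticated {
		return Presentation{}, errors.New("wallet refused: user not authenticated")
	}
	msg := append(append([]byte{}, att.Payload...), nonce...)
	return Presentation{Attestation: att, Nonce: nonce, DeviceSig: ed25519.Sign(devicePriv, msg)}, nil
}

// Verify is the relying party's step: issuer signature, then device binding by
// proof of possession of the bound key over a fresh nonce; user binding itself
// is trusted a-priori because the wallet only signs after authenticating.
func Verify(issuerPub ed25519.PublicKey, expectedNonce []byte, p Presentation) (bool, error) {
	if !ed25519.Verify(issuerPub, p.Attestation.Payload, p.Attestation.IssuerSig) {
		return false, errors.New("issuer signature invalid")
	}
	var att Attestation
	if err := json.Unmarshal(p.Attestation.Payload, &att); err != nil {
		return false, err
	}
	if !bytes.Equal(p.Nonce, expectedNonce) {
		return false, errors.New("nonce mismatch: stale or replayed presentation")
	}
	if len(att.DevicePub) != ed25519.PublicKeySize {
		return false, errors.New("malformed device key in attestation")
	}
	msg := append(append([]byte{}, p.Attestation.Payload...), p.Nonce...)
	if !ed25519.Verify(ed25519.PublicKey(att.DevicePub), msg, p.DeviceSig) {
		return false, errors.New("device binding failed: presenter does not hold the bound key")
	}
	return att.AgeOver18, nil
}

// Outcome records what the relying party concluded in each scenario.
type Outcome struct{ Honest, Replayed, WrongDevice, Unauthenticated bool }

// Scenario runs one honest flow and three failure modes with freshly generated
// keys and constructed nonces (test data only, not real issuer or wallet keys).
func Scenario() (Outcome, error) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	devicePub, devicePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	att, err := Issue(issuerPriv, "example-pid-provider", devicePub, true)
	if err != nil {
		return Outcome{}, err
	}
	nonce1, nonce2 := []byte("rp-nonce-0001"), []byte("rp-nonce-0002") // constructed
	var out Outcome
	p, err := Present(devicePriv, att, nonce1, true)
	if err != nil {
		return Outcome{}, err
	}
	out.Honest, _ = Verify(issuerPub, nonce1, p)       // genuine device, fresh nonce
	out.Replayed, _ = Verify(issuerPub, nonce2, p)     // same presentation replayed later
	p2, _ := Present(otherPriv, att, nonce2, true)     // device without the bound key
	out.WrongDevice, _ = Verify(issuerPub, nonce2, p2)
	_, err = Present(devicePriv, att, nonce2, false)   // user never authenticated
	out.Unauthenticated = err == nil
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The point the article makes follows directly from the shape of this flow: the relying party can verify the device signature without any help from the user, but the `userAuthenticated` gate inside the wallet is the only thing tying the device to a person, and it has to be satisfied for every presentation, which is exactly why a user visiting 30 sites an hour is asked to authenticate 30 times.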
Cultural
The final question is whether people will be willing to use a government-issued digital identity as widely as all the legal requirements for age assurance imply. There are those who may not wish to mix their use of adult content with their EU identity. And there are others who may simply wish to maintain a degree of separation to preserve their perception of privacy, no matter how much the technologists reassure them that their age attribute is the only information that is “selectively shared”. Of course, the age assurance industry has already had to contend with scepticism about data security and privacy, but it does offer consumers a choice of suppliers, disconnected from government, and perhaps has a greater chance of securing consumer trust in some circumstances. Attitudes vary across cultures, and this may be a policy question rather than a technical matter, but it must be considered as a vision and strategy for EU-wide age assurance emerges.
The Future, and Now
Stepping back from these specific issues, it is fair to argue that not all of them are insurmountable. Technical, policy and, not yet mentioned, economic solutions are possible in most cases, but it should be apparent that we are some way off a solution that meets the needs of compliance today. The latest invitation to tender for further large-scale pilots includes age verification as one of four use-cases. That can helpfully begin to address some of these challenges, but expectations need to be managed about the scale of the gap between what is currently being developed and what is already required today for the age assurance use-case. That is no reason not to start work, but it is also a good reason not to abandon existing alternative solutions that can solve this problem in months rather than years, such as euCONSENT 2.0 – the AgeAware tokenised ecosystem.