#

Hidden loopholes and privacy risks loom over online age check laws

LONDON — As the New Year dawned in Louisiana, the US state’s 4.5 million residents woke to a new rule that restricts their access to the internet — a measure aimed at stopping children from viewing pornography online.

Act 440, which requires residents to submit a digital driver’s license for third-party age verification before they can access adult websites, is among a clutch of new laws in the United States, Europe, and Britain seeking to protect children on the internet.

“Young people are very, very vulnerable online, and we really don’t think the online platforms do enough,” said Lisa Hallgarten, head of policy and public affairs at Britain’s Brook Health Centre, which advocates for children’s online safety.

Campaigners hope the advent of laws requiring age verification to access certain online content or particular websites could mark a turning point.

The European Union’s Digital Services Act and Britain’s Online Safety Bill require age verification — a way of changing a user’s internet experience according to their age — in order to stop targeted advertising for young people and block their access to adult and other content deemed harmful to minors.

At the same time, some large tech companies have introduced age verification measures, partly to ensure young children cannot open social media accounts.

While children’s safety campaigners broadly welcome such laws and safeguards, data experts warn that age verification and other forms of identity checking threaten the privacy of internet users of all ages through data gathering, storage, or possible leaks.

“As this becomes standard — social compliance essentially — with more sites requesting ID validation, it normalizes the behavior and consequently increases the risk of this information getting into the wrong hands,” said James Walker, chief executive of UK-based consumer data action service Rightly.

FRIENDS, FACE SCANS AND PHISHING
Age verification methods are not new. In the 1990s, the US Communications Decency Act restricted online pornography and gambling websites by requiring users to submit credit card information as a way to stop under-18s from accessing them.

As internet use increased and concern grew about phishing attacks targeting credit card users, companies tried to find less risky ways of detecting users’ ages.

Some adopted trust-based systems, such as a button confirming that a user is over 18 — a mainstay of pornography websites, but such controls have been criticized for being too easy to evade.

Last year, Meta’s Instagram platform rolled out social vouching, whereby three mutual followers confirm how old another user is.

The company also uses artificial intelligence (AI) to estimate a user’s age from their posts, interactions with other accounts, and certain types of content.

Digital rights experts say that method highlights just how much data tech firms can access.

“Social media sites already collect vast troves of deeply personal data. They should not be encouraged or compelled to collect even more through digital identity checks,” Mark Johnson, advocacy manager at the Big Brother Watch rights group, told the Thomson Reuters Foundation.

Meta also uses Yoti, a tool that scans video selfies to estimate a user’s age. It says the data is deleted as soon as the verification check is completed.

But accessing users’ cameras is inherently invasive, according to the French National Commission on Informatics and Liberty (CNIL).

The CNIL noted last year that face scans, especially if required for pornographic websites, may be used for blackmail, and has condemned all current forms of age verification.

Measuring reliability, data privacy, and whether the systems worked across all ages, the group found that there is “currently no solution that satisfactorily meets these three requirements (and) all the solutions proposed can easily be circumvented.”

DATA BREACHES
The success of online age verification is heavily constrained by the way the internet has been built, primarily through closed digital worlds of numerous, private-user accounts which pose a significant risk to user rights, experts say.

“Consumers hand over their email addresses to companies they don’t know, click on emails from organizations they aren’t familiar with, or sign up to competition sites without thinking of the consequences of sharing data,” said Mr. Walker at Rightly.

“Gathering personal information for age verification does run an inherent risk because the only person who can take back control of your data is you,” he added.

Young people’s data has already fallen into the wrong hands in an attempt to provide age verification measures.

In November, a database of 28 million children’s learning records was used by gambling websites to help develop age verification checks. The British government was later criticised by the regulator for its handling of the data in question.

The database included a child’s full name, date of birth, and gender, with optional fields for email address and nationality.

“No one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable,” John Edwards, the head of Britain’s Information Commissioner’s Office, a data protection watchdog, said at the time.

In Louisiana, critics say Act 440 is unlikely to achieve its goal of keeping children from seeing adult content, not least because the age checks can be easily bypassed by using mobile data or a Virtual Private Network that can route internet traffic from elsewhere.

“I imagine that there are going to be some other states that say this isn’t a bad idea, though I don’t think it’s going to be very effective,” said Ken Levy, a professor of Law at Louisiana State University.

Without a coordinated, global approach to keeping the internet safe, experts say there is only so much that lawmakers can do at a local or national level.
“They’re legislators, using the only tools they have in their toolkit,” Mr. Levy said. — Thomson Reuters Foundation