Commission President von der Leyen announces a ready solution for age verification that will enable anonymous surfing and hold platforms accountable.
The era of non-binding appeals to large tech corporations seems to be over in Brussels. In a joint statement on Wednesday, EU Commission President Ursula von der Leyen (CDU) and Vice-President Henna Virkkunen, responsible for tech sovereignty, gave the green light for a new era of digital youth protection. The core of the offensive is a Europe-wide app for age verification, already tested by several countries, which, according to von der Leyen, is now technically ready and will be available to citizens shortly.
The Commission is thus reacting to concerns about risks such as online bullying, addiction factors due to algorithmic design, and cyber-grooming, which involves approaching children and adolescents online. The Commission President’s diagnosis is grim: one in six children is bullied online. Furthermore, social media promotes addiction through endless scrolling, which can impair brain development.
Since platforms have so far been unable to provide effective mechanisms to protect minors from harmful content, the EU is taking matters into its own hands. The new app is intended to enable users to prove their age to online services without revealing their entire digital identity.
Data Protection to the Highest Standard
Technically, the project is based on the digital Covid certificate. As with the pandemic companion, the Commission relies on a model that works on smartphones, tablets, and computers. After downloading, the app is set up once with an identification document. Special attention is paid to privacy. Von der Leyen emphasized: The application meets “the world’s highest data protection standards.” Age is verified without revealing further personal information. The app is “completely anonymous – users cannot be traced.”
The application is based on Zero-Knowledge Proof. This cryptographic principle makes it possible to prove the correctness of information – in this case, reaching a certain age – without revealing the underlying data itself. This is intended to preserve informational self-determination. Platforms only receive confirmation of being “old enough” without having to scan the ID. Austria’s age control already relies on this procedure.
Enforcement of the DSA and EU Shoulder-to-Shoulder
The initiative is closely linked to the enforcement of the Digital Services Act (DSA). Virkkunen made it clear that the Commission is already taking action against companies like TikTok, Facebook, or Instagram for addictive designs. Measures have also been initiated against pornographic platforms, as they often do not use functional age controls. The new application now removes the excuse for corporations that there is no simple technical solution.
Countries like France, Italy, and Ireland are considered pioneers and plan to integrate the app into their national digital wallets. To avoid patchwork, Virkkunen intends to establish an EU-wide coordination mechanism for the accreditation of national solutions this month. The source code of the app is openly accessible as part of the EUDI digital citizen identity to build trust and facilitate integration into company solutions, for example. In Germany, an expert panel will initially develop recommendations for child safety online.
Surprise, the app is insecure hot trash: https://xcancel.com/Paul_Reviews/status/2044723123287666921
Furthermore, social media promotes addiction through endless scrolling, which can impair brain development.
I think this is the big one that’s driving this push for age verification. The issue of YouTube, Twitter, Reddit, and Lemmy rotting kids brains has gotten measurable and significant. I think Gen Alpha is the first generation to end up less academically capable than their parents. The status quo is considered untenable by voters, politicians, and the Epstein class alike. Not to mention the impacts on mental health. If anything the issue is that the legislation is too centered on kids. That’s problematic firstly because it requires proof of age, and secondly because adults aren’t immune to brain rot and addiction.
It is not hard to avoid social media and to keep kids off it. Most parents just don’t want to. And children are less academically inclined because of current culture not technology. Without this tech but culture being as it is now would result in the same thing.
Kinda fucked up honestly, companies paying billions for algorithms to maximise engagement and the government goes for the victims instead of the companies.
This is being pitched as a thing for kids, but kids aren’t champing at the bit to prove they’re children. So, presumably this just means that any time you access a service, you’re gonna have to use this to prove your age, as an adult, right?
Well, kinda. You can have access tiers. For instance no access for age<13, limited access for 13<age<18, full access for age>18.
Needless to say, I think this is (in most circumstances) the wrong approach.
We are talking about products that are often deliberately harmful and hostile to all users, and then we expect to have a child-safe version of these. Shouldn’t we try to get an adult safe version too? It would be way easier to protect children then.
For sure, but in all those access tiers, they would presumably need to verify MY age as well to be sure of which tier I fit into, right? The only reason I can see that I wouldn’t need to use this app is if I’m on a site that isn’t age gated, I think.
Edit: sorry, I didn’t even respond to your second point. I think you’re exactly right about the issue being with them being harmful to begin with. Fixing those issues should absolutely be the first priority.
And I wanna be clear, the idea of a zero proof system is the best I’ve heard of so far in all of these concepts. At least with that there aren’t some insane security issues being overlooked. I’m just wary of the surveillance state future everyone seems to be pushing for.
Assuming the technical implementation is sound (I’m techy but that’s still way over my head), there is something missing from the explanations I’ve been seeing so far.
The state is of course the one who should be proving my identity, and the website has (usually) no business knowing who I am or holding a copy of my documents. The state however has no business knowing what I’m browsing, and a pinky promise is not enough.
I can’t understand whether this is something that the proposed system offers, or whether it’s a property of zero-proof systems in general.
Obviously something like this must necessarily be Free and Open Source if any trust at all must be put into it.
and a pinky promise is not enough.
Yah that’s my sticking point too!
I believe that under good faith, Zero Knowledge Proof could work and guard privacy from both the gov and the sites.
But “good faith” is doing heavy lifting. The desire to corrupt the system in some way that turns ZKP into secretly non-ZKP is going to be huge. Even if it begins OK, we will all become locked into it. And if it gets corrupted years later, too bad so sad, because we’re locked into it!
We’ve already seen intelligence agencies trying to corrupt encryption standards, to look secure when they have a secret flaw. That’s the kind of corruption I worry about with ZKP age gates.
You cannot turn a ZKP into being secretely not ZKP without significant effort though.
Take the following example protocol:
- Social media app sends you a token to verify.
- You append a private secrete string to the token and hash it with a known, collision resistant hash function.
- You send the hash to the government’s server and request an “18+” signature. The signature should correspond to a public key.
- You send the signature back to the social media app, including the secret you used.
- The social media calculates the hash of its token + your secret and then checks whether the governmen’t signature is valid with that value.
The government will not know which social media site was used, the social media site will not discover anything about your identity beyond a binary “is above 18 years old” statement. This is because you control all communication.
To discover anything else, they would BOTH have to collude in some significant way. They can only do so in step 5, by having the social media app send the value you gave it to the government. Maybe there exists a protocol that you control that works against this threat as well, I’m not sure.
But if they collude in step 5 - what prevents the social media company from sending all information it has about you to the government already all the time, even without age verification? Like IP addresses, phone number, access time etc. If the government further controls all the ISP servers and log which traffic from where goes where, it could certainly identify you already.
First, I wanna say I appreciate your reply. It’s well made. I believe you, mathematically, about how ZKP’s work.
I just think that when rubber meet road, there will be potholes. Example, strong encryption cannot be broken, practically speaking. The social media companies make real E2EE. But they control the client. So they simply scrape post decryption from the user’s device. It’s true, the E2EE was secure. But that didn’t matter in the end. There was a way to circumvent.
We’ll see about ways like that with ZKP. I’m not smart enough to know how it may happen. Only that the incentives will be big. Encryption isn’t defeated by breaking the math. Neither ZKP. It’ll be some other way. Something sleazy.
the social media site will not discover anything about your identity beyond a binary “is above 18 years old” statement.
To discover anything else, they would BOTH have to collude in some significant way.
I would say, social media can already discover most ppl’s identity. Without having to collude at all. There’s a whole ass industry of identity resolution, even when ppl don’t mean to give their own identity. Would social medias stop doing that, just because now ZKPs? I’m afraid it may deliver a false feel of security.
Can you explain a little what you mean with:
So they simply scrape post decryption from the user’s device.
As far as I know, no social media company’s posts are E2EE. After all: It’s not possible to have both public posts and E2EE. “Direct messages” to other users can be E2EE but you’d have to trust the company with the encryption keys.
The only condition that requires Zero-Knowledge Protocols to function is that your device is not hijacked by hackers (and there are no deliberate backdoors and such). This can be achieved by having the app be open source with regular security audits. The social media company can do nothing to identify you, nor could the government (unless again, they collude and share secrets).
But yeah, social media can already identify most users because of surveillance capitalism. The goal however is to ensure identification is not in any way made easier via age verification.
Well, it depends what you mean about “adult safe”.
There are still regulations to make sites free of harmful content. Problem is that is not enforced enough.
But do you want governments to decide what’s “adult safe”? It seems that’s an even worse approach with far more overreach than already proposed.
Adult safe should mean porn ban or explicit content, if you want to make unified rules for all ages.
We should also take into account that there factually is a difference between kid brains and adults. This is not coming from nothing, even though the proposed solution ends up being a privacy nightmare.
Such an ID could be used to keep adults (pedos) off children specific sites.
How would that work? How would you distinguish the “pedos” visiting from anyone else? Whatever these “children specific sites” you’re referring to, are children going to create, host, and manage them all on their own without any adults ever to help them at any level?
Doesn’t have to be specifically, children-only sites. Shouldn’t be that difficult to keep anyone without a Minor ID from interacting with those with the Minor ID.
“Children specific sites” in your mind means children will own and manage the sites? HF I don’t what to say to that. Do you really think children are doing IT on YouTube Kids?
Except it will not only be used for this.
