Commission President von der Leyen announces a ready solution for age verification that will enable anonymous surfing and hold platforms accountable.
The era of non-binding appeals to large tech corporations seems to be over in Brussels. In a joint statement on Wednesday, EU Commission President Ursula von der Leyen (CDU) and Vice-President Henna Virkkunen, responsible for tech sovereignty, gave the green light for a new era of digital youth protection. The core of the offensive is a Europe-wide app for age verification, already tested by several countries, which, according to von der Leyen, is now technically ready and will be available to citizens shortly.
The Commission is thus reacting to concerns about risks such as online bullying, addiction factors due to algorithmic design, and cyber-grooming, which involves approaching children and adolescents online. The Commission President’s diagnosis is grim: one in six children is bullied online. Furthermore, social media promotes addiction through endless scrolling, which can impair brain development.
Since platforms have so far been unable to provide effective mechanisms to protect minors from harmful content, the EU is taking matters into its own hands. The new app is intended to enable users to prove their age to online services without revealing their entire digital identity.
Data Protection to the Highest Standard
Technically, the project is based on the digital Covid certificate. As with the pandemic companion, the Commission relies on a model that works on smartphones, tablets, and computers. After downloading, the app is set up once with an identification document. Special attention is paid to privacy. Von der Leyen emphasized: The application meets “the world’s highest data protection standards.” Age is verified without revealing further personal information. The app is “completely anonymous – users cannot be traced.”
The application is based on Zero-Knowledge Proof. This cryptographic principle makes it possible to prove the correctness of information – in this case, reaching a certain age – without revealing the underlying data itself. This is intended to preserve informational self-determination. Platforms only receive confirmation of being “old enough” without having to scan the ID. Austria’s age control already relies on this procedure.
Enforcement of the DSA and EU Shoulder-to-Shoulder
The initiative is closely linked to the enforcement of the Digital Services Act (DSA). Virkkunen made it clear that the Commission is already taking action against companies like TikTok, Facebook, or Instagram for addictive designs. Measures have also been initiated against pornographic platforms, as they often do not use functional age controls. The new application now removes the excuse for corporations that there is no simple technical solution.
Countries like France, Italy, and Ireland are considered pioneers and plan to integrate the app into their national digital wallets. To avoid patchwork, Virkkunen intends to establish an EU-wide coordination mechanism for the accreditation of national solutions this month. The source code of the app is openly accessible as part of the EUDI digital citizen identity to build trust and facilitate integration into company solutions, for example. In Germany, an expert panel will initially develop recommendations for child safety online.
Well, kinda. You can have access tiers. For instance no access for age<13, limited access for 13<age<18, full access for age>18.
Needless to say, I think this is (in most circumstances) the wrong approach.
We are talking about products that are often deliberately harmful and hostile to all users, and then we expect to have a child-safe version of these. Shouldn’t we try to get an adult safe version too? It would be way easier to protect children then.
For sure, but in all those access tiers, they would presumably need to verify MY age as well to be sure of which tier I fit into, right? The only reason I can see that I wouldn’t need to use this app is if I’m on a site that isn’t age gated, I think.
Edit: sorry, I didn’t even respond to your second point. I think you’re exactly right about the issue being with them being harmful to begin with. Fixing those issues should absolutely be the first priority.
And I wanna be clear, the idea of a zero proof system is the best I’ve heard of so far in all of these concepts. At least with that there aren’t some insane security issues being overlooked. I’m just wary of the surveillance state future everyone seems to be pushing for.
Assuming the technical implementation is sound (I’m techy but that’s still way over my head), there is something missing from the explanations I’ve been seeing so far.
The state is of course the one who should be proving my identity, and the website has (usually) no business knowing who I am or holding a copy of my documents. The state however has no business knowing what I’m browsing, and a pinky promise is not enough.
I can’t understand whether this is something that the proposed system offers, or whether it’s a property of zero-proof systems in general.
Obviously something like this must necessarily be Free and Open Source if any trust at all must be put into it.
Yah that’s my sticking point too!
I believe that under good faith, Zero Knowledge Proof could work and guard privacy from both the gov and the sites.
But “good faith” is doing heavy lifting. The desire to corrupt the system in some way that turns ZKP into secretly non-ZKP is going to be huge. Even if it begins OK, we will all become locked into it. And if it gets corrupted years later, too bad so sad, because we’re locked into it!
We’ve already seen intelligence agencies trying to corrupt encryption standards, to look secure when they have a secret flaw. That’s the kind of corruption I worry about with ZKP age gates.
You cannot turn a ZKP into being secretely not ZKP without significant effort though.
Take the following example protocol:
The government will not know which social media site was used, the social media site will not discover anything about your identity beyond a binary “is above 18 years old” statement. This is because you control all communication.
To discover anything else, they would BOTH have to collude in some significant way. They can only do so in step 5, by having the social media app send the value you gave it to the government. Maybe there exists a protocol that you control that works against this threat as well, I’m not sure.
But if they collude in step 5 - what prevents the social media company from sending all information it has about you to the government already all the time, even without age verification? Like IP addresses, phone number, access time etc. If the government further controls all the ISP servers and log which traffic from where goes where, it could certainly identify you already.
First, I wanna say I appreciate your reply. It’s well made. I believe you, mathematically, about how ZKP’s work.
I just think that when rubber meet road, there will be potholes. Example, strong encryption cannot be broken, practically speaking. The social media companies make real E2EE. But they control the client. So they simply scrape post decryption from the user’s device. It’s true, the E2EE was secure. But that didn’t matter in the end. There was a way to circumvent.
We’ll see about ways like that with ZKP. I’m not smart enough to know how it may happen. Only that the incentives will be big. Encryption isn’t defeated by breaking the math. Neither ZKP. It’ll be some other way. Something sleazy.
I would say, social media can already discover most ppl’s identity. Without having to collude at all. There’s a whole ass industry of identity resolution, even when ppl don’t mean to give their own identity. Would social medias stop doing that, just because now ZKPs? I’m afraid it may deliver a false feel of security.
Can you explain a little what you mean with:
As far as I know, no social media company’s posts are E2EE. After all: It’s not possible to have both public posts and E2EE. “Direct messages” to other users can be E2EE but you’d have to trust the company with the encryption keys.
The only condition that requires Zero-Knowledge Protocols to function is that your device is not hijacked by hackers (and there are no deliberate backdoors and such). This can be achieved by having the app be open source with regular security audits. The social media company can do nothing to identify you, nor could the government (unless again, they collude and share secrets).
But yeah, social media can already identify most users because of surveillance capitalism. The goal however is to ensure identification is not in any way made easier via age verification.
Well, it depends what you mean about “adult safe”.
There are still regulations to make sites free of harmful content. Problem is that is not enforced enough.
But do you want governments to decide what’s “adult safe”? It seems that’s an even worse approach with far more overreach than already proposed.
Adult safe should mean porn ban or explicit content, if you want to make unified rules for all ages.
We should also take into account that there factually is a difference between kid brains and adults. This is not coming from nothing, even though the proposed solution ends up being a privacy nightmare.