Commission President von der Leyen announces a ready solution for age verification that will enable anonymous surfing and hold platforms accountable.
The era of non-binding appeals to large tech corporations seems to be over in Brussels. In a joint statement on Wednesday, EU Commission President Ursula von der Leyen (CDU) and Vice-President Henna Virkkunen, responsible for tech sovereignty, gave the green light for a new era of digital youth protection. The core of the offensive is a Europe-wide app for age verification, already tested by several countries, which, according to von der Leyen, is now technically ready and will be available to citizens shortly.
The Commission is thus reacting to concerns about risks such as online bullying, addiction factors due to algorithmic design, and cyber-grooming, which involves approaching children and adolescents online. The Commission President’s diagnosis is grim: one in six children is bullied online. Furthermore, social media promotes addiction through endless scrolling, which can impair brain development.
Since platforms have so far been unable to provide effective mechanisms to protect minors from harmful content, the EU is taking matters into its own hands. The new app is intended to enable users to prove their age to online services without revealing their entire digital identity.
Data Protection to the Highest Standard
Technically, the project is based on the digital Covid certificate. As with the pandemic companion, the Commission relies on a model that works on smartphones, tablets, and computers. After downloading, the app is set up once with an identification document. Special attention is paid to privacy. Von der Leyen emphasized: The application meets “the world’s highest data protection standards.” Age is verified without revealing further personal information. The app is “completely anonymous – users cannot be traced.”
The application is based on Zero-Knowledge Proof. This cryptographic principle makes it possible to prove the correctness of information – in this case, reaching a certain age – without revealing the underlying data itself. This is intended to preserve informational self-determination. Platforms only receive confirmation of being “old enough” without having to scan the ID. Austria’s age control already relies on this procedure.
Enforcement of the DSA and EU Shoulder-to-Shoulder
The initiative is closely linked to the enforcement of the Digital Services Act (DSA). Virkkunen made it clear that the Commission is already taking action against companies like TikTok, Facebook, or Instagram for addictive designs. Measures have also been initiated against pornographic platforms, as they often do not use functional age controls. The new application now removes the excuse for corporations that there is no simple technical solution.
Countries like France, Italy, and Ireland are considered pioneers and plan to integrate the app into their national digital wallets. To avoid patchwork, Virkkunen intends to establish an EU-wide coordination mechanism for the accreditation of national solutions this month. The source code of the app is openly accessible as part of the EUDI digital citizen identity to build trust and facilitate integration into company solutions, for example. In Germany, an expert panel will initially develop recommendations for child safety online.
Yah that’s my sticking point too!
I believe that under good faith, Zero Knowledge Proof could work and guard privacy from both the gov and the sites.
But “good faith” is doing heavy lifting. The desire to corrupt the system in some way that turns ZKP into secretly non-ZKP is going to be huge. Even if it begins OK, we will all become locked into it. And if it gets corrupted years later, too bad so sad, because we’re locked into it!
We’ve already seen intelligence agencies trying to corrupt encryption standards, to look secure when they have a secret flaw. That’s the kind of corruption I worry about with ZKP age gates.
You cannot turn a ZKP into being secretely not ZKP without significant effort though.
Take the following example protocol:
The government will not know which social media site was used, the social media site will not discover anything about your identity beyond a binary “is above 18 years old” statement. This is because you control all communication.
To discover anything else, they would BOTH have to collude in some significant way. They can only do so in step 5, by having the social media app send the value you gave it to the government. Maybe there exists a protocol that you control that works against this threat as well, I’m not sure.
But if they collude in step 5 - what prevents the social media company from sending all information it has about you to the government already all the time, even without age verification? Like IP addresses, phone number, access time etc. If the government further controls all the ISP servers and log which traffic from where goes where, it could certainly identify you already.
First, I wanna say I appreciate your reply. It’s well made. I believe you, mathematically, about how ZKP’s work.
I just think that when rubber meet road, there will be potholes. Example, strong encryption cannot be broken, practically speaking. The social media companies make real E2EE. But they control the client. So they simply scrape post decryption from the user’s device. It’s true, the E2EE was secure. But that didn’t matter in the end. There was a way to circumvent.
We’ll see about ways like that with ZKP. I’m not smart enough to know how it may happen. Only that the incentives will be big. Encryption isn’t defeated by breaking the math. Neither ZKP. It’ll be some other way. Something sleazy.
I would say, social media can already discover most ppl’s identity. Without having to collude at all. There’s a whole ass industry of identity resolution, even when ppl don’t mean to give their own identity. Would social medias stop doing that, just because now ZKPs? I’m afraid it may deliver a false feel of security.
Can you explain a little what you mean with:
As far as I know, no social media company’s posts are E2EE. After all: It’s not possible to have both public posts and E2EE. “Direct messages” to other users can be E2EE but you’d have to trust the company with the encryption keys.
The only condition that requires Zero-Knowledge Protocols to function is that your device is not hijacked by hackers (and there are no deliberate backdoors and such). This can be achieved by having the app be open source with regular security audits. The social media company can do nothing to identify you, nor could the government (unless again, they collude and share secrets).
But yeah, social media can already identify most users because of surveillance capitalism. The goal however is to ensure identification is not in any way made easier via age verification.