How age verification to access porn works in France: ‘They won’t know anything about you, other than that you’re an adult’
Olivier Blazy, one of the architects of the French system, says that it is possible to protect children without undermining the privacy of internet users
The effects of early access to porn on minors are alarming more and more countries. France, Germany and the U.K. have implemented age verification systems for accessing such content. In the U.S., eight states have already done so, and several others are considering it. The Spanish government is preparing its own tool, which should be ready by the end of the summer.
There is some international consensus around the need to delay the age at which young people start watching online porn. In Spain, this begins on average at just eight years of age, according to the Spanish Data Protection Agency (AEPD). But it is less clear what steps should be taken. Many privacy experts fear that these systems will put an end to the digital anonymity of internet users. They have reason to be wary of this, since these mechanisms often manage personal data, which in turn means this sensitive information can be hacked and used to extort money. “Age verification systems are surveillance systems,” argues the Electronic Frontier Foundation, a benchmark institution for the protection of digital freedoms, in no uncertain terms.
What techniques are being used to verify that the person who is trying to access pornographic content is of legal age? There are three main ways to do it. The first is for an adult website to ask the user for a credit card, which usually implies that the cardholder is an adult. The second consists of requesting the user’s identity card, which must be verified manually or using artificial intelligence (AI). The third option is to use an automatic facial recognition system. In all three cases, the user must share sensitive data.
There is a fourth way. Since 2023, the National Commission for Informatics and Liberties (CNIL), the French equivalent of the AEPD, has been testing an online age verification system that is more respectful of privacy. It consists of putting a digital intermediary (a program) between the age verification service and the website that is being blocked from children. The idea is that the system does not have access to data that identifies the user and that the verifier does not know which website the user is accessing.
“They won’t know anything about you, other than that you are of legal age and that someone is asking you to verify your age,” says Olivier Blazy, a computer scientist and professor at the École Polytechnique, from Palaiseau, on the outskirts of Paris. Blazy has worked with the CNIL on developing the French system. “What we are trying to demonstrate is that an age verification tool can be designed that respects the anonymity of users,” says the specialist.
This system is run via the FranceConnect portal, where all French people who pay social security contributions have an account. Blazy and his colleagues have used it as a gateway to access the program they have devised. This ensures that the authorities do not know which websites the user is trying to visit (in other words, which website requires age verification). “When you try to access a website that requires verification, the website will send you a challenge. That challenge is done at a verification provider, which in turn gives a group signature to the user. So the destination website only receives a group signature, with no user details. This is very basic cryptography, which has been around for 15 years, but has never been used in this context,” explains Blazy.
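The exchange described above, sketched as an added example (not code from the CNIL, FranceConnect or the article). A Schnorr ring signature stands in for the group signature, so the site can check that one of a set of providers signed without learning which. The three providers, the function names and the toy group `P`, `Q`, `G` are assumptions, and the group is far too small for real use.

```python
import hashlib, secrets

# Toy Schnorr group (constructed, insecure size): G has prime order Q modulo P.
P, Q, G = 2039, 1019, 4

def H(msg: bytes, point: int) -> int:
    # Full-width SHA-256 value used as the ring challenge.
    return int.from_bytes(hashlib.sha256(msg + point.to_bytes(2, "big")).digest(), "big")

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def ring_sign(msg, ring, idx, x):
    """Sign msg so it verifies against `ring` without revealing idx."""
    n = len(ring)
    c, s = [0] * n, [0] * n
    a = secrets.randbelow(Q - 1) + 1
    c[(idx + 1) % n] = H(msg, pow(G, a, P))
    for j in range(1, n):                      # simulate every other member
        i = (idx + j) % n
        s[i] = secrets.randbelow(Q)
        c[(i + 1) % n] = H(msg, pow(G, s[i], P) * pow(ring[i], c[i], P) % P)
    s[idx] = (a - x * c[idx]) % Q              # close the ring with the real key
    return c[0], s

def ring_verify(msg, ring, sig):
    c0, s = sig
    if len(s) != len(ring):
        return False
    c = c0
    for y, si in zip(ring, s):
        c = H(msg, pow(G, si, P) * pow(y, c, P) % P)
    return c == c0

def run_flow():
    # Three hypothetical accredited providers; only public keys are published.
    keys = [keygen() for _ in range(3)]
    ring = [y for _, y in keys]
    # 1. The website issues a fresh random challenge that carries no user data.
    challenge = secrets.token_bytes(16)
    # 2. The user relays only the challenge to provider 1, which has already
    #    authenticated them as an adult. The provider never sees the site.
    provider_sees = {"challenge": challenge, "adult": True}
    sig = ring_sign(provider_sees["challenge"], ring, 1, keys[1][0])
    # 3. The website receives the signature and checks it against the whole list.
    site_sees = {"challenge": challenge, "signature": sig}
    return ring, site_sees, provider_sees
```

Because the signature is bound to the site's random challenge, it cannot be replayed against a different challenge.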
Weaknesses of existing methods
The French method has advantages over the other three systems. “It is relatively easy to hack systems based on scanning ID documents. And its consequences can be serious for users: they can be impersonated or credit can be requested in their name,” explains Blazy. The implications of using facial recognition are even more serious. “Storing biometric data is always dangerous,” he says. This data unequivocally identifies users, making it a treasure for cybercriminals.
Regarding the most used system — paying zero dollars to prove that you have a bank account — this means that the data of these accounts and their holders must be stored. What’s more, it no longer serves as a way to verify that a user is an adult, because some banks allow minors to have an account. “Children can also take a parent’s credit card and pretend to be them. Our method factors in authentication, so it’s going to be harder for them to cheat the system,” Blazy explains.
The French system is not perfect either. For example, unless a VPN (a virtual private network connection) is used, the websites accessed keep the user’s IP address, which is the identifier or license plate of the device used to access them. “So you are not completely anonymous,” explains Blazy, who adds that foreigners who visit France and want to access pornographic content must open an account on FranceConnect and follow the process described above: “In total, it takes about 10 minutes. It is not a lot of time, but to the users of these portals it can seem that it is a world away.”