The risks of online age verification
Advertisement
Read this article for free:
or
Already have an account? Log in here »
To continue reading, please subscribe:
Digital Subscription
One year of digital access for only $205*
- Enjoy unlimited reading on winnipegfreepress.com
- Read the E-Edition, our digital replica newspaper
- Access News Break, our award-winning app
- Play interactive puzzles
*First annual payment billed as $205.00 + GST for one year. This annual subscription will automatically renew at $233.00 + GST every 52 weeks (10% off the regular annual price of $259.35). Offer available to new and qualified returning subscribers only. Cancel any time.
To continue reading, please subscribe:
Add Free Press access to your Brandon Sun subscription for only an additional
$1 for the first 4 weeks*
- Enjoy unlimited reading on winnipegfreepress.com
- Read the E-Edition, our digital replica newspaper
- Access News Break, our award-winning app
- Play interactive puzzles
*Your next Brandon Sun subscription payment will increase by $1.00 and you will be charged $17.95 plus GST for four weeks. After four weeks, your payment will increase to $24.95 plus GST every four weeks.
Read unlimited articles for free today:
or
Already have an account? Log in here »
As governments finally act on the obvious harms of social media and AI chatbots, bans and age restrictions on access to certain online content are under way. But the regulations and requirements to implement these protections could potentially be damaging to everyone. As rollouts of age verification take place in government rules and regulations, it’s important we get it right.
The easy solution is to do the same thing that is done in an offline world. Show your ID to the provider to prove you should be allowed to have the age-restricted service.
Showing your identification to a service provider online means uploading your ID document to the internet. Everything about that idea should be setting off alarm bells. This is a very bad idea and should not be allowed in any way, shape or form. Yet, some service providers are requiring users to upload some form of government-issued ID to access services.
Identity theft, scams, doxing, frauds of all types, privacy breaches, harassment, credit takeovers, etc., could result from having valuable IDs used in nefarious ways. If every service required ID uploading, your valid, valuable information could be on thousands of servers, ready for one cyberattack to expose it all. This can also be required for something seemingly trivial such as access to play an R-rated video game.
I would consider this to be an egregious example of a privacy violation and, if there is any government regulation regarding age verification, the uploading of official government ID documents such as driver’s licences must be made illegal.
Then how do we prove our ages online if not with our government identifications? A government ID is a multi-purpose document that is useful to prove our age and give us legal permission to drive, for example. But a service provider only needs the answer to one question: is the user over a certain age? It doesn’t need to see our pictures or know our dates of birth, eye colour, height, location or any other information you might find on a government ID. It only needs a verified answer for the question, nothing more.
Zero-knowledge proofs are one way to do this. Users have the “knowledge” of their birth date. An encryption process produces a proof “I am over 18” (or whatever age). The answer can be confirmed without revealing the sensitive data (the birth date) behind the proof. The provider (the website) can run an algorithm on the proof to verify the claim. The protocol and public parameters mean a false proof cannot be generated. This keeps the sensitive information out of the hands of a provider while presenting the proof for verification.
Another method is a token-based system. This would involve an ID token provided by a trusted source that can verify the question and can only provide that the user is who they say and answer “yes” or “no” to the query. A valid token with an answer is sent to the provider to prove the user meets the criteria required by the provider.
The exchange of tokens and the answer would be encrypted. Age could be verified, while preserving sensitive information. In this case, the trusted source, which could be a government agency, already has the information to answer the question, but does not send any sensitive information to the provider requiring proof.
Using any form of sensitive data to confirm identity or age could result in a ticking time bomb for teens.
A teenager following ill-conceived laws could be obligated to upload their newly-acquired driver’s licence to prove that they are 16 and allowed to access social media. The provider takes the identification and stores it on their servers for verification to follow the government regulations. Both are following the rules. Two years later, when the teenager turns 18 years old, suddenly they are inundated with messages from credit agencies asking for payments for credit cards that were fraudulently obtained using their government identification that somehow got hacked from any one of the providers.
They would start their adult life needing to fight possibly numerous fraudulent uses of their identity. This could be the result of dangerously implemented age verification laws that jeopardize not only the teen’s identity, but everyone’s.
If you need to verify teens’ ages to allow or deny them access, everyone else will need to be checked as well.
The political upside of saying you will protect children is obvious. Who could object? Technology companies support the uploading of government identification. Which means you know it’s something that shouldn’t be allowed to happen. Our data is their power.
The consequences of misuse of that data will be on us. We cannot give them access to perhaps the most important data we have. That would be a colossal unforced error we could avoid with a little foresight and careful implementation.
David Nutbean writes on science and technology.