Ministry of Family Affairs develops "data-saving age verification"

Age verification online is a crux of the matter. Researchers believe this is essential in order to create a safe online environment for all users. However, there is currently no method "that adequately protects the fundamental rights of the individual". Media watchdogs, the EU Commission and regulators are calling ever more loudly for the use of robust online age verification systems (AVS).

In view of this dilemma, Federal Minister for Family Affairs Lisa Paus (Greens) has commissioned the Fraunhofer Institute for Secure Information Technology (SIT) to develop a concept for "data-saving age verification". A results paper is now available, and experts worked on its implementation in a workshop.

The risks associated with the implementation of age verification include invasions of privacy, data leaks, behavioral monitoring, identity theft and limited user autonomy. Experts consider common procedures such as video identification procedures, the Schufa identity check, the use of ID cards with an electronic identification function (eID) or youth protection programs or credit card verification to be dangerous from this perspective or associated with too high usage hurdles.

According to their concept study published by Netzpolitik.org in July, the Fraunhofer researchers aimed to enable users to prove their age online without having to create an account or disclose personal data. Their solution: a trustworthy body should use a sophisticated protocol to confirm that a user belongs to a certain age group, i.e. is over 12, 16 or 18 years old.

Service providers such as operators of social networks or erotic portals only find out this so-called age cohort. The intermediary, on the other hand, does not find out for which provider and which type of service the user requires proof of age.

Challenges, especially for the trust center

The scientists describe the verification process as follows: the provider sends the user the age requirement and a random number created by the provider in a standardized format with a short validity period. The user authenticates himself to a verifier of his choice and sends him the data received from the service provider.

The independent body then checks whether the authenticated user meets the age requirement received. It signs the result with the random number. This proof of age is sent back to the provider via the user, who can determine the integrity and authenticity of the data and, if necessary, grant the user access to age-restricted services.

According to the concept, the process can be implemented manually as a browser extension, stand-alone app or via "raw data". In addition to restrictive country-specific rules, the team describes the potential spying or disclosure of access data as a challenge. In addition, the implementation of a public key infrastructure (PKI) with a central, state-commissioned, independent certification authority that does not pursue any commercial interests and can check verifiers neutrally and expertly is necessary for such data-saving age verification.

The Ministry of Family Affairs is working on the implementation in several workshops. According to the documentation of the third relevant meeting in December, also published by Netzpolitik.org, possible verifiers include civil registers, banks, health insurance companies and the Federal Motor Transport Authority. As practical examples, the participants discussed the Savings Banks and Giro Association, which has been offering proof of age for the Kulturpass since October, as well as the mediation service for digital identity management in schools (Vidis). This allows secure registration for a variety of educational services and acts as an interface between identity providers and service providers. Vidis can therefore be considered as a verification point for learners.

(nie)