Under pressure from child protection groups, governments across Europe are starting to tackle the issue of underage access to adult content websites, writes Liudas Kanapiensis, CEO and co-founder of Ondato. However, concerns about data privacy, censorship, and the exploitation of sex workers if sites are forced underground, make it essential to strike the right balance between protection and privacy in the EU.
"I plan to put an end to this scandal", France’s Digital Affairs Minister, Jean-Noel Barrot, told daily newspaper Le Parisien in February.
He was talking about underage access to adult content websites, a subject of mounting concern in France and across the EU. In 2022, a report by French senators ("Hell Behind the Scenes" - "l'Enfer du Décor") concluded that there is "massive, ordinary, and toxic" viewing of porn by children, with two-thirds of children aged 15 or underexposed to pornographic content.
President Macron promised to make protecting children from porn a priority during his bid for re-election last year. In November, he came good on that promise with the Children Online Protection Laboratory, charged with finding ways to shield minors online.
Across the border in Germany, the amended Youth Protection Act of 2021 now requires platforms to take precautionary measures. The German Commission for the Protection of Minors in the Media (KJM) is a supervisory body that has approved over 100 ways of achieving age verification so far, including “Postident”, offered by the German post office, and online age checks.
Elsewhere in the EU, Ireland has proposed a new Online Safety and Media Regulation Bill with powers to issue binding codes of practice on age verification. Spain has passed a new law on the protection of children and adolescents from online violence, and The Netherlands has launched a pilot project to test an age verification app that does not reveal the user’s identity or personal data. The app uses blockchain technology and biometric authentication to create a secure and anonymous digital identity.
Does solving one challenge create another?
Not everyone subscribes to the idea that people need protection from adult content. A libertarian response would be that censorship is inherently unjustifiable and self-defeating. And people working in the industry are concerned that regulation might result in even worse issues in the future.
Paulita Pappel, co-founder of adult content site Lustery, told Wired magazine that such moves are “comparable to China's censorship” and could put the pornography industry back decades in terms of its reputation. She asked what might happen if France and Germany succeed in shutting out local pornographic content providers. “That would push production companies even further to the margins. They would probably move their servers… Smaller companies, queer performers of colour, these are the people that are going to suffer the most”.
The international dimension
Given that EU member states seem to be set on exclusionary measures, what about platforms that are outside the jurisdiction of the bloc? As Pappel points out, all Germany’s precautions for platforms based there do little to prevent German children from accessing international porn sites.
Foreign providers nevertheless have to comply with German law, said the KJM’s Eumann. The KJM, together with state media authorities, is taking action against four platform providers based in Cyprus and which have host providers in the Netherlands or the USA. The requests from KJM to add age verification to those sites have now turned into a legal tussle in Düsseldorf’s administrative courts.
In reality, enforcing any court order will require Germany's biggest ISPs – including Vodafone, Deutsche Telekom, O2 and 1&1 – to block specific websites at the Domain Name System (DNS) level. The ISPs are unlikely to do this voluntarily and any legal imposition by governments is likely to drag on for years. It appears German internet providers refused to block one named site when requested in October 2020. “We've already talked to them - they are not happy,” Eumann said.
Back in France, the government has threatened to block pornographic websites that don’t put age verification systems in place. The data protection and media regulators CNIL and Arcom are set to announce their latest proposals to rein in porn websites. Arcom has taken legal action against five porn sites for failing to implement effective and privacy-friendly age verification systems, as required by a 2020 law. As In Germany, the regulator wants the court to order internet service providers to block access to these sites until they comply with their obligations.
Cyprus, where a number of adult sites operate, is of course an EU member. The EU’s Audiovisual Media Services Directive already requires companies to put measures in place to protect children. And, on top of that, the eIDAS regulation establishes a legal framework for electronic identification and trust services in the EU. eIDAS enables cross-border recognition of electronic IDs, such as national identity cards or digital certificates, and facilitates the use of electronic signatures, seals and timestamps. It can support the implementation of ID verification for adult content providers and consumers in the EU.
Alongside the Directive, the Digital Services Act (DSA), which entered into force on 16 November 2022 and will be directly applicable across the EU by 17 February 2024, does not specifically address age verification of users, but it does require online platforms to take appropriate measures to protect minors from harmful content, such as pornography.
But Germany and France, with their respective legal actions against international operators and apparent readiness to impose blocking orders via local ISPs, appear to be where real change in the EU is likely to happen soonest.
Can technology square the circle of user privacy and protection?
There is a delicate and controversial balance between protection and privacy. ID verification technologies are tools that aim to verify the age of online users and prevent minors from accessing inappropriate or harmful content, such as pornography, gambling or violence. However, these technologies also pose challenges for the data privacy of minors, as they may require them to provide sensitive personal information, such as their identity documents, biometric data or credit card details, which could be misused, leaked or hacked by third parties.
For example, Simone van der Hof, professor of law and digital technologies at Leiden University in the Netherlands, has studied age-verification systems under Europe’s GDPR and found that they might not meet data rules. He says an age-verification system might attempt to overreach - all it needs to do is say whether you are over 18. It doesn’t need all the details on your passport.
Some examples of ID verification technologies that do respect the principles of data minimisation, proportionality, security and transparency are:
Identity document validation technologies (IDVTs) can establish the authenticity of ID documents by checking the security features contained on the document and comparing against other data sources and using biometrics.
Zero-knowledge proofs (ZKPs), are cryptographic techniques that allow a user to prove that they possess certain information or credentials without revealing the information itself. In this case, a user could prove they are over 18 without disclosing their date of birth.
Decentralised identity (DID), which is a form of digital identity that is controlled by the user rather than by a central authority or intermediary. DID relies on distributed ledger technology (DLT) or blockchain to create secure and verifiable identifiers for users, which can be linked to different types of credentials or attributes.
Within IDVTs, AI technologies that can estimate the age of the user based on a photo only are forms of biometric verification that use facial recognition algorithms to analyse the features and characteristics of a face and compare them with a database of age-related patterns. These technologies can provide a fast and convenient way to verify the age of the user without requiring them to provide any other personal information. Other functions make it impossible to trick the systems with still images. Facial biometrics, where a customer simply takes a selfie and an algorithm recognises the age group and assigns it to them, are already able to screen out fake pictures and deliver accurate assessments in 95% of cases. That leaves a relatively small number of users where sites need to ask for backup ID verification.
Finding the right balance
There are clear shifting preferences and behaviour towards adult content consumption online, as users seek alternative ways to access adult content without compromising their privacy or security.
As far as the adult sites are concerned, some may choose to ignore the move towards greater regulation and go into the shadows. But the big players in the market will accept the terms and look at the matter responsibly.
It is clear that EU governments are moving rapidly towards mandatory age verification, even for platforms operating outside their immediate jurisdiction. There is no real problem here because effective ways to determine the age of users already exist, without requiring excessive information. Pretending this is an issue that will blow over one day is no longer credible and all adult content platforms need to be planning their strategies today.