Curated Resource ( ? )

Age Verification Architecture (IETF)

my notes ( ? )

An IETF Internet-draft (a working document) which "describes solution-agnostic and technology-neutral schema for how various intermediaries can gate content and services based on age" Two dimensions are analysed:

  • "efficacy of permitting or restricting access based on age,
  • privacy costs of doing so.

The document concludes with recommendations as well as critical privacy, security and human rights considerations."

key background points

  • Existing systems
    • "large user platforms ... industry standard...: Define, detect, evaluate, enforce, appeal, educate."
    • "In parallel... network operators ... implemented ... age-based access control that rely on content categorization or DNS-level filtering ... classifying destination domains or content types into broad categories—such as adult, gambling, or violence ... do not require identity documents or individual profiling
  • new: "proposals to protect children via age gate... [eg] in the analog world ...entry through hard document checks at liquor stores". But online provokes "tensions between accuracy and privacy". There's been a lot of work - the post provides summaries and links.

"Uploading hard documents to verify identity"

This "often create an illusion for policy makers... However any such system is expensive, difficult to scale, and introduces data protection liability and privacy risks to users— including potential data breaches or the exclusion of users who do not possess traditional identity documents ... unnecessarily scales the risk of privacy, access, and equity harms ... for all users on all apps all the time."

This is not theoretical: Upload government papers to go online? That may be our new terrifying future

Also, "Many age verification methods conflict with data-protection frameworks and data minimization principles". In conclusion:

  • "Requiring all users on all platforms to submit verifiable credentials can create large, sensitive data troves in centralized intermediaries that are vulnerable to breaches, fraud, or misuse.
  • Once compromised, this information is difficult—if not impossible—to secure again...
  • centralizing or repeatedly exchanging such verification data may also create systemic risks to resilience, security, and interoperability... introduce new attack surfaces and potential points of failure ".

The rest of the draft provides terminology, an analysis of age gating methods, enforcement and...

concluding recommendations

, including:

  • "Reducing harm to children on the internet ... cannot be solved by age verification alone."
  • lawmakers can do better than relying on "hard documentation meant for operating automobiles... or social services entitlements"
  • "age-based signup requirements would risk harm to user privacy and free expression for all users"
  • age-gating without these harms through "advanced technical approaches... are currently infeasible or have significant downsides"
  • "Content moderation ... by platforms and services continues to be an established and effective ... with proper recourse and remedy mechanisms"
  • "A more resilient approach ... a plurality of mechanisms operating at different layers... —service, device, and network—each limited in scope and aligned with privacy-by-design principles ... improve overall robustness and inclusiveness while reducing dependence on any single trust anchor."
  • "if widely implemented without ... safeguards, age-verification systems could still result in mass data collection on both adults and children ... Any deployment should be proportional and narrowly tailored to the specific harm it targets, rather than a blanket requirement
  • This is bad for news and other publishers (incl. pornographers), so "The economic argument for a publisher to simply ignore the law is strong, particularly where a law is enacted in a jurisdiction where that publisher has no legal entity ... likely to produce many more non-compliant sites than compliant ones... likely to be non-compliant in other ways too"

It then continues through security, privacy and human rights considerations, and ends with dozens of references.

Read the Full Post

The above notes were curated from the full post www.ietf.org/archive/id/draft-knodel-age-arch-01.html.

Related reading

More Stuff I Like

More Stuff tagged age verification , atprotocol , decentralised , unfinished

See also: Bluesky and the ATmosphere

Cookies disclaimer

MyHub.ai saves very few cookies onto your device: we need some to monitor site traffic using Google Analytics, while another protects you from a cross-site request forgeries. Nevertheless, you can disable the usage of cookies by changing the settings of your browser. By browsing our website without changing the browser settings, you grant us permission to store that information on your device. More details in our Privacy Policy.