5D/ EUconsent - Interoperable Anon Age Verification Across Europe

From IIW

euCONSENT - Interoperable, Anonymised online Age Verification Across Europe


Session Convener: Iain Corby

Notes-taker(s): Iain Corby

Tags / links to resources / technology discussed, related to this session:

www.euCONSENT.eu


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


The European Union has funded a consortium of universities, researchers, tech companies and age verification providers (through their trade body www.avpassociation.com) to develop interoperability across age verification providers.


This 18-month project concludes in August 2022. It has already run a successful pilot across 5 countries, with 1,600 adults and children re-using previously completed age checks, even where those checks were performed by a different AV provider from the one serving the age-restricted online service they wished to access.


The network mirrors eIDAS, the European digital identity scheme. When a user completes an age check, the provider drops a suite of first-party cookies scoped to a shared parent domain, on which each AV provider operates its own sub-domain, so every provider in the network can read them. The cookies only tell another AV provider that the user has previously completed an age check to a particular level of assurance, and when; if that check is recent enough (e.g. within 4 hours) the provider need not prompt for re-authentication on lower-risk use-cases.


If the check is older than the determined period, e.g. 4 hours, the user is redirected to the AV provider where they originally completed the check and re-authenticates there. That provider then confirms to the second AV provider (currently over SAML, because eIDAS uses it) only that the user is old enough to access the service: a “yes” or a “no”, not the actual age, date of birth or estimated age range. If the use-case is higher risk than the existing check covers, the new AV provider prompts the user to complete a new age check to the higher level of assurance required.
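As an added example (not euCONSENT's code), the relying provider's side of the flow above in Python: the cookies the checking provider sets, scoped to the shared parent domain so that sibling sub-domains receive them, and the decision a second provider makes when the browser presents those cookies. The cookie names, the parent domain example-network.eu, the encoding of the five assurance levels as integers 1..5 and the 30-day cookie lifetime are all assumptions for illustration.

```python
"""Relying AV provider's decision logic for re-using an earlier age check.

Added example, not euCONSENT's code. Cookie names, the parent domain and
the integer encoding of the five assurance levels are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from http.cookies import CookieError, SimpleCookie

# Assumed shared parent domain. Each AV provider runs on its own sub-domain
# (e.g. provider-a.example-network.eu), so a cookie set with
# Domain=example-network.eu is sent by the browser to every sibling provider.
NETWORK_DOMAIN = "example-network.eu"
COOKIE_PROVIDER = "euc_provider"      # assumed name: which provider performed the check
COOKIE_LOA = "euc_loa"                # assumed name: level of assurance, 1 (lowest) .. 5
COOKIE_CHECKED_AT = "euc_checked_at"  # assumed name: Unix timestamp of the check


class Decision(Enum):
    ACCEPT = "accept"        # fresh check at a sufficient level: no prompt
    REAUTH = "reauth"        # sufficient level but stale: redirect to the original provider
    STEP_UP = "step_up"      # prior check too weak for this use-case: new, higher-level check
    NEW_CHECK = "new_check"  # no usable prior check


@dataclass(frozen=True)
class PriorCheck:
    provider: str
    loa: int
    checked_at: datetime


def set_cookie_headers(provider: str, loa: int, checked_at: datetime,
                       lifetime: timedelta = timedelta(days=30)) -> list[str]:
    """Set-Cookie headers the checking provider emits after a completed check.

    Only the bare facts go in: who checked, to what level, when. No age, date
    of birth or estimated range. Secure and HttpOnly keep the cookies off
    plaintext connections and out of page scripts; Domain= makes them
    first-party for every provider sub-domain on the network.
    """
    if not 1 <= loa <= 5:
        raise ValueError("loa must be 1..5")
    attrs = (f"Domain={NETWORK_DOMAIN}; Path=/; "
             f"Max-Age={int(lifetime.total_seconds())}; Secure; HttpOnly; SameSite=Lax")
    values = {
        COOKIE_PROVIDER: provider,
        COOKIE_LOA: str(loa),
        COOKIE_CHECKED_AT: str(int(checked_at.timestamp())),
    }
    return [f"{name}={value}; {attrs}" for name, value in values.items()]


def parse_prior_check(cookie_header: str, now: datetime) -> PriorCheck | None:
    """Read the suite of cookies from an incoming Cookie: header.

    Anything missing, malformed, out of range or dated in the future is treated
    as 'no prior check'. The cookie is only a routing hint; the authoritative
    yes/no comes from the original provider after re-authentication.
    """
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return None
    try:
        provider = jar[COOKIE_PROVIDER].value
        loa = int(jar[COOKIE_LOA].value)
        checked_at = datetime.fromtimestamp(int(jar[COOKIE_CHECKED_AT].value), tz=timezone.utc)
    except (KeyError, ValueError, OverflowError, OSError):
        return None
    if not provider or not 1 <= loa <= 5 or checked_at > now:
        return None
    return PriorCheck(provider, loa, checked_at)


def decide(prior: PriorCheck | None, required_loa: int, max_age: timedelta,
           now: datetime) -> Decision:
    """Apply the re-use rules: level first, then freshness."""
    if prior is None:
        return Decision.NEW_CHECK
    if prior.loa < required_loa:
        # A stale check that is also too weak needs a new check anyway.
        return Decision.STEP_UP
    if now - prior.checked_at > max_age:
        return Decision.REAUTH
    return Decision.ACCEPT


if __name__ == "__main__":
    now = datetime.now(tz=timezone.utc)
    # Constructed sample: provider-a checked this user to level 3 two hours ago.
    headers = set_cookie_headers("provider-a", 3, now - timedelta(hours=2))
    cookie_header = "; ".join(h.split(";")[0] for h in headers)  # what the browser would send
    prior = parse_prior_check(cookie_header, now)
    for required in (2, 4):
        print(required, decide(prior, required, timedelta(hours=4), now).value)
```

Whatever `decide` returns, nothing in the cookies grants access by itself: a deleted, expired or tampered cookie only costs the user a prompt, and the actual confirmation is the yes/no the original provider returns over SAML after the redirect.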


To make this work, we needed to define standardised levels of assurance, so that AV providers can compare apples with apples and pears with pears. We have five, mirroring the UK identity standard GPG45.


We also need a trust framework, under which AV providers are audited and certified before they are admitted to the network, to confirm that their data privacy, their security and the rigour of their age checks are sufficient.


AV providers need to reach bilateral commercial agreements before they can re-use each other’s age checks.


We are now considering how to take this forward. Technically, we would like to move from SAML to OpenID Connect. We need to keep pace with eIDAS as it becomes a wallet itself. And we need a governance framework to maintain the standards and apply ethical principles, such as ensuring that all AV providers and their clients support the UN Convention on the Rights of the Child. This makes the network a public good meriting government support.