What information is an age verification provider supposed to collect when checking ID?
ADVERTISEMENT
An age verification provider working with several porn sites in France was found to provide information to Amazon in order to check a user’s age, a new report has found.
European non-profit AI Forensics analysed “network traffic” data to find that Spanish age verification provider AgeGO, used by several porn sites including Xvideos, XNXX, and Tnaflix, sends user data like a webcam stream, the user’s internet protocol (IP) address and that they are above the age of 18 to an Amazon Web Services (AWS) program called “Amazon Rekognition.”.
Amazon Rekognition is an artificial intelligence (AI) service provided by AWS that analyses “millions of images, video streams and stored videos within seconds,” the company says.
The provider also collects emails that might not be necessary for age verification, constituting a “dark pattern,” under EU regulation by asking users for more information than needed.
The report comes a month after France’s regular ARCOM issued formal notices to five porn sites to comply with new regulations to put in place age verification. These systems are also on the rise throughout Europe, with systems already in place in France, the United Kingdom, Germany, Spain and Italy.
So is this a problem with one specific provider or does it apply to other age verification sites?
What information is provided to age verification services?
France’s regulator describes age verification as a system that is put in place to give users access to pornographic content.
AgeGO provides the user with several ways to verify their age, including taking a selfie or uploading a photo of a government ID or a credit card.
ARCOM says under its regulations that age verification has to be done on sites with a third-party provider and give users at least one “double-anonymity” method where the site doesn’t know the identity of the user or the site they are using.
Identity documents also cannot be stored unless the user has chosen to store their data so they can be recognised for a future login attempt, the legislation says.
Vincenzo Tiani, EU senior policy counsel at the Future of Privacy Forum think tank, told Euronews Next that any data that a third-party age verification service provider collects should be deleted as soon as it’s verified.
However, he noted that the data can sometimes be delayed but shouldn’t be kept for more than 30 days.
“The principle is that if you don't need the data, you should not have it … because of course, (a) data leak, data breach could happen,” Tiani said, noting that it is not clear from the AI Forensics report what AWS does with the data when it is received.
Tiani said if there is a doubt from a user about whether their data has been stored or not, they can go to their local authority or data controller, who could decide to launch an investigation.
Euronews Next reached out to ARCOM for a reaction to the AI Forensics report but did not receive a reply at the time of publication.
In an interview with the French newspaper Le Parisien, the regulator said it is working on the report.
Euronews also reached out to AgeGO, Amazon and all three porn sites to find out more about how long their information is stored.
Digital wallet safest age verification method, expert says
Tiani said that there is potential that other age verification sites are working with their data in a similar way to AgeGO.
Providers who are also working with foreign companies such as Amazon, which is based in the United States, would also have conducted a data protection impact assessment, he added.
The safest way for users to provide their data for age verification would be through a digital wallet, like the one used by Belgians called It'sMe, Tiani said.
The app “basically shares with the provider only the data that is required” and not all of a user’s personal information.
The European Union is looking to roll out its European Digital Identity Wallets (eID) by the end of 2026.
