“If we can put a man on the moon, we can make the internet ‘age aware’ without threatening our privacy” <== Musk's management of Twitter and SpaceX has demonstrated how online governance questions are much harder problems to solve than putting humans on the moon.

In the CNIL article of Sept 22 2022, it also states;

“The CNIL also recommends, more generally, the use of a trusted independent third party to prevent the direct transmission of identifying data about the user to the site or application offering pornographic content. With its recommendations, the CNIL is pursuing the dual objective of preventing minors from viewing content that is inappropriate for their age, while minimising the data collected on Internet users by the publishers of pornographic sites.”

and

“In order to preserve the trust between all of the stakeholders and a high level of data protection, the CNIL therefore recommends that sites subject to age verification requirements should not carry out age verification operations themselves, but should rely on third-party solutions whose validity has been independently verified.”

Our members meet these objectives. We are engaging with CNIL to add some of the further cryptographic protections they have been exploring into the AV industry’s standards.

CNIL is also clear that:

“Pending the implementation of a suitable framework, and for a transitional period only, the CNIL believes that some of these solutions may make it possible to strengthen the protection of minors, provided that care is taken with regard to their implementation and in particular to the additional risks generated by their use.”

There is no doubt that technology can deliver privacy-preserving age verification. It is somewhat inconvenient at present as interoperability has not yet gone live. But it is far from impossible. If we can put a man on the moon, we can make the internet ‘age aware’ without threatening our privacy.

I’ve approved your comment even though there is a lot of misdirection and obfuscation in it. The spin starts in the second line, where you describe vendors as “privacy-preserving age assurance technology.” 7 months ago, CNIL said “The CNIL has analysed several existing solutions for online age verification, checking whether they have the following properties: sufficiently reliable verification, complete coverage of the population and respect for the protection of individuals’ data and privacy and their security. The CNIL finds that there is currently no solution that satisfactorily meets these three requirements.” https://www.cnil.fr/en/online-age-verification-balancing-privacy-and-protection-minors

Also, your point #1 seems to completely misunderstand my point about the intractability of contractual “consent” from children, which is either due to a misunderstanding of the US landscape or as a misdirection (or both).

1. Where age assurance is required for 18+ the #infinitecircle (we’d call it “Catch 22”) problem does not arise as only adults are being asked to prove their age so can of course give consent. (The UK data protection authority also issued a statutory opinion that it was legal to process children’s data for the purpose of age assurance as it was in the public interest to do so – consent is only one of several legal bases to process data under GDPR.

2. Consent is sought before any age assurance process our members offer so that can deal with BIPA. If two clicks are required as asserted above, then residents of Illinois will need to click twice

3. Age estimation does not require sufficient facial data to uniquely identity an individual so it has been judged, again by the globally respected UK ICO, not to use sensitive personal data. The mathematical map drawn of a face for analysis to estimate age is relatively simple. You certainly cannot use that data to subsequently spot the person in a crowd or reconstruct a photo.

4. No facial data is retained after a facial age estimation. Any audit is against the process and technology not a specific user’s actual test (unless there was a specific legal requirement to retain such detailed proof but we have not seen that anywhere else in the world – just as not every liquor store takes a photo of a customer’s license)

5. Previous constitutional challenges were built heavily on the argument that age checks were disproportionate inconveniences to adults to protect children. With interoperability, once age check can be used across multiple websites so this has been addressed eg http://www.euconsent.eu

The main issue presented in the US is the inconsistency arising from a patchwork of differing state laws. Geolocation is of limited use given users can pretend to be elsewhere, as the online gambling industry learnt fast.

It is not surprising that these arguments are coming up again but technology is smart – it can allow you to prove your age without disclosing who you are and do so efficiently.

We don’t let kids walk into strip clubs, casinos and bars in real life; why should that not apply in the Metaverse?