By Jarek Sygitowicz, Co-Founder and Chief Strategy Officer at Authologic
It has been just a few weeks since new age verification rules were introduced in the UK as part of the Online Safety Act (OSA). The law was introduced ostensibly with the goal of keeping children safe on the internet by mandating age checks on certain platforms and websites.
However, the Act has been met with outrage and frustration among people across the political spectrum, with privacy fears at the heart of the backlash. According to Bloomberg, UK-based signups for the VPN service Proton surged by 1,800% in the days immediately following the passing of the legislation. Unable to avoid the identification checks on British servers, people flocked to a service that would allow them to circumvent them. Some people have turned to even more creative methods, such as inputting the hyperrealistic faces of video game characters to pass facial age estimation checks.
It’s unsurprising. People rightfully still care about their digital privacy, and they fear the considerable risks that come with voluntarily submitting their data to third-party sites. Even citizens of other countries, having watched the backlash from afar, are now striving to keep their governments from passing similar legislation, with groups like the Electronic Frontier Foundation coming out in strong opposition to similar bills in the U.S. and E.U.
Age verification itself is not the problem, and its implementation is largely inevitable. It makes the internet safer for minors, and scrapping it altogether is a losing policy. This doesn’t have to mean sacrificing user privacy, nor should it.
Photo uploads of physical IDs and biometric facial scans are where the real risk lies. And we have the technology to overcome this: with privacy-preserving digital IDs.
Ideally, the UK would have launched eIDs and then boosted their adoption by passing regulations that promote them. In reality, we lack a cohesive plan to implement eIDs en masse and in coordination with these new OSA regulations.
Safer verification methods, safer internet
Government-issued electronic IDs (eIDs) and digital identity wallets present genuine privacy-preserving capabilities when it comes to online ID checks. When implemented in the right way, they can enable a process called zero knowledge verification. This allows for a single piece of identifying information – such as age – to be confirmed without giving third party systems access to the full information stored on the eID. In practice, a digital ID could be used to confirm that an individual is over 18, without sharing their ID or specific date of birth. The website would never
have access to the person’s sensitive information, but would know that they are on the right side of the age limit, and that this information has come from a reliable, government-backed source.
Zero knowledge verification works, and so do eIDs. Widespread issuance, however, requires a coordinated effort on the part of the government. Some countries are already moving full steam ahead, right on track with eIDAS 2.0 regulations that mandate Bloc-wide issuance by 2026. In Poland, roughly 10 million citizens have and use digital IDs. Meanwhile, Italy is formally rolling out the digital IT-Wallet to all citizens after a successful pilot program involving 50,000 people. Other countries, including Denmark and Portugal, are also making major strides.
In comparison, the UK lags seriously behind. The pushback against new age verification rules has underscored the critical need for eIDs among the UK population. People value their online privacy, and they are not willing to give it up. They’re already voting with their wallet, proving that they would rather shell out money for VPNs than risk falling victim to identity fraud and data theft. A more robust strategy for eID issuance, that enables zero knowledge verification for citizens, is crucial to countering this opposition and keeping the Online Safety Act alive.
Electronic IDs and OSA’s future, in the long and short term
The UK has taken some steps towards a more comprehensive eID program. The government is reportedly beginning to seriously consider proposals to issue so-called Britcards en masse, a move that has been met with bipartisan support. But this is not a pioneering move. It’s a game of catchup, and long overdue.
The effectiveness and longevity of the Online Safety Act may hinge upon the British government’s ability to enforce it in a way that demonstrably protects users’ privacy. It’s unfortunate that it has happened in this order.
In an ideal world, issuance would have come before regulation. Now that the toothpaste is out of the tube, so to speak, the only option is for the government to respond with a coordinated eID push as soon as possible.
Online age verification is an effective measure for protecting minors on the internet. It’s not going away, nor should it. Even so, it cannot come at the cost of privacy. The only truly privacy-protecting middle ground is zero knowledge proofs, enabled by eIDs. Until the British government is able to implement those effectively, it will face a population rightfully weary of the Online Safety Act, and ready to sidestep it whenever possible.
Authologic is the global eID hub bridging the gap between traditional KYC processes and the future of identity verification.
