“2023 will see the end of access to pornographic sites for our children,” said French Digital Minister Jean-Noël Barrot at the beginning of February, in his latest affirmation, reported Le Figaro. And by mid-month, politicians on the National Assembly culture committee voted to finally get this underway and include social media companies such as TikTok and Instagram.
Pornography will be reserved for those over 18, and social media will be capped at 15 unless parents supply permission. A technical solution involving “double anonymity” is being proposed and could be in place for testing as soon as March, states Le Figaro.
Barrot is hoping for a world-first, where porn and social media will be digitally ring-fenced. The technicalities are not yet fixed. He said the proofing (“attestation numérique”) could be via a telecom provider, digital identity provider or other organization. Failure to do so could lead to fines of 1 percent of global turnover, reports Politico.
Reuters reports that non-compliant sites could also be banned from publishing in France.
The concept for double anonymity is that the provider of proof of age will generate a token saying the person is of age, but does not itself know where the token will be used. The porn site or social media site will then accept the token for the individual, but does not know his or her identity.
Politico reports that the bill still needs to pass through plenary session and the Senate. The audio-visual regulator Arcom (formerly CSA) and data privacy regulator CNIL will enforce the new legislation and are also expected to release the technical guidelines soon.
“Our conclusion at the moment is that there are no real practical solutions that can match all the necessary requirements for security, privacy protection etc,” Erik Boucher de Crèvecoeur, IT expert at the Digital Innovation Lab (LINC) at CNIL said at the euCONSENT 2022 Conference in June.
They will not accept biometric identification (not proportional) or age estimation base on browsing history. A trusted third-party should be used. De Crèvecoeur and colleague presented a cryptographic signature instead which creates a challenge that needs to be signed and which the internet user takes to a third party to tick off. Neither party would know the individual’s identity, but the certifying authority would know which providers have signed which certificates.