(16)
> In order to prevent and combat online child sexual abuse effectively, providers of hosting
> services and providers of publicly available interpersonal communications services should
> take reasonable measures to mitigate the risk of their services being misused for such abuse,
> as identified through the risk assessment. Providers subject to an obligation to adopt
> mitigation measures pursuant to Regulation (EU) 2022/2065 may consider to which extent mitigation
> measures adopted to comply with that obligation, which may include targeted measures to
> protect the rights of the child, including age verification and parental control tools, may also
> serve to address the risk identified in the specific risk assessment pursuant to this
> Regulation, and to which extent further targeted mitigation measures may be required to
> comply with this Regulation.

"reasonable measures" assumes a lot, especially coming from agencies that believe client-side-scanning doesn't undermine e2ee.
This is the first mention of "age verification" in the document, but it comes up quite a lot afterward. Usually that line of thinking converges on requiring people to provide some government id in order to use the internet, which is terrible for a multitude of reasons...
Thomas Lohninger of epicenter.works gave a talk at the recent Chaos Communication Camp about what the EU is doing in this area:
https://media.ccc.de/v/camp2023-57548-digital_identity_and_digital_euro
He notes that the EU is working on some methods to do age verification without disclosing government id explicitly - some involving zero-knowledge proofs - but he makes a few critical points:
1. the "digital wallet" system they are proposing is going to be a very high-value target with a fairly large attack surface
2. government-issued hardware wallets are not accessible to undocumented migrants
3. not everyone has a phone they can use for this purpose
(16a) says the age verification should be "non-discriminatory and accessible", but I don't see how that's possible given the points above without falling back to scans of government id.