Digital wallet plan is a dangerous infringement on privacy

Mandating the use of a State-run digital identity as a pre-condition for holding or using a social media account would represent a profound expansion of government control, write Olga Cronin and Kris Shrishak of ICCL

Governments sometimes require people to identify themselves, but doing so is an exercise of power that should not be introduced lightly.

This requirement when combined with digital technology demands even greater caution as such an infrastructure could pose, accidentally or by design, a range of risks for people’s right to privacy, data protection, anonymity, access to information, freedom of expression, non-discrimination and security.

Mandating the use of a State-run digital identity as a pre-condition for holding or using a social media account — in the name of either age-verification or “to block anonymous accounts” — would vastly compound these issues and represent a profound expansion of government control.

In a democratic society, governments must answer critical questions before any moves to make the above a reality, including:

  • What is the clear and limited purpose of this system and is there a legitimate aim?
  • Is the system necessary and proportionate to address the stated problem? What demonstrable evidence is there?
  • How effective will this system be and what are the assessment metrics? Could the system be circumvented or spoofed?
  • What risks would such a system pose for the human rights and freedoms of citizens?
  • Will the design and architecture of the system, along with the implementation source code, be made public ahead of any trial or launch for expert analysis and auditing?
  • Will human rights impact assessments, including Data Protection Impact Assessments, be performed and published prior to the deployment of this system?
  • Will the State publish the details of the privacy guarantees of the design and the deployment of the system?
  • Will the government run the entire infrastructure for this system? If not, which private entities will the government depend on to run (parts of) this infrastructure?
  • Will the public be forced to rely on “wallets” from companies such as Google or Apple, effectively pressuring the entire population into participating in corporate surveillance and further embedding Big Tech into our daily lives?
  • What legal basis and statutory oversight mechanisms exist in respect of the system?

The risks to human rights and technical challenges here cannot, and should not, be underestimated, which is why questions like these are critical.

ZKP is not the answer 

Many supporters and vendors of age-verification systems make much of the concept of ‘zero-knowledge proof’ (ZKP) — a cryptographic way of letting one party prove to another that they hold specific knowledge or a credential without revealing it. While the idea of ZKP is 40 years old, in recent years ZKPs have become efficient and fast.

One of us is a cryptographer and can attest that ZKP does not solve all the problems these age-verification systems present. ZKP is not without pitfalls and it only addresses some of the privacy risks.

ZKP is not a full solution. It needs to be integrated into a system and the actual reality of creating such a privacy-preserving age-verification system is hugely complex.

In addition, currently ZKP has limitations: insufficient privacy protections, centralisation risks, and the risk of excluding parts of the population. But even when these issues are addressed, ZKP should not be seen as a complete solution to a sociotechnical problem, which could be insurmountable.

It was for these reasons that before Christmas, ICCL, along with Digital Rights Ireland, called on the minister for communications Patrick O’Donovan to clarify his plans following his sudden announcement that he would launch a new digital wallet to verify the age and identity of social media users in Ireland.

That this announcement was made without any public, democratic debate of all the issues concerned or questions outlined above, is deeply unsettling.

MyGovID 

That concern is considerably heightened by the fact that his proposal is based on the existing MyGovID, an online identity authentication service provided by the Department of Social Protection for people aged 16 and over.

MyGovID itself has no legal basis in Irish legislation and it is inextricably linked to the illegal Public Services Card, the State’s de facto national ID card created by stealth over nearly 15 years.

The MyGovID app has received consistently poor reviews on the Apple and Google Play stores and has been the target of sophisticated phishing scams.

Despite all of these issues and concerns, the minister plans to steamroll ahead with a pilot in a matter of weeks. 

This is a pilot without details of how it is expected to empirically measure the impact of the scheme; how it will affect rights; or how it is expected to demonstrate the alleged benefits. Even a recent pilot of the wallet for public servants had no details.

This mirrors a pattern: State-run pilots, such as the Garda bodyworn camera pilot and the sudden Garda Taser pilot, are utterly opaque with no information on how these are being evaluated. 

As others have pointed out, this recent Government approach to pilots, amidst its further embracing of techno-solutionism, does not augur well for Irish society.

And remember these plans to dismantle online anonymity coincide with Government plans to dangerously undermine, if not eviscerate, offline anonymity with bills that would allow the guards to (1) find and categorise us based on our biometric data (e.g. our facial features or gait) and, (2) identify us with the use of facial recognition technology.

Ireland’s approach contradicts the EU’s 

Given these serious legal and technical concerns around age-verification systems, but in particular the concerns around minister O’Donovan’s plans, it is instructive to compare Ireland’s approach with the EU’s digital identity framework.

By the end of 2026, all EU countries will be required to offer a digital identity wallet that would allow people to access public and private services and to store and display digital documents from their mobile phones.

While states will be required to offer people a means to digitally identify themselves, as it stands there will be no legal obligation for citizens to use it.

This is to ensure that people who cannot, or do not wish to, use it are not discriminated against and continue to have full access to public and private services by other existing means.

Anonymous, no more 

The European Commission will not be providing a unique European Digital Identity. Rather, each member state will create their own national digital identity wallet. 

In Ireland, the Irish version of this wallet is being developed by the Department of Public Expenditure and Reform and the Office of the Government Chief Information Officer (OGCIO) and at the centre of it is… MyGovID. 

Are we heading for a “mandatory but not compulsory” part deux?

The problems for the Government, by building on a faulty and legally dubious system, are piling up and, in turn, the Government is risking our rights to privacy, data protection and security as it embarks on potentially creating a State surveillance infrastructure.

Child safety is a real concern and a legitimate aim. But obliterating online anonymity is a blunt, dangerous measure that will chill speech and sacrifice the privacy, free expression and security of everyone, with no proven benefit to children. 

That’s a dangerous trade-off we must not accept.

  • Olga Cronin, Surveillance and Human Rights senior policy officer, ICCL 
  • Dr Kris Shrishak, senior fellow, ICCL
