Protection of Minors in Telemedia

Closed user groups

As specified in the Interstate Treaty on the Protection of Minors (JMStV), pornographic content, certain listed (indexed) content and content which obviously seriously impairs minors may be distributed in the internet only on the condition that the provider ensures that access to the content is possible only for adults by means of a closed user group. To ensure the proper functioning of closed user groups, so-called age verification systems are used.

Key criteria

The KJM has developed key criteria concerning closed user groups which have to be met in a two-step process.

1. Identification

In a one-off identification process verifying that a person is of age, personal contact is required. For the reliable verification, natural persons must be personally identified, also regarding their age. Personal identification is needed to prevent any fraud or other danger of the safeguards being circumvented.

Persons interested in entering a closed user group have to identify themselves at least once via a personal contact. “Personal contact” means a face-to-face control procedure including a comparison with an official document of identification (ID card, passport). The data required for identification can be gathered in different locations (e.g. post office counter, various sales outlets such as shops of mobile operators, lottery shops, banks and building societies etc.). For a location to be rated suitable for gathering data, it must employ reliable staff which is qualified and sufficiently trained for this task.

Under certain conditions it is also possible to resort to a face-to-face control process which has already taken place. This can be the case in the event of the “identity check including quality bit” procedure of the SCHUFA or identification procedures resorting to personal data which were collected in the process of taking out a contract (e.g. contracts for a mobile phone). However, in this case the access permission must be forwarded by registered mail or in a similarly qualified manner ensuring personal contact. This is due to the fact than an identity which was claimed at the start of such a process must be verified in relation to the true identity of a person. Forwarding the access permission in other ways such as e-mail or via the bank statements is not sufficiently secure or reliable.

The control of ID card numbers (so-called perso-check procedure) or the presentation of a certified copy of an ID card is not sufficient as this only confirms the identity of the document, but not the identity of a person. Likewise, identification via webcam does not provide sufficient reliability and thus does not meet the requirements regarding their reliable identification as specified in the KJM assessment criteria.

2. Authentification

Authentification presents the second step for each instance of accessing a closed user group:

It ensures that only the identified person who has been verified as being of age can gain access to a closed user group. The risk of passing on access entitlements to persons which are not entitled to access a closed user group such as minors is thereby made more difficult. Alongside securing closed user groups via a specific, individually allocated adult password, the protective measures must make multiplication and the use of access permissions by unauthorised third parties more difficult. The relevant data can be protected against passing on via technical measures, e.g. hardware solutions including protection against duplication such as ID chips, SIM cards, DVDs, CD-ROMs, token generators, PCs requesting the processor ID etc.

Procedures

The JMStV does not specify any procedure for certifying closed user groups or age verification systems. The KJM has therefore developed a positive assessment procedure and assesses concepts at the request of a manufacturer of service provider. In this way, the protection of minors in the internet can be improved; at the same time, the service offers more legal and planning security to providers. Devising an internet offer in line with the requirements of the JMStV is the responsibility of the content provider, not the KJM. The provider can make use of technical concepts for the protection of minors which have already been given a positive rating by the KJM.

The KJM assesses both complete package solutions as well as partial solutions (modules) for closed user groups. The assessment of modules makes it easier for users to implement their concepts. For instance, providers can combine modules which have been positively assessed by the KJM to produce a modular comprehensive solution meeting the requirements of the JMStV and the KJM. Modules can, for instance, be procedures for identification only, or for authentication or for other major components of an age verification system.

The KJM only assesses concepts. The assessment of issues relating to content depends on the practical implementation of the closed user groups.