Paloma Llaneza
Lawyer, systems auditor, security consultant, expert in the legal and regulatory aspects of the internet and CEO of Razona Legaltech, a technology consultancy firm specialising in digital identity
Any age verification system must also ensure the privacy of the person whose age is being verified. An example: a little while ago on Bluesky, I saw that I had a direct message, so I went to open it and was told that direct messages are not activated unless I verify my age. One of the options it gives me for age verification is to provide a credit card, but you can always steal your father's credit card, and besides, it means putting your credit card in the hands of a company when you don't know whether its security measures are good or bad.
The next option is biometric recognition, which will protect minors at the cost of all large corporations having their faces and those of all users scanned. People who work in facial biometrics will tell you that it's not actually your face that's scanned, but certain points, and that these physical graphs are stored cryptographically. But the truth is that once that facial recognition is stored, it can be recognised anywhere in the world, even if the photo isn't stored, because the data needed to recognise you again is stored.
The third option it gives me is to scan my national identity card, but the Spanish Data Protection Agency has already made it clear that scanning or photocopying your ID card, as they were doing in hotels, is excessive; all you can do is show it. How can I be sure that a Californian start-up like Bluesky will not be bought by a large corporation tomorrow and that all that data will not remain stored there? In other words, we have to find systems that allow age verification, but with the necessary anonymity, which may seem strange, but is technically possible. I don't think age verification is a bad thing, but of course, what methods should be used? That is the question.
If the method has to be the European Digital Identity Wallet (EUDI Wallet), which theoretically should be available in Spain by the end of this year and which many of us have been working on for a long time, it has the ability to generate a presentation, which can be a QR code, pulling real data from a person and saying that this person is over 16 years old, without saying who the person is or what their name is. It uses a technology called zero-knowledge proof, which means that someone, a trusted third party, attests that you are of legal age and the whole system works so that you can trust that information. This can work in Spain because minors can have a national identity card.
Age verification is a problem that we have been dealing with since the birth of the Internet, and now it can be done with very specific measures, which are not cheap, if we want to ensure the privacy of our citizens. It seems to me that if we are talking about digital sovereignty, the first thing is that no country should have access to the biometric data of our citizens.
And on the subject of the criminal liability of CEOs, I think we are aware that any measures we take will only come into force when the CEO sets foot on Spanish territory. Although it may be of little use in the short term, I find it very interesting, because a CEO will think twice when he or she will be personally liable with their own assets for what happens in any country in the world. It is not the same to be held civilly liable as it is to be held criminally liable. In fact, the case of Pavel Durov with Telegram in France is significant.