I work at a European identity wallet system that uses a zero-knowledge proof age identification system. It derives an age attribute such as "over 18" from a passport or ID, without disclosing any other information such as the date of birth. As long as you trust the government that gave out the ID, you can trust the attribute, and anonymously verify somebody's age.
I think there are many pros and cons to be said about age verification, but I think this method solves most problems this article supposes, if it is combined with other common practices in the EU such as deleting inactive accounts and such. These limitations are real, but tractable. IDs can be issued to younger teenagers, wallet infrastructure matures over time, and countries without strong identity systems primarily undermine their own age bans. Jurisdictions that accept facial estimation as sufficient verification are not taking enforcement seriously in the first place. The trap described in this article is a product of the current paradigm, not an inevitability.
Age verification is very hard, because parents will give their children their unlocked account, and children will steal their parents' unlocked account. If that's criminalized (like alcohol), it will happen too often to prosecute (much more frequently than alcohol, which is rarely prosecuted anyways). I don't see a solution that isn't a fundamental culture shift.
If there's a fundamental culture shift, there's an easy way to prevent children from using the internet:
- Don't give them an unlocked device until they're adults
- "Locked" devices and accounts have a whitelist of data and websites verified by some organization to be age-appropriate (this may include sites that allow uploads and even subdomains, as long as they're checked on upload)
The only legal change necessary is to prevent selling unlocked devices without ID. Parents would take their devices from children and form locked software and whitelisting organizations.
If we're going to do this at all, it should be on the device, not the website/app. Parents flag their child's device or browser as under 18, and websites/apps follow suit. Parents get the control they're looking for, while service providers don't have to verify or store IDs. I guess it's just more difficult to pressure big dogs like google/apple/mozilla for this than pornhub and discord.
There are alternatives to ID verification if the goal is protecting children.
You could, for example, make it illegal to target children with targeted advertising campaigns and addictive content. Then throw the executives who authorized such programs in jail. Punish the people causing the harm.
There is a solution missing.
Give our personal devices the ability to verify our age and identity securely and store it on device like they do our fingerprint or face data.
Services that need access only verify it cryptographically. So my iPhone can confirm I’m over 21 for my DoorDash app in the same way it stores my biometric data.
The challenge here is the adoption of these encryption services and whether companies can rely on devices for that for compliance without having to cut off service for those without it set up.
The purpose of a system is what it does.
Undermining data protection and privacy is clearly the point. The fact that it's happening everywhere at the same time makes it look to me like a bunch of leaders got together and decided that online anonymity is a problem.
It's not like kids having access to adult content is a new problem after all. Every western government just decided that we should do something about it at roughly the same time after decades of indifference.
The "age verification" story is casus belli. This is about ID, political dissent, and fears of people being exposed to the wrong brand of propaganda.
> And the only way to prove that you checked is to keep the data indefinitely.
This is a false premise already; the company can check the age (or have a third party like iDIN [0] do it), then set a marker "this person is 18+" and "we verified it using this method at this date". That should be enough.
Most of this debate makes more sense if the actual goal is liability reduction, not child safety. If it were genuinely about protecting kids, you'd regulate infinite scroll and algorithmic engagement optimization, not who can log in.
Big tech likes this because there are a lot more face recognition technologies in the wild in real life and being able to connect all real life data to online data is quite valuable. It's also quite possibly the largest training set ever for face recognition if ids are stored and given how ids and images are sold across many companies it seems very high probability that some company will retain the data rather than delete after use.
I worked for a decade in what I would consider the highest level of our kids' privacy ever designed, at PBS KIDS. This was coming off a startup that attempted to do the same for grownups, but failed because of dirty money.
Every security attempt becomes a facade or veil in time, unless it's nothing. Capture nothing, keep nothing, say nothing. Kids are smart AF and will outlearn you faster than you can think. Don't even try to capture PII ever. Watch the waves and follow their flow, make things for them to learn from but be extremely careful how you let the grownups in, and do it in pairs, never alone.
The purpose is to control the Internet. They've been trying this for ages. They tried with terrorism and other things. Now the excuse is protecting children.
Not exactly a good moment for this caste of politicians to pretend they care about children's well-being, though.
>Some observers present privacy-preserving age proofs involving a third party, such as the government, as a solution, but they inherit the same structural flaw: many users who are legally old enough to use a platform do not have government ID.
So there is absolutely no way to change that and give out IDs from the age of 14? You can already get an ID for children in Germany https://www.germany.info/us-de/service/reisepass-und-persona...
This is a problem that has to be solved by the government and not by private tech companies.
This is a lazy cop out to say "we have tried nothing and we are all out of ideas"
Even if you design the perfect system, kids will just ask parents for an unlocked account, many parents will accept, myself included. My kids have full access to the internet and I never used parental control, I talk to them. Of course, I don't want to give parenting advice, that would be presumptuous. But, my point is that a motivated kid will find a way, you have to "work" on that motivation.
Much of the worst present on the internet is not age gated at all, you have millions of porn websites without even an "are you over 18" popup. There is a plethora of toxic forums...
Of course it's a complex problem, but the current approach sacrifices a lot of what made the internet possible and I don't like it.
Zero-knowledge proofs exist, that verify that a user's id holds certain properties, without leaking said ID.
I would like to take the discussion in the other direction. How about we offer safe spaces instead of banning the unsafe spaces for kids.
Similar to how there are specific channels for children on the TV. Perhaps the government can even incentivize such channels. It would also make it easier for parents to monitor and set boundaries. Parents would only need to monitor if the TV is still tuned to Disney Channel or similar instead of some adult channels.
Similarly this kind of method could be applied to online spaces. Of course there will be some kids that will find ways around it but they will most likely be outliers.
We are missing accessible cryptographic infrastructure for human identity verification.
For age verification specifically, the only information that services need proof of is that the user's age is above a certain threshold, i.e. that the user is 14 years or older. But in order to make this determination, we see services asking for government ID (which many 14-year-olds do not have), or for invasive face scans. These methods provide far more data than necessary.
What the service needs to "prove" in this case is three things:
1. that the user meets the age predicate
2. that the identity used to meet the age predicate is validated by some authority
3. that the identity is not being reused across many accounts
All the technologies exist for this, we just haven't put them together usefully. Zero-knowledge proofs, like Groth16 or STARKs, allow for statements about data to be validated externally without revealing the data itself. These are difficult for engineers to use, let alone consumers. Big opportunity for someone to build an authority here.
Parents are competing with multi-trillion dollar companies who have invested untold amounts of cash and resources into making their content addictive. When parents try to help their children, it's an uphill battle -- every platform that has kids on it also tends to have porn, or violence, or other things, as these platforms generally have disappointingly ineffective moderation. Most parents turn to age verification because it's the only way they can think of to compete with the likes of Meta or ByteDance, but the issue is that these platforms shouldn't have this content to begin with. Platforms should be smaller -- the same site shouldn't be serving both pornography and my school district's announcement page and my friend's travel pictures. Large platforms are turning their unwillingness to moderate into legal and privacy issues, when in fact it should simply be a matter of "These platforms have adult content, and these ones don't". Then, parents can much more easily ban specific platforms and topics. Right now there are no levers to pull or adjust, and parents have their hands tied. You can't take kids off Instagram or TikTok -- they will lose their friends. I hate the fact that the "keep up with my extended family" platform is the same as the "brainrot and addiction" one. The platforms need to be small enough that parents actually have choices on what to let in and what not to. Until either platforms are broken up via antitrust or until the burden of moderation is on the company, we're going to keep getting privacy-infringing solutions.
If you support privacy, you should support antitrust, else we're going to be seeing these same bills again and again and again until parents can effectively protect their children.
"Age-restriction laws push platforms toward intrusive verification systems that often directly conflict with modern data-privacy law" - when you make rules contradictory, someone always violates these laws, and you can use selective persecution to "convince" companies to favor you, the incumbent politician. You don't even have to use such power, just a "joke" may be enough to have any rational CEO licking your shoes.
European proponents of "anti-big-tech action" make it pretty explicit - broad discretionary power should be given to executive branch, because otherwise "international corporations" will use "loopholes" (and these "loopholes" are, in practice, explicitly written laws used as intended).
> Some observers present privacy-preserving age proofs involving a third party, such as the government, as a solution, but they inherit the same structural flaw: many users who are legally old enough to use a platform do not have government ID. In countries where the minimum age for social media is lower than the age at which ID is issued, platforms face a choice between excluding lawful users and monitoring everyone. Right now, companies are making that choice quietly, after building systems and normalizing behavior that protects them from the greater legal risks. Age-restriction laws are not just about kids and screens. They are reshaping how identity, privacy, and access work on the Internet for everyone.
This rebuttal to privacy preserving approaches isn't compelling. Websites can split the difference and use privacy preserving techniques when available, and fall back to other methods when the user doesn't have an ID. I'd go further and say websites should be required to prioritize privacy preserving techniques where available.
There is a separate issue of improving access to government ID. I think that is important for reasons outside of age verification. Increasingly voting, banking, etc... already relies on having an ID.
I have no idea where this idea that Internet is toxic to children is coming from. Is that some type of moral panic? Weren't most of you guys children/adolescents during the 2000's?
Here is an example of the problem with inference-based verification:
Surprisingly there are solutions that work just fine.
It's like bankid or myid works in Scandinavian countries.
When you need to identify yourself you are challenged by a 3rd party trusted service.
Making this an age verification should be very easy.
I'm certain there is a way to verify age without compromise of privacy or identity. I'm sure it's possible to build some OAuth-like flow that could allow sites to verify both human-ness and age. The systems and corporations that gate that MUST (in the RFC sense) be separate from the systems and corporations that want the verification.
Do we need laws to make this happen? What methods can be used to aid adoption? Do site operators really want to know the humanness and ages or are those just masks on adding more surveillance?
How about we accept age verification but every parliamentary type that voted in favor goes to jail for just one year for each data breach?
Practically that means all of them will be imprisoned for life, of course.
I like the solution Tim Berners-Lee is working on. Let's hope he has some success.
https://www.theguardian.com/technology/2026/jan/29/internet-...
> "Social media is going the way of alcohol, gambling, and other social sins: societies are deciding it’s no longer kids’ stuff."
Oh, remember those good old times when alcohol was kids' stuff.......
Age Verification is very hard to do without exposing personal information (ask me how I know). I feel it should be solved by a platform company - someone like Apple (assuming we trust apple with our personal information but seems like we already do) - and the platform (ios) should be able to simply provide a boolean response to "is this person over 18" without giving away all the personal information behind the age verification.
Now the issue of which properties can "ask to verify your age" and "apple now knows what you're looking at" is still an unsolved problem, but maybe that solution can be delivered by something like a one time offline token etc.
But again, this is a very hard problem to solve and I would personally like to not have companies verify age etc.
The thing that needs to be age banned, or really just banned, is algorithmic feeds with infinite scroll. Kids (and adults) need to just interact with their friends, and block all the bait.
What's always got me about this is when I was in school I had it absolutely drilled into me that I should never expose personal information online to anyone, I completely saw the logic in that and so heavily limit the personal data I give out. Now we're just expecting people to completely go against that and give away the most personal details possible to companies who cannot prove what they are or are not doing with it just because governments have decided that's best now?
It's kind of weird to me how every article on this topic here has people rushing to comment within a couple minutes with some generic "yes I too support ID checks for internet use!". Has the vibe really shifted so much among tech-literate people?
Isn't it a simpler solution to create some protocol for a browser or device to announce an age restricted user is present and then have parents lock down devices as they see fit?
Aside from the privacy concerns, all this age verification tech seems incredibly complicated and expensive.
people really believe this coordinated push across jurisdictions is about kids and verifying their age? this excuse to try to end pseudonymity on the web is as old as the mainstream internet itself
to a lot of people it never sat well that people could just go online and say whatever they want, and communicate with each other unsupervised at large scale, and be effectively untargetable while doing so - that model of the internet was only allowed because it happened under the radar and those uncomfortable with it have been fighting it since they got the memo
Well there are technical solutions for this: blind signatures.
I could generate my own key, have the government blind sign it upon verifying my identity, and then use my key to prove I'm an adult citizen, without anyone (even the signing government) knowing which key is mine.
Any verifying entity just needs to know the government public key and check it signed my key.
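The blind-signature flow described in the comment above, as an added example (not code from the thread or from any deployed wallet): the user blinds a hash of their own key, the issuer signs after its ID check without seeing that hash, and a verifier checks the unblinded signature with only the issuer's public key. Assumptions: textbook RSA with no padding (real systems use a padded scheme such as RFC 9474), a constructed toy issuer key, and hypothetical names `digest`, `blind`, `issuer_sign`, `unblind`, `verify`.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy issuer key built from two well-known Mersenne primes.
# Fixed so the example runs offline; a modulus of this form is NOT a safe key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # issuer public key (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))      # issuer private exponent


def digest(wallet_pubkey: bytes) -> int:
    """Hash the user's self-generated public key to an integer below N."""
    h = hashlib.sha256(b"age-over-18|" + wallet_pubkey).digest()
    return int.from_bytes(h, "big")


def blind(m: int) -> tuple[int, int]:
    """User side: hide m behind a random factor r before sending it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r


def issuer_sign(blinded: int, id_check_passed: bool) -> int:
    """Issuer side: signs only after its own ID check; never sees m."""
    if not id_check_passed:
        raise PermissionError("identity / age check failed")
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """User side: strip r, leaving an ordinary signature on m."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(wallet_pubkey: bytes, sig: int) -> bool:
    """Verifier side: needs only the issuer public key (N, E)."""
    return pow(sig, E, N) == digest(wallet_pubkey)


def demo() -> dict:
    wallet_pubkey = secrets.token_bytes(32)   # stand-in for a real public key
    m = digest(wallet_pubkey)
    blinded, r = blind(m)
    sig = unblind(issuer_sign(blinded, id_check_passed=True), r)
    return {
        "issuer_saw_digest": blinded == m,
        "valid": verify(wallet_pubkey, sig),
        "other_key_valid": verify(secrets.token_bytes(32), sig),
        "same_as_plain_sig": sig == pow(m, D, N),
    }


if __name__ == "__main__":
    print(demo())
```

Because the issuer cannot see what it signs, the issuing key has to be dedicated to this one attribute, and the verifier should also make the holder prove possession of the private key behind `wallet_pubkey`. A credential reused across sites acts as a linkable pseudonym, which is why deployed designs issue one-time tokens instead.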
Why is no one talking about using zero knowledge proofs for solving this? Instead of every platform verifying all its users itself (and storing PII on its own servers), a small number of providers could expose an API which provides proof of verification. I'm not sure if some kind of machine vision algorithm could be used in combination with zero-knowledge technology to prevent even that party from storing original documents, but I don't see why not. The companies implementing these measures really seem to be just phoning it in from a privacy perspective.
Does each service really need to collect this data from the user directly? They could instead have the user authorise them by e.g. OAuth2 to access their age with one of the de-facto online-identity-providers. I would be surprised if they didn't implement an API for this sometime soon, cause it would place them as the source of truth and give them unique access to that bit of user data. Seems like a chance and position they wouldn't want to lose.
Isn't clear whether the paradox is biometric verification or ID data collection.
"Verifying age undermines everyone's data protection"
That's the whole point, right? A pretense to remove any remaining anonymity from communications?
Governments are endlessly infested with the worst people. They look back at historical attempts at totalitarianism and think to themselves, "Let's facilitate something like that, but worse".
The internet isn’t the same as it was when we were growing up, unfortunately. I miss the days of cruising DynamicHTML while playing on GameSpy but… yeah. It became an absolute clusterfuck and I’m not surprised they now want to enforce age restrictions.
Maybe TBL is right and we need a new internet? I don’t have the answer here, but this one is too commercialized and these companies are very hawkish.
Someone explain to me like I'm 5: there are some solutions already in effect that are based on cryptographically generated, anonymous, one-time use tokens that allow confirming adults' age without being tied to your ID. Why on earth do even technically skilled people completely ignore those? Is this pure NIMBY ignorance or am I missing something?
I would argue that this has nothing to do with age verification, but everything to do with getting identifiable data on all of us.
In my experience the people who want "privacy preserving age verification" are the same people who want "encryption backdoors but only for the good guys." Shockingly the technically minded among them do seem to recognize the impossibility of the latter, without applying the same chain of thought to the former.
It's insanely dangerous to have so much data stored on so many servers that are inevitably not maintained.
Every age verification scheme is really an identity verification scheme, "age" is just the acceptable entry point. Once the infrastructure exists to verify you are 18, it can verify you are not on a watchlist, verify your creditworthiness, verify your political associations.
You are not building a parental filter. You are building rails.
"Protect the children" is the canonical playbook for every surveillance expansion since forever. The children get protected for six months. The infrastructure stays forever.
This is my problem with the Discord situation too:
Big tech doesn't have to wait for an outright government ban when they can just say that we are a teen-only site by default and everyone has to verify if they are over 18 or not. This age verification will affect everyone no matter what.
I don't get the alcohol analogy as in most places it's 100% legal for minors to consume alcohol in the home with parental permission in the USA. In public it's a different story.
I'm not too knowledgeable about this, but couldn't you just provide a government issued key to every citizen and give a service provider that key and it's only valid if you're above a certain age?
We'll try everything, it seems, other than holding parents accountable for what their children consume.
In the United States, you can get in trouble if you recklessly leave around or provide alcohol/guns/cigarettes for a minor to start using, yet somehow, the same social responsibility seems thrown out the window for parents and the web.
Yes, children are clever - I was one once. If you want to actually protect children and not create the surveillance state nightmare scenario we all know is going to happen (using protecting children as the guise, which is ironic, because often these systems are completely ineffective at doing so anyway) - then give parents strong monitoring and restriction tools and empower them to protect their children. They are in a much better and informed position to do so than a creepy surveillance nanny state.
That is, after all, the primary responsibility of a parent to begin with.