The Age Verification Trap
Waydell D. Carvalho (Hacker News):
In cases when regulators demand real enforcement rather than symbolic rules, platforms run into a basic technical problem. The only way to prove that someone is old enough to use a site is to collect personal data about who they are. And the only way to prove that you checked is to keep the data indefinitely. Age-restriction laws push platforms toward intrusive verification systems that often directly conflict with modern data-privacy law.
This is the age-verification trap. Strong enforcement of age rules undermines data privacy.
[…]
When disputes reach regulators or courts, the question is simple: Can minors still access the platform easily? If the answer is yes, authorities tell companies to do more. Over time, “reasonable steps” become more invasive.
Repeated facial scans, escalating ID checks, and long-term logging become the norm. Platforms that collect less data start to look reckless by comparison. Privacy-preserving designs lose out to defensible ones.
This pattern is familiar, including online sales-tax enforcement. After courts settled that large platforms had an obligation to collect and remit sales taxes, companies began continuous tracking and storage of transaction destinations and customer location signals. That tracking is not abusive, but once enforcement requires proof over time, companies build systems to log, retain, and correlate more data. Age verification is moving the same way. What begins as a one-time check becomes an ongoing evidentiary system, with pressure to monitor, retain, and justify user-level data.
Today we’re providing an update on the tools available for developers to meet their age assurance obligations under upcoming U.S. and regional laws, including in Brazil, Australia, Singapore, Utah, and Louisiana. Updates to the Declared Age Range API are now available in beta for testing.
The government of California is implementing a law that requires operating system providers to implement some form of age verification into their account setup procedures.
Here’s where each of the “All Operating Systems must do age verification” laws are as of today.
This has bothered me, because every month that goes by I become more convinced that anonymous authentication the most important topic we could be talking about as cryptographers. This is because I’m very worried that we’re headed into a bit of a privacy dystopia, driven largely by bad legislation and the proliferation of AI.
Neil (Hacker News):
I have yet to see a well-considered proposal.
Worse, the question that they are trying answer is rarely stated clearly and concisely.
And it is unusual to see any consideration of broader sociological issues, let alone an emphasis on this, with a focus instead on perceived “quick win” technosolutionism.
But anyway…
I was pondering last night for which services I, personally, would actually be willing to verify my age or identity.
And… the answer is “none”.
Previously:
- France’s Social Media Ban
- Arizona Age Verification Bill
- UK Age Verification for VPNs
- UK Child Protections and Messaging Backdoor
- Texas Age Verification Suspended
- Australia’s Social Media Ban
- Tim Cook Opposes App Store Age Verification Bill
- iOS Declared Age Range API
1 Comment RSS · Twitter · Mastodon
So does this mean Linux distros will be required to verify age in California? Am I reading this correctly? Or do people at this point just assume that operating systems require online accounts?
I had hoped that this cataclysm of legislation would hurt social networks and lead to more decentralization. But who am I kidding? The vast majority of the population doesn't understand or care about any of this.
I agree completely with the last quote as was thinking essentially the same while reading the post. I think I'll just go back to paper. That alone should suffice as age verification.
