Monday, March 9, 2026

The Age Verification Trap

Waydell D. Carvalho (Hacker News):

In cases when regulators demand real enforcement rather than symbolic rules, platforms run into a basic technical problem. The only way to prove that someone is old enough to use a site is to collect personal data about who they are. And the only way to prove that you checked is to keep the data indefinitely. Age-restriction laws push platforms toward intrusive verification systems that often directly conflict with modern data-privacy law.

This is the age-verification trap. Strong enforcement of age rules undermines data privacy.

[…]

When disputes reach regulators or courts, the question is simple: Can minors still access the platform easily? If the answer is yes, authorities tell companies to do more. Over time, “reasonable steps” become more invasive.

Repeated facial scans, escalating ID checks, and long-term logging become the norm. Platforms that collect less data start to look reckless by comparison. Privacy-preserving designs lose out to defensible ones.

This pattern is familiar, including online sales-tax enforcement. After courts settled that large platforms had an obligation to collect and remit sales taxes, companies began continuous tracking and storage of transaction destinations and customer location signals. That tracking is not abusive, but once enforcement requires proof over time, companies build systems to log, retain, and correlate more data. Age verification is moving the same way. What begins as a one-time check becomes an ongoing evidentiary system, with pressure to monitor, retain, and justify user-level data.

Apple (MacRumors):

Today we’re providing an update on the tools available for developers to meet their age assurance obligations under upcoming U.S. and regional laws, including in Brazil, Australia, Singapore, Utah, and Louisiana. Updates to the Declared Age Range API are now available in beta for testing.

Andy Edser (Hacker News):

The government of California is implementing a law that requires operating system providers to implement some form of age verification into their account setup procedures.

The Lunduke Journal:

Here’s where each of the “All Operating Systems must do age verification” laws are as of today.

Matthew Green:

This has bothered me, because every month that goes by I become more convinced that anonymous authentication is the most important topic we could be talking about as cryptographers. This is because I’m very worried that we’re headed into a bit of a privacy dystopia, driven largely by bad legislation and the proliferation of AI.

Neil (Hacker News):

I have yet to see a well-considered proposal.

Worse, the question that they are trying to answer is rarely stated clearly and concisely.

And it is unusual to see any consideration of broader sociological issues, let alone an emphasis on this, with a focus instead on perceived “quick win” technosolutionism.

But anyway…

I was pondering last night for which services I, personally, would actually be willing to verify my age or identity.

And… the answer is “none”.

Update (2026-03-17): Barbara Booth (via Nick Heer):

In many implementations, verification vendors — not the websites themselves — process and retain the identity information, returning only a pass-fail signal to the platform.

Gewirtz Little said Socure does not sell verification data and that in lightweight age-estimation scenarios, where platforms use quick facial analysis or other signals rather than government documentation, the company may store little or no information. But in fuller identity-verification contexts, such as gaming and fraud prevention that require ID scans, certain adult verification records may be retained to document compliance. She said Socure can keep some adult verification data for up to three years while following applicable privacy and purging rules.

Civil liberties’ advocates warn that concentrating large volumes of identity data among a small number of verification vendors can create attractive targets for hackers and government demands.

meta-lobbying-and-other-findings (Hacker News):

An open-source intelligence investigation into how Meta Platforms built a multi-channel influence operation to pass age verification laws that shift regulatory burden from social media platforms onto Apple and Google’s app stores.



So does this mean Linux distros will be required to verify age in California? Am I reading this correctly? Or do people at this point just assume that operating systems require online accounts?

I had hoped that this cataclysm of legislation would hurt social networks and lead to more decentralization. But who am I kidding? The vast majority of the population doesn't understand or care about any of this.

I agree completely with the last quote, as I was thinking essentially the same while reading the post. I think I'll just go back to paper. That alone should suffice as age verification.


"The only way to prove that someone is old enough to use a site is to collect personal data about who they are. And the only way to prove that you checked is to keep the data indefinitely."

That's not true. There is a pretty simple, privacy-preserving solution to this. The government issues a digital ID that is stored locally on a user's device. The service asks the digital ID for an age threshold proof. The digital ID responds and provides an anonymous receipt that the service can store.

The problem is that most people live in societies where trust in their governments has degraded to a point where they won't even demand a solution like this (which is intentional; most large corporations profit from mistrust in governments and fund politicians who destroy trust in governments; see, for example, OpenAI executives' donations to Trump).

If governments do attempt to build something like this, they will end up being punished, because the cynics don't trust them anyway, and using the new system is more complex than just using non-privacy-preserving age verification, so the non-cynics will just go with the path of least resistance.


Even doing age verification through things like Apple’s API is still an anti-democratic thing to do to the internet.

Do we really want access to internet services gated first through a government ID and then through a corporate identity system?

I’ve yet to see a cogent explanation of the problem that’s trying to be solved here beyond “won’t someone please think of the children.”

A fair point has been made that if the goal is to protect children then the verification actually needs to go the other way around, not keeping children off adult sites but keeping adults off of services meant for children. That’s where the real problems happen but nobody talks about that.


> That’s where the real problems happen but nobody talks about that.

Sure, keeping adults out of spaces that are supposed to be just for children is important, but it isn't the only problem by any sane definition.

But, if you are contending that that is the only problem, we are never going to find common ground.


And for the record, I'm not defending the specifics of California's law. It being from California, I suspect that I disagree with it a lot, but I'm not up on the specifics.

I'm just saying that there are real problems here and I have little patience for people who just dismiss it out of hand.


I’m not dismissing it out of hand or saying that’s the only problem.

My only point is that I’ve yet to hear a clear articulation of what specific problem age verification means to resolve.

Adult sites that aren’t already illegal have generally been good at self policing and actually policing this, and we prosecute the criminals that don’t care.

I don’t see how a government technocracy identification system is going to result in tangible improvements.


"I don’t see how a government technocracy identification system is going to result in tangible improvements."

You yourself pointed out that it would be helpful for preventing adults from invading spaces meant for children.


> Adult sites that aren’t already illegal have generally been good at self policing and actually policing this, and we prosecute the criminals that don’t care.

This is one of the most hilarious things I've ever heard. Anyone with a browser can access hard core porn easier than I could check out a library book.


@Plume but will it? And how can it without collecting PII from minors?

@gildarts hardcore porn isn't illegal, and the vast majority of obvious places to get it are easily blocked via parental control. At some point personal responsibility has to enter into the equation.

My point is that introducing a blanket mass identification system co-run by a government and one of the largest corporations on Earth just doesn't seem like it has more upsides than downsides.


Not to belabor the point, but we had many comments on the issue a while back with Paris getting locked out of the Apple account and it being extremely disruptive to nearly every aspect of life.

Do we really want to start gating every Internet service behind first a government issued ID, and then a corporate identity system which has proven to be flawed and without real recourse?

I'm not saying that focusing on better ways to protect children from predators and inappropriate online is a bad thing, I just question the efficacy of this solution vs its unintended (or not openly admitted) consequences.


> hardcore porn isn't illegal

It is to serve to minors, and zero porn companies I'm aware of have anything approaching real controls for it.

> ... are easily blocked via parental control

I don't believe you have ever seriously looked at the available parental controls and how reliable they are if that is your opinion.

Sure, you can lock down Apple devices using white lists and such, but it is incredibly hard for non-techies to administer in a way that doesn't break everything. And even if you do that you have to deal with them spontaneously turning themselves off randomly.

I'm at the point that I jumped through the hoops to create an LLC, sign up with Apple Business Manager and an MDM provider to attempt to lock down my children's devices effectively.


>And how can it without collecting PII from minors?

Look at my first comment.

>Do we really want to start gating every Internet service
>behind first a government issued ID

No, but there clearly *are* Internet services where it would make sense to age-gate them. And, tbh, I'm not even thinking about porn. I don't care if kids watch porn; even if we lock down all porn websites, they'll still figure out a way to watch porn, because watching porn is fun, and you don't need the Internet to do it.

> ... are easily blocked via parental control

LOL.


I generally agree that doing some kind of more rigorous age-gating will probably be of limited usefulness, depending on how it's implemented. Kids will probably find a way through it, especially if it's implemented stupidly. But the degree to which young children can -- and apparently do -- access the troubling breadth of popular hardcore porn is very concerning.

Here's a thought: why not implement the age gate using something like Privacy Pass or some other blind signature protocol? Set it up so that any number of authorized third parties can verify someone's age and issue tokens, and then interested websites have no idea who you are just based on the token. All they know is that you're an adult.

Frankly I think the near total silence regarding such a technique speaks volumes: this isn't about protecting children but forcing everyone to associate their real identity with their internet activity, so they can be profiled, monetized and controlled.


@Bri thank you for getting my actual point.

>Frankly I think the near total silence regarding such a technique speaks volumes: this isn't about protecting children but forcing everyone to associate their real identity with their internet activity, so they can be profiled, monetized and controlled.

Well said. No system will be perfect. I'm more concerned about the incentives being misaligned as so often (always, eventually?) happens.
