Age Verification Systems Will Be a Personal Identifiable Information Nightmare[

[bnew]

Age Verification Systems Will Be a Personal Identifiable Information Nightmare – Communications of the ACM

cacm.acm.org

Age Verification Systems Will Be a Personal Identifiable Information Nightmare​

Online ID checking is insecure, bad for privacy, and will not help children.

By Sarah Scheffler

Posted Jun 10 2024

• Share
• Download PDF
• Print
• Join the Discussion
• View in the ACM Digital Library
  
  
• Privacy and Security Difficulties
• Implementation Issues
• Where Do We Go from Here?
• References
• Footnotes

During the last few months, lawsuits have challenged new laws in Arkansas, Texas, California, Louisiana, and Utah that require showing government-issued photo ID to verify age when accessing social media websites. a More than 10 states have passed strict online age verification requirements on certain websites—and while some of the laws are narrowly targeted to pornographic websites, others cast a wider net and include categories such as social media under their umbrella. b

These new laws attempt to improve online child safety by strictly verifying the age of website visitors. Instead of the old approach—checking a box to indicate you are at least 18 years of age—the laws require that websites use a much more drastic method to verify your age: showing a government-issued photo ID. Some ID-verification services additionally require a “liveness check”: a fresh “selfie” image to confirm a person looks like their ID photo. Although some of the new laws do not specifically mandate ID checking, they all mandate a commercial age verification method “at least as good” as an ID check. The main commercial alternative is to use AI to estimate age based on a selfie image alone, c but IDs are still required to verify the age for anyone the AI guesses is too young.

While I share these policymakers’ desire to make the Internet a safer place for children, this isn’t the way to do it. This goes way beyond checking age. These laws effectively mandate the collection of an ID—the epitome of Personally Identifiable Information (PII)—from all visitors to these websites. These laws are a disaster for privacy, and create incentives that will only worsen the problem over time. They will be a security disaster, since all that ID information is a gold mine for identity theft. And they will not actually create the online environment we want for children.

Privacy and Security Difficulties​

These age-verification proposals create an immediate problem for privacy. In principle, age verification should only communicate a single yes/no bit of information: Do you meet the age requirement, or not? But the new laws go much further than simply verifying age. To meet the new requirements, an individual would have to show their entire ID, which contains a lot more information about a person’s identity than just date of birth.

Proponents of ID-based age verification compare this process to checking an ID at a bar to buy alcohol. But the situation online is quite different from that. When a bartender manually inspects an ID, we forgive this minor privacy violation partly because we deem it unlikely that the bartender is going to write down our name and address, record our activities, and sell the information to others for profit. Even though some bars use digital scanners to verify IDs, many states have laws regulating the purpose, data retention, and consent requirements of that procedure. d But this attention to privacy is rare online, where data brokering is the norm rather than the exception.

Beyond the privacy issues, these systems also pose a cybersecurity risk. In a world where data breaches and cyberattacks are commonplace, we generally encourage the collection of less, not more, sensitive information. A stored collection of government-issued photo IDs and face biometrics is a glaring target for hackers and identity thieves.

A few factors make the new age-verification laws stand out against the broader landscape of online security and privacy challenges. First, a government-issued photo ID has a sensitivity about it that even usernames and passwords do not. This is a significant expansion in the collection of PII even by today’s privacy-unfriendly standards. Anyone—child or adult—who does not want to show their full identity to access a website would simply be denied access. Second, the new laws are a significant expansion in the information that websites (or a third-party service) are required to collect. Any websites that wish to provide additional privacy and implement their own verification tool will risk opening themselves up to liability, unless they use an established ID-checking tool from the nascent ID verification service industry. And third, that new industry is driven by a profit incentive to deploy ID verification on more websites and collect more data, which will only exacerbate the privacy and cybersecurity issues over time. These laws result in both profit and legal incentives to track the ID information of visitors to any website sensitive enough to warrant age verification—and from social media to pornography, many of these are the exact websites where visitors want extra privacy.

All of these concerns would apply to any online ID collection, even if the goal was full identity verification. But these new laws force us to grapple with the same huge privacy and security issues, when the target goal is much narrower: verifying only age, not identity.

If the new age verification mechanisms catch on, we should require—not merely allow—these systems to be privacy preserving. If something is going to be tracked, we should insist that it is only age, not identity.

Implementation Issues​

These age-verification systems will also face practical challenges far beyond simple ID checking. The difficulties with parental consent serve to illustrate why online ID-based age verification is not the solution to helping children its proponents want it to be.

Since today’s “Are you over 18?” checkboxes work perfectly fine to block accidental underage access, it would seem one of the goals of strict ID-based age verification is to block intentional access. But tools already exist that limit intentional access—and in a much more flexible and privacy-respecting way than ID verification. Parental controls on devices, operating systems, networks, and routers already limit access to these websites, and they do so without collecting any IDs at all.

Those tools also provide parents with the freedom to choose their own limits for their children. Some of the laws—especially those age-gating social media—make an exception for minors who have obtained parental consent to access age-restricted websites. But as pointed out in the recent age-verification lawsuits e parental consent is even more difficult to rigorously verify than age. It involves not only knowing the identity of the child and parent/guardian but also the relationship between them. That problem is not solved by IDs alone, and it has many edge cases due to the many arrangements between parents, guardians, and children.

This need for flexibility is a requirement, not an afterthought. Some of the age verification proposals go well beyond pornography and include social media; some apply to the ambiguous term of “adult content”—a term that to some encompasses sexual education, religious content, violent content, or portrayal of gender non-conformance. Many parents will feel strongly that their children should be able to access some of these sites. So the flexibility of parental consent must be a core consideration—it cannot be an afterthought that renders the whole ID checking system moot.

Where Do We Go from Here?​

In many ways, today’s wave of age verification laws is a reminder of the 26-year-old U.S. Supreme Court case Reno v. ACLU, (1997), which found the Communication Decency Act’s methods for “protect[ing] minors from indecent and patently offensive communications on the Internet” to be too broad under the free speech guarantees of the First Amendment. Many of the difficulties discussed in this column were litigated in that case as well, including parental consent, accidental rather than intentional access, and the fuzzy lines around “adult content.” In Reno, the Court concluded that the well-intentioned goals of the law would ultimately restrict and overburden adults’ access to information, imposing upon their free speech.

The new laws pose all the same free speech difficulties—and also bring a new privacy nightmare of widespread ID collection. If we are serious about protecting privacy, then I see three potential paths for age verification.

Path 1: Legal protections. If the current strict ID-based age verification laws are here to stay, we should accompany them with strong legal privacy protections. Moreover, we should ensure this privacy protection applies to any ID usage in general. Every time a website or third-party service collects an ID for any purpose, it should use and share only the single bit representing whether the visitor is over the age limit—using, selling, or sharing any other info from the ID should be prohibited. Age verification, or any ID verification, should not be used as an excuse to collect and broker massive datasets of legal names, addresses, ID numbers, or biometrics. At minimum, policymakers should ensure that digital ID verification adheres to at least the same privacy protections granted to physical ID scanning—and should revisit those policies in light of the modern data-sharing age.

Path 2: Cryptography. Second, we could use cryptography to verify only age from IDs, rather than revealing all identity information to the age verifier. Anonymous credentials allow someone to prove some fact about themselves (such as being at least 18 years old) without revealing their entire identity. The core idea dates back to a 1985 post in Communications by David Chaum.

Since then, many developments have been made to the technical functionality, but these have struggled to reach widespread adoption due to practical key management barriers. Recent research by Rosenberg et al. builds anonymous age verification by storing cryptographic proofs from ID providers on a shared public ledger via the Etherium blockchain. 1 However, significant practical barriers remain, including dealing with the messy details of location and jurisdiction, the interface between traditional IDs and the necessary cryptographic proofs, and the need to utilize a single public ledger that stores many large cryptographic objects. This cryptographic approach would be a definite improvement for privacy and security over raw ID verification, but it will struggle to deal with the flexibility and implementation issues of parental consent I described earlier.

Path 3: Use existing tools. Or, we could leave the question of blocking intentional access to adult content to existing parental controls that are better suited to the job. Websites should continue using existing age-gates to warn users about the contents of the site, preventing accidental access without impacting free speech and privacy. Parental controls and safe searches already provide mechanisms to prevent viewing age-inappropriate content, and do so in a much more flexible and privacy-respecting way than heavy-handed ID verification.

Online ID checking is a privacy and security disaster waiting to happen, and is not a practical approach to age verification. While I continue to look for ways to make the Web a safer place for children, widespread ID collection puts us all at risk—including the very minors these new laws are supposed to protect.

 

[bnew]

https://www.washingtonpost.com/technology/2025/08/31/age-verification-uk-porn-sites/

‘Scan your face’ laws for the web are having unexpected consequences​

The age-verification laws rapidly expanding across the United States and United Kingdom are bringing with them some surprising downsides, including bursts of traffic to seedy parts of the web.

August 31, 2025 at 7:05 a.m. EDT Today at 7:05 a.m. EDT

(Washington Post illustration; iStock)

By Drew Harwell

When the United Kingdom began requiring thousands of websites to verify their users’ ages last month, one group saw an enormous burst of traffic: pornography sites ignoring the law.

The sites that complied — by mandating that users show their government IDs or scan their faces through their webcams, so an algorithm could estimate whether they were adults — saw visits from British internet addresses collapse. But some of the biggest porn sites that disregarded the “scan your face” rule entirely have been rewarded with a flood of traffic, a Washington Post analysis found. Some have doubled or even tripled their audiences in August compared with the same time last year.

Federal and state lawmakers in the United States have pushed to enact similar age-verification laws — not just for porn, but for social networks and video sites, too — arguing that protecting children online warrants government-mandated ID or face scans for all users. Sen. Mike Lee (R-Utah) said the technology could help “stop those who profit from stealing the innocence of America’s youth.”

But tech and privacy experts have warned that the laws bring with them some unavoidable downsides, including potentially driving people to seedier corners of the web. John Scott-Railton, a researcher at the Citizen Lab at the University of Toronto who studies surveillance and digital rights, called the U.K. case “a textbook illustration of the law of unintended consequences.”

The law “suppresses traffic to compliant platforms while driving users to sites without age verification,” he said. “The more the government squeezes, the more they reward the very sites that scoff at their rules.”

In the U.S., 25 states have passed laws requiring age verification for adult websites since 2022, according to the Free Speech Coalition, a porn-industry group that has fought the laws in court. A tech-industry effort arguing the laws violate the First Amendment failed in June when the Supreme Court affirmed Texas’s law, which Justice Clarence Thomas said had “only an incidental effect on protected speech.”

Texas’s age-verification law for adult websites withstood a First Amendment challenge by the tech industry, a case in which Supreme Court Justice Clarence Thomas, above, called its effect on protected speech “incidental.” (Jabin Botsford/The Washington Post)

The proponents of “age assurance” laws like the U.K.’s Online Safety Act have likened the idea to requiring people to show their ID before stepping into a nightclub. The checks depend on a small group of private contractors, such as Yoti and Incode, that have developed artificial-intelligence software allowing people to prove their age on porn sites by flashing their driver’s licenses, consenting to a facial age analysis or sharing access to their bank or credit card accounts.

Supporters say such measures are a necessary corrective for a wild web. “Clicking a box that says ‘Yes, I am 18’ is not gonna prevent a 15-year-old boy from going on that website,” Ohio state Rep. Steve Demetriou (R), who proposed a similar law, told a local journalist in March.

But civil liberties advocates have warned that the systems require both children and adults to give sensitive information to scattered websites, exposing them to data breaches or misuse. And leaks already happen all the time: Tea Dating Advice, an app where women anonymously reviewed their dates with men, said last month that a cyberattack had exposed thousands of women’s selfies and driver’s license photos, which the site had requested to assure that its users were women.

Some activists have warned that the “censorship movement” could expand far beyond porn to “wall off huge sections of the internet, with the government as the sole gatekeeper,” as the privacy group Fight for the Future said in an online petition. In the U.K., the music service Spotify, the social networks Bluesky and X, the chat apps Discord and Telegram and the message-board giant Reddit have all begun checking some users’ ages through measures like face scans.

Companies seeking to comply with the law must pay for the age checks, whose costs can quickly climb; an Indiana judge said last year that one porn site, Pornhub, faced potential charges of more than $13 million a day. A Yoti representative said last year the company typically charges between 10 and 25 cents per face.

Those kinds of costs aren’t shouldered just by big tech companies. Red Passion, a volunteer-run message board for fans of the Wrexham soccer club in Wales, said it faced “substantial legal and operational burdens” in complying with the U.K. law “that are disproportionately difficult for small platforms like ours to manage.” Some sites have blocked access to the U.K. entirely.

The face scans themselves can bring their own risks, sometimes misclassifying adults as children and vice versa. One 25-year-old woman with dwarfism told The Post last year that her TikTok account had been banned after the app falsely flagged her as a child. And they can be fooled: On social media, guides have proliferated showing how to trick the systems using the faces of video game characters.

 

[bnew]

“It’s a lot more complex than showing your ID before you enter a pub,” said Aliya Bhatia, a policy analyst at the Center for Democracy and Technology, a Washington think tank that has received some funding from tech companies. She said the U.K.’s law “rests on two false notions: that there’s a silver bullet — an easy, rights-respecting, affordable way to do age verification online — and that users don’t care about their rights and privacy.”

Pornhub’s compliance with age check laws could cost it more than $13 million a day, an Indiana judge said last year. (Leon Neal/Getty Images)

To evaluate the early effectiveness of the law’s rollout, The Post gathered U.K. visitor estimates over the past year for 90 of the largest porn sites as ranked by the market intelligence firm Similarweb. The Post then used a software tool known as a virtual private network, or VPN, to appear online as a U.K. user and check whether the sites verified a visitor’s age.

The analysis found that 14 sites didn’t do an age check, and that all 14 had seen major boosts in their traffic from U.K. users. One explicit site saw its U.K. visitor count double since last August, to more than 350,000 visits this month.

Even the sites attempting to comply with the law showed some odd or awkward results. Several sites showed explicit ads and thumbnail images, or allowed visitors to watch the first few minutes of its videos before prompting for their age.

Many of the sites voiced outrage at the law, linking to an unsigned porn-industry blog post on the “scam of age verification” that said lawmakers should push for better parental controls instead of “mass surveillance and regulatory theater.”

Other sites instructed users how to navigate around the age gate by, for instance, using a special browser called Tor, which was built to browse what’s known as the “dark web.” One site directed British users to sign a petition urging Parliament to repeal the law alongside the comment, “Ur gov is dumb.”

The Post shared its findings with the U.K.’s internet regulator, Ofcom, which declined to comment on individual sites. The agency said late last month that it had launched four investigations into porn companies over whether they had complied with the age-check rule, but only one of the 14 sites identified in The Post’s analysis was named in those cases.

An Ofcom spokesperson said the agency is monitoring daily user numbers for thousands of porn sites and added that certain indicators — including sites that saw huge swells of traffic or that encouraged circumventing the law — would play a role for investigators in deciding which companies to prioritize.

Ofcom representatives have met with officials in the adult-entertainment world — including at a porn-industry conference last year in Los Angeles, called XBIZ — in hopes of boosting compliance. The regulator has warned that it could impose penalties in the tens of millions of dollars on noncompliant sites and, in the most serious cases, forbid advertisers or internet service companies from working with the sites, effectively shutting them down.

The industry, however, remains divided over how well the law will work. Aylo, the owner of Pornhub, said in a statement last month that it believed in Ofcom’s “intent and ability” but that similar laws in other places were failing. Viewers who refuse to verify their age don’t stop looking for adult content, the company said; they just move on to more unmoderated and “irresponsible platforms.”

Some site owners have warned that copycat porn services that are “openly hostile to enforcement” will just mask their operations and multiply so they can sidestep regulatory action. A porn-industry blog post estimated that thousands of “clones” of their sites were already stealing their content and were “soon to be massively rewarded.”

Some sites have also vowed to fight the law in court. The anonymous message boards ***** and Kiwi Farms sued Ofcom in U.S. District Court for D.C. on Wednesday, saying the British regulator’s threats to fine the American companies violated their First Amendment rights to host content from users who declined to share their ages. “American citizens do not surrender our constitutional rights just because Ofcom sends us an e-mail,” Preston Byrne, a lawyer for *****, said in an emailed statement.

An Ofcom spokesperson said any service visited by a significant number of U.K. users must comply with the law, “no matter where in the world it is based.”

Several U.S. states have gone beyond targeting adult-content sites, passing age-check laws for users to access social media. Most of them are being challenged in court and have yet to take effect. The Supreme Court this month declined to block one of the more aggressive laws, in Mississippi, which demands that all social media platforms identify the name and age of any user in the state and get a parent’s permission for anyone younger than 18.

The state argued the law asked only for “efforts of reasonable care based on a platform’s resources,” but it has already led to its own ripple effects. Bluesky said last week it would block access to Mississippi users rather than shoulder the “substantial” age-check costs that “can easily overwhelm smaller providers.” Ashton Pittman, the editor of the Mississippi Free Press, a news outlet that had built a robust audience on Bluesky, wrote in a column that the move had severely undermined its ability to promote its reporting.

More laws could be on their way. Last month, South Dakota and Wyoming began requiring age verification for all websites hosting anything that could be deemed “harmful to minors,” a loose definition that the civil liberties group Electronic Frontier Foundation has warned could include Barnes & Noble and Netflix. Wyoming’s law, the group noted, also says parents can sue any website they think is violating the law, “effectively turning anyone into a potential content cop.”

In the U.K., officials have celebrated their age-gate law’s first weeks of enforcement. But they have also urged people to think twice before looking for a way around the scans, including by using VPNs, which people can use to pretend they’re logging in from another country.

Peter Kyle, a member of Parliament and the British government’s secretary of state for science, innovation and technology, said in a BBC appearance last month that the law represented the “biggest step forward in child safety since the internet was created” and told “everybody who’s out there thinking of using VPNs … let’s just not try and find a way around.”

The message was received — but likely not how he wanted. In the days afterward, VPN apps soared to the top of the country’s app-store download charts.

“The government getting on national TV to warn that VPNs let people slip past age verification,” Scott-Railton said, “might be the slickest free advertising the VPN industry has ever received.”