SUMMARY
- In March, 405 cybersecurity and privacy experts from 30 countries signed an open letter warning about how mandating age verification could break the internet’s security model.
- Countries across the world and many states in America have pushed for mandatory age verification at the device, app, or website level.
- Free speech groups have argued that age verification sacrifices one’s age and puts sensitive data a risk and even makes it easier to track dissenting voices.
- An increasing number of data leaks from age verification systems have exposed users’ private information to be exploited by malicious actors.
- While there are some methods – like zero-knowledge proofs – that have the potential to verify age without undermining anonymity, these have not been mandated in any of the major policies in the US or around the world.
Governments across the globe have moved to mandate face-scanning or identity document scanning as a precondition for accessing the internet. Advocates for age verification believe that verifying a user’s age is vital to protect children from harmful online content and the negative consequences of social media platforms.
The Foundation for Freedom Online previously documented the global and domestic push for digital IDs via age verification.
However, cybersecurity and privacy experts believe that the proposals for age verification go far beyond comparable offline age verification such as checking ID to obtain alcohol or to enter a casino.
“We observe with great concern that the introduction of age assurance threatens to eliminate all these benefits without any guarantee that such a measure would be the solution to the harms that worry us all, while at the same time establishing an infrastructure that could be exploited to ban access to Internet services for reasons unrelated to safety,” the hundreds of security and privacy scientists and researchers wrote.
The experts wrote:
- Proposed age verification checks can often be bypassed or defeated by virtual private networks (VPNs), bought or borrowed credentials, or even props or AI tools such as deepfakes or AI-generated profiles.
- Age estimation and age inference to verify one’s age is highly privacy-invasive, which would require processing of sensitive, private data, including biometrics, use of language, and other data. More so, they note that age verification service usually rely on AI-based inferences, which often fail.
- Data collected by verification services can often be abused or exposed by data breaches, such as the infamous breach that led to 70,000 users to have their government IDs exposed attempting to start an age verification service on Discord.
- Enforcing age verification would have down-order effects of combatting the use of VPNs, which many use to protect user privacy and security.
“At the heart of the issue is there is fundamentally no tool that can verify a user’s age without inherently violating a user’s privacy. Any accurate models require extremely invasive measures like biometrics or government IDs—and the IDs are something that even social media companies are hesitant to request because of the ID gap in which 15 million Americans lack any identification,” Catherina Giono writes for Fortune Magazine.
Some disagree with this opinion, pointing to zero-knowledge proof (ZKP) as a method for verifying age without revealing a person’s identity. In a ZKP system, a secure verifier grants a user a unique anonymous token after confirming their age, allowing the user to provide proof of age to other parties (such as websites, app stores, and operating systems) without revealing anything else about their identity.
However, even ZKP systems require users to trust at least one party (the verifier) with their identity, with privacy-minded parties including the Brave browser and the Electronic Frontier Foundation (EFF) critiquing their limitations. “What ZKPs don’t do is mitigate verifier abuse or limit their requests, such as over-asking for information they don’t need or limiting the number of times they request your age over time,” writes EFF.
