Age verification is a mess but we do it anyway

Within a few years, age verification has gone from being an idea to standard practice on large parts of the Internet. Striving to prevent children from accessing pornography, other inappropriate content, or social media altogether, Laws requiring age restrictions It quickly spread around the world, reaching the United Kingdom, the United States, Australia, France, Brazil and many other countries. The problem is how to verify that the user is not lying about his stated age. Unfortunately, every method that politicians have settled on has major flaws – and although experts have ideas for improving them, these remain just concepts for now.

One popular method is age inference, which uses artificial intelligence to “guess” the age of users based on their activity on a particular platform. Another is third-party services that promise to prioritize user privacy. The third reason is that app stores and operating systems perform age checks before users can download apps. But each of these approaches comes with significant trade-offs, even under new rules that force platforms to deploy them widely. It’s 2026, and we live on an increasingly age-restricted, but technology-appropriate internet Still Not there.

It begins by inferring age

Before intimidating users by asking for an ID or facial scan, many platforms try to guess their age using data already on file. Meta, for example, uses an AI-based system to identify and locate locations teens on Instagram to more restricted accounts. Google and YouTube It also started scanning accounts for users suspected of being under 18, while Discord does just that It plans to roll out the system later this year.

Inference systems look at a variety of signals. One simple reason is account age – if you joined Instagram before 18, for example, you’re likely over 18. Others are more speculative. YouTube uses artificial intelligence to analyze the types of videos you searched for. Sedition He said It will use device and activity data, along with “high-level aggregated patterns across Discord communities,” while Instagram may flag an account if someone wishes it “Happy 14th Birthday” in a post.

Ideally, the upside of inference is that no one has to provide additional data. He has disagreement He said most users will not be affected By subtracting the incoming age verification due to the AI ​​age guessing system. “You don’t need to know a person’s identity to know their age, which is why, in theory, age inference techniques could be less invasive of privacy,” says Coupon Zweifel Keegan, managing director at the International Association of Privacy Professionals. Edge.

But age inference alone often cannot reliably predict someone’s age, and may not meet standards set by government regulators. When the system is unsure of someone’s age – or falsely declares them to be a minor – users are asked to disclose personal data about themselves anyway.

To verify that someone is at least 18 years old, an age identification system typically needs to collect revealing details about them, and this raises a whole new set of privacy trade-offs. For example, government-issued photo ID is a very accurate indicator of age but could cause serious issues if it were exposed in a data breach, which has happened. numerous times. Third-party vendors like k-ID, Persona, and Yoti can save each company the need to run their own system and allow them to offload some of the risk. For users, there is still a fundamental security issue that these services are trying to mitigate, but have not solved.

Scanning a user’s face and automatically determining their age has become a popular alternative to photo IDs. It does not require collecting a legal document, and can even be done On the user’s deviceso no identifying information is stored somewhere that might leak out.

Unfortunately, as I noticed By the Electronic Frontier FoundationFace-based age estimation remains often inaccurate — especially for people of color and women — and He has been deceived With a variety of methods, including using the face of a video game character, e.g Stranded deathSam Porter Bridges. If facial scans are leaked virtually, it’s possible that powerful third-party facial recognition tools will be able to identify people through those tools as well.

Meanwhile, on-device verification — while touted as more private than sending information to a server for analysis — faces its own set of problems. Server-side authentication is often preferred because it’s easier to create vulnerabilities in on-device systems, says Rick Song, CEO of Persona. Bypassing on-device systems “is relatively easy, which is why everything is starting to move toward servers,” Song says, despite the fact that it will be cheaper for companies like Persona to run on-device systems. “If we could get it to work effectively on a phone, I would do it in a heartbeat, but that’s not possible at the moment.”

Another drawback of on-device verification — at least from Song’s perspective — is that older phones may not be powerful enough to run the AI ​​models used to analyze a user’s face. “A large percentage of the world is still using older Android devices, and a large percentage of the world is still using pre-iPhone 10 devices,” Song adds. “Their devices can’t even run the model, so you get this bifurcation where only people with newer devices get more privacy, and people without them don’t.” These people will still need to upload an ID, with all the security risks that entails.

Put the device makers on the spot

Increasingly, law and policymakers have settled on a seemingly elegant solution to age classification: just make app stores do it. Under these proposals, app store owners would be obliged to verify the age of users before they can download or purchase apps. The idea is backed by technology companies including Meta, Spotify, Match, and Garminwho argue that having a single point of age verification is more efficient than verifying ages on a platform-by-platform basis.

Proponents of these rules typically focus on Apple’s iOS App Store and Google’s Android Play Store, but other operating systems are getting into the mix, too — and that’s where things get especially complicated. Under the jurisdiction of California Digital Age Security ActFor example, operating systems such as Windows, macOS, and Linux must ask users for their dates of birth when they set up a device starting in 2027. The operating system is then supposed to pass a “flag” containing the user’s age range to apps offered within the system’s app store.

This puts open source operating systems, such as various versions of Linux, in a precarious position, as most of them currently do not force users to create an account that can store and pass the user’s age. Developers Battling behind popular Linux distributions With new requirements. GrapheneOS, a privacy-focused version of Android, has drawn a line in the sand: it Age verification will not be enforcedAnd if its devices “can’t be sold in a region due to its regulations, so be it.” Furthermore, it’s not clear whether App Store-level age verification laws apply to Linux repositories, such as APT or Pacman.

The fractured landscape of age verification laws isn’t easy for tech companies to navigate, either. Like California’s age verification law, Texas and Louisiana have enacted legislation to institute age verification processes at the app store level. Other countries, though, e.g Tennessee, Floridaand Virginiathey go after the platforms themselves. Both approaches struggle to withstand constitutional scrutiny, with no laws regarding either Get on the side Blocked by Federal courts.

“It is not difficult for companies to estimate or verify ages using different techniques,” says Zweifel Keegan. “They have all kinds of different tools, but it’s hard for the (U.S.) government to require that. And once the government starts saying you have to do it, it actually starts coming under First Amendment scrutiny. So far, we haven’t seen that hold up particularly well.”

With a confusing global patchwork of rules, some online platforms, such as Discord and… RobloxThey’ve introduced verification even when they’re not asked to – and with it, many technical trade-offs.

Isn’t there a better way?

Amid all this, privacy experts are working in the background to develop a way to limit data collection. One option is zero-knowledge proof (ZKP), an encryption method that proves someone is over 18 without revealing personal details to a third party, as described By the French Data Privacy Agency in 2022. under This proposed systemthe government agency responsible for issuing someone’s ID will give users proof of age indicating whether they are over or under 18, rather than requiring them to disclose their full date of birth or other personal information directly to a website or third party. Users can then store this proof of age within a digital wallet or other trusted service, allowing them to submit it to websites or app stores with verification requirements. Google is one of the companies Support the development of this technologyAlthough it is not without flaws.

like The researchers at Brave notedmany systems implementing ZKP “may not actually provide zero knowledge” if set up incorrectly. These systems may also erode privacy if a user is asked to prove they are an adult multiple times, especially if the service requires information about their age group. “For example, a user who first verified that he was between 20 and 22 years old, and then two months later verified that he was over 21, had actually revealed a narrow interval of his exact date of birth,” Brave Research says.

The European Union, which is developing specifications for an open source age verification app, lists ZKP as an “experimental” feature that it will add later. The application that says European Commission President Ursula von der Leyen “Technically ready” Users will be asked to upload their files ID card, passport, or age verification through the bank or school. Once the app verifies their age using a “trusted list” of EU-registered age verification providers, the app creates proof of age that does not contain “any identifying information to track the user.” Users can then use the app’s proof of age to access age-restricted platforms.

Future of Privacy Forum He also highlighted other options, such as a system that could perform an initial age check using an ID card or facial scan, and then use it to generate a “hard, irreversible encryption key” that could be made available elsewhere. Daniel Hales, a policy advisor at the Popular Front for Liberation, says: Edge This method can be paired with other age verification solutions, including reusable credentials stored on the browser or device. “This can reduce the amount of age verifications, but it can also mitigate the risk of devices or certain credentials for one person being shared between multiple people,” Hills says.

But these methods are still just concepts. For now, Hills says it’s important for companies and lawmakers to think through “the balancing act between privacy and safety.” It’s a problem that no policy or age verification provider has fixed yet, and it’s putting all of us at risk while they figure it out.