438 Experts Said Age Verification Is Dangerous. Legislators Are Moving Forward With It Anyway.
In early March, 438 security and privacy researchers from 32 countries signed a massive open letter warning that age verification mandates for the internet are technically impossible to get right, easy to circumvent, a serious threat to privacy and security, and likely to cause more harm than good. While many folks (including us at Techdirt) have been calling out similar problems with age verification, this was basically a ton of experts all teaming up to call out how dangerous the technology is - by any reasonable measure, a hugely significant collective statement from the scientific community on an active area of internet regulation.
It got about a day of press coverage, and then legislators everywhere went right back to doing the thing the scientists just told them was dangerous.
Since the letter was published, Idaho signed a law mandating parental consent and age verification for social media. Missouri moved forward with age verification measures for minors using social media and AI chatbots. Greece announced plans to ban teens from social media entirely. At least half of US states have now passed some form of age verification or digital ID law with many others considering similar laws. The European Union continues to push age assurance requirements through various regulatory channels. Australia is trying to get other countries on board with its own social media ban for kids. All of this, proceeding as though hundreds of the world's foremost experts on security and privacy had said nothing at all.
We've been writing about the serious problems with age verification mandates for years now. The arguments haven't changed, because the underlying technical realities haven't changed. But this letter deserves far more attention than it received because of how thoroughly it tears apart every assumption that age verification proponents rely on.
The letter starts by acknowledging what should be obvious: the signatories share the concerns about kids encountering harmful content online. This matters, because the go-to response to any criticism of age verification is to accuse critics of not caring about children. These are hundreds of scientists saying: we care, we've studied this, and what you're proposing will make things worse.
We share the concerns about the negative effects that exposure to harmful content online has on children, and we applaud that regulators dedicate time and effort to protect them. However, we fear that, if implemented without careful consideration of the technological hazards and societal impact, the new regulation might cause more harm than good.
Some will argue that this is meaningless without a proposed fix" to the problems facing children online, but that's nonsense. As these experts argue, the focus on age verification and age gating will make things worse. It's the classic we must do something, this is something, therefore we must do this" fallacy dressed up as child protection.
The fact that child safety problems are specific and complex is exactly why simplistic bans and age-gating cause so much damage. And it's a genuine indictment of our current discourse that refusing to embrace a non-solution somehow gets read as not caring about the problem itself.
From there, the letter walks through the actual problems with these commonly proposed solutions in a level of detail that should be mandatory reading for any legislator voting on these laws. (It almost certainly won't be, but we can dream.)
First, the biggest problem: these systems are ridiculously easy to circumvent. This point gets hand-waved away constantly by politicians who seem to think that because something sounds like it should work, it must. The scientists have a different view, grounded in actual evidence from actual deployments:
There is ample evidence from existing deployments that lying about age is not hard. It can be as easy as using age-verified accounts borrowed from an elder sibling or friend. In fact, there are reported cases of parents helping their children with age circumvention. There is evidence that, shortly after age-based controls appear, markets and services that sell valid accounts or credentials quickly arise. This enables the use of online services deploying age assurance at an affordable price or even for free. This is the case even if the verification is based on government-issued certificates, as shown by the ease with which fake vaccination certificates could be acquired during the COVID pandemic
We just recently talked about the evidence in Australia showing that a huge percentage of kids have simply learned how to get around age gates. Australia's biggest accomplishment: teaching kids how to cheat the system.
The letter makes a point that almost never appears in the legislative debates: The threat model for age verification is fundamentally broken because the people building these systems assume the only adversary is a teenager. But since every adult internet user will also be subjected to these checks, and many adults will not want to submit to this kind of surveillance, we're going to be creating huge incentives for adults to get around these age checks as well, meaning that new industries (some likely to be pretty sketchy) will arise to help people of all ages avoid this kind of surveillance. And that, alone, will make it easier for everyone (kids and adults) to bypass age gates (though in a way that will likely make many people less safe overall):
As its main goal is to restrict the activities of children, it is common to believe that the only adversary is minors trying to bypass age verification. Yet, age verification mechanisms also apply to adults that will have to prove their age in many of their routine online interactions, to access services or to keep them away from children-specific web spaces. As these checks will jeopardize their online experience, adults will have incentives to create means to bypass them both for their own use or to monetize the bypass. Thus, it is foreseeable that an increase in the deployment of age assurance will result in growing availability of circumvention mechanisms, reducing its effectiveness.
The circumvention problem alone should be enough to give legislators pause. But the letter goes further, addressing what happens to people who can't circumvent the systems, or who try to and end up worse off.
One of the strongest sections addresses the perverse safety consequences. Deplatforming minors from mainstream services doesn't make them stop using the internet. It pushes them toward less regulated, less secure alternatives where the risks are dramatically higher, and where these services care less about actually taking steps to protect kids:
If minors or adults are deplatformed via age-related bans, they are likely to migrate to find similar services. Since the main platforms would all be regulated, it is likely that they would migrate to fringe sites that escape regulation. This would not only negate any benefit of the age-based controls but also expose users to other dangers, such as scams or malware that are monitored in mainstream platforms but exist on smaller providers. Even if users do not move platforms, attempting circumvention to access mainstream services from a jurisdiction that does not mandate age assurance might also increase their risk. For example, free VPN providers might not follow secure practices or might monetize users' data (especially non-EU providers that are not subject to data protection obligations), and websites accessed in other jurisdictions through VPNs would not provide the user with the data protection standards and rights which are guaranteed in the EU.
And as we keep explaining: age verification makes adults think they've made the internet safe," which creates all sorts of downstream problems - including failing to teach young people how to navigate the internet safely, while doing nothing to address the actual threats. As the letter notes, it creates a false sense of security:
The promise of children-specific services that serve as safe spaces is unrealizable with current technology. This means that children might become exposed to predators who infiltrate these spaces, either via circumvention or acquisition of false credentials that allow them to pose as minors in a verifiable way.
So the system designed to protect the children" could end up creating verified hunting grounds for predators, while simultaneously pushing kids who get locked out of mainstream platforms toward sketchy fringe sites.
Some child safety measure.
The privacy concerns are equally serious. Age verification mandates give online services a justification - indeed, a legal requirement - to collect far more personal data than they currently do. The letter notes that age estimation and age inference technologies are highly privacy-invasive" and rely on the collection and processing of sensitive, private data such as biometrics, or behavioural or contextual information."
And this data will leak. It always does. The letter points to a concrete example: 70,000 users had their government ID photos exposed after appealing age assessment errors on Discord. That's what happens when you force the creation of massive centralized databases of sensitive identity information. You create targets.
The most alarming part of the letter is the one that gets the least discussion: centralization of power. The scientists warn, bluntly, that age verification infrastructure doubles as censorship infrastructure:
Those deciding which age-based controls need to exist, and those enforcing them gain a tremendous influence on what content is accessible to whom on the internet. Recall that age assurance checks might go well beyond what is regulated in the offline world and set up an infrastructure to enforce arbitrary attribute-based policies online. In the wrong hands, such as an authoritarian government, this influence could be used to censor information and prevent users from accessing services, for example, preventing access to LGBTQ+ content. Centralizing access to the internet easily leads to internet shutdowns, as seen recently in Iran. If enforcement happens at the browser or operating system level, the manufacturers of this software would gain even more control to make decisions on what content is accessible on the Internet. This would enable primarily big American companies to control European citizens' access to the internet.
This should be the part that makes everyone uncomfortable, regardless of their political orientation.
This brings us to what is already happening to real people right now.
A recent article in The Verge details how age verification systems are creating serious, specific harms for trans internet users. Kansas passed a law invalidating trans people's driver's licenses and IDs overnight, requiring them to obtain new IDs with incorrect gender markers. Combine that with age verification laws requiring digital identity checks, and you get exactly the kind of discriminatory exclusion the scientists warned about:
These systems are specifically designed to look for discrepancies, and they're going to find them," said Kayyali. If you are a woman and anyone on the street would say that's a woman,' but that's not what your ID says, that's a discrepancy." The danger of these discrepancies extends not just to trans people, but to anyone else whose appearance doesn't match normative gendered expectations.
A lot of age estimation systems are built on a combination of anthropological sex markers and skin texture. This means they fall over and provide inaccurate results when faced with people whose markers and skin texture, well, don't match," explains Keyes. For example, one of the most prominent markers algorithms measure to determine sex is the brow ridge. Suppose you have a trans man on HRT and a trans woman on HRT, the former with low brow ridges and rougher skin, the latter with high ridges and softer skin," Keyes explains. The former is likely to have their age overestimated; the latter, underestimated."
So you have biometric systems that are specifically designed to flag discrepancies between someone's appearance and their identity documents. And you have a government that is deliberately creating discrepancies in trans people's identity documents. The result is predictable and ugly: trans people get locked out, flagged, forced to out themselves, or simply blocked from accessing services that everyone else uses freely.
Most of these verification systems are black boxes with no meaningful appeal process. The laws themselves are written with deliberately vague language requiring platforms to verify age through a commercially available database" or any other commercially reasonable method," with nothing about transparency, accuracy, or redress for people who get wrongly flagged or excluded.
And in many of these laws, the definitions of content harmful to children" are flexible enough to encompass LGBTQ+ communities, information about birth control, and whatever else a given administration decides it doesn't like. As one of Techdirt's favorite technology and speech lawyers, Kendra Albert, noted to The Verge:
I think it's fair to say that if you look at the history of obscenity in the US and what's considered explicit material, stuff with queer and trans material is much more likely to be considered sexually explicit even though it's not. You may be in a circumstance where sites with more content about queer and trans people are more likely to face repercussions for not implementing appropriate age-gating or being tagged as explicit."
So to summarize: the age verification infrastructure being built across the world (1) doesn't actually work to keep kids from accessing content, (2) pushes kids toward less safe alternatives, (3) creates verified safe spaces" that predators can infiltrate, (4) forces massive collection of sensitive personal data that will inevitably leak, (5) creates infrastructure purpose-built for censorship and authoritarian control, (6) systematically discriminates against trans people, people of color, the elderly, immigrants, and anyone whose appearance doesn't match neat bureaucratic categories, (7) concentrates enormous power over internet access in the hands of governments and a handful of tech companies, and (8) lacks any scientific evidence that it will actually improve children's mental health or safety.
Seems like a problem.
And 438 scientists from 32 countries put their names on a letter saying so. The letter closes with this:
We believe that it is dangerous and socially unacceptable to introduce a large-scale access control mechanism without a clear understanding of the implications that different design decisions can have on security, privacy, equality, and ultimately on the freedom of decision and autonomy of individuals and nations.
Dangerous and socially unacceptable." That isn't just me being dramatic. That's the considered, collective judgment of hundreds of researchers whose professional expertise is specifically in the systems being deployed.
Meanwhile, the laws keep passing. Nobody seems to have bothered asking the scientists. Or, more accurately, the scientists volunteered their expertise in the most public way possible, and everyone in a position to act on it decided that the political appeal of protecting the children" was more important than whether the proposed method of protection actually protects children, or whether it creates a sprawling new infrastructure for surveillance, discrimination, and censorship that will be almost impossible to dismantle once it's built.
The scientists' letter called for studying the benefits and harms of age verification before mandating it at internet scale. That seems like a comically low bar. Maybe understand whether this works before requiring it everywhere" shouldn't be a controversial position. And yet here we are, with legislators around the world charging ahead, building systems that security experts have told them are broken, in pursuit of goals that the evidence says these systems can't achieve, at a cost to privacy, security, equality, and freedom that nobody in a position of power seems interested in calculating.