AIO APEX

Online Age Verification Is a Privacy Disaster — and Every Proposed Fix Makes It Worse


The UK's Online Safety Act is now in force. Several US states — Texas, Louisiana, Utah, Virginia — have passed their own age verification laws requiring pornography sites and, in some cases, social media platforms to verify that users are adults before granting access. The EU's Digital Services Act gives regulators new tools to enforce age-appropriate design requirements. Globally, the political momentum behind requiring websites to know who they're serving is stronger than it has been at any point in the internet's history.

The case for age verification is intuitive: children should not have unrestricted access to pornography, violent content, gambling, and social media platforms designed for adults. This is a reasonable position. The problem is that implementing it at any meaningful scale requires either building a national identity verification infrastructure, outsourcing verification to third parties whose incentives and security practices vary enormously, or accepting technical workarounds that provide the appearance of compliance without meaningful protection.

What Age Verification Actually Requires

To verify that someone is over 18, you need to know who they are. That's the core problem. The methods that exist today include: credit card verification (problematic — teens have cards, and this creates transaction records linking identities to content consumption), government ID upload (accurate but generates the most obvious privacy risks — someone now has a copy of your passport or driver's license and knows you visited that site), mobile network operator signals (your carrier already knows your age in many jurisdictions — this is less invasive but requires carrier cooperation and excludes WiFi-only users), and certified third-party age verification services (outsourced to companies like Yoti, AgeID, and Veriff who accumulate verification records across many sites).

The third-party aggregation problem is particularly acute. If every adult content site outsources age verification to the same provider, that provider builds a comprehensive map of which users visited which sites. This is exactly the kind of surveillance infrastructure that GDPR and similar regulations were designed to prevent — now being mandated by different laws in the name of child safety.

The UK Online Safety Act in Practice

Ofcom, the UK's communications regulator, published guidance on age assurance requirements in late 2024. The guidance acknowledges that no single method is perfect and calls for "highly effective" age assurance — without defining that precisely enough to settle which methods qualify. In practice, major pornography platforms have responded by geo-blocking UK IP addresses rather than implementing age verification, which both defeats the purpose (VPNs are trivial to use) and demonstrates the industry's read on compliance cost vs. risk of serving UK users.

Social media is a harder case. The Online Safety Act requires platforms to be safer for children, which has been interpreted to mean age assurance for certain features, algorithmic controls on what children see, and content moderation requirements. But social media platforms don't want to hold verified identity records for their users any more than privacy advocates want them to — the liability exposure from a breach of a database containing verified ages and real identities is enormous. The practical result has been platforms implementing self-declaration systems (you say you're 18, you're 18), which satisfy the letter of compliance requirements and nothing else.

Zero-Knowledge Proofs: The Technical Promise

Computer scientists have known for decades that it's possible to prove a property about yourself — "I am over 18" — without revealing the underlying information that proves it. Zero-knowledge proofs (ZKPs) allow exactly this: a mathematical proof that you hold a credential meeting certain conditions, without disclosing the credential itself. Applied to age verification, you could in principle prove to a website that a government has certified you as an adult without the website learning your name, date of birth, or any identifying information.

Several systems are working toward this in practice. The EU Digital Identity Wallet — part of eIDAS 2.0 — is designed to enable selective disclosure of attributes, meaning you could share "over 18: yes" without sharing your full identity. The UK government's digital identity framework is working toward similar capabilities. Privacy-preserving age verification using ZKPs is technically feasible. The problem is that it requires infrastructure that doesn't yet exist at scale: governments need to issue digital credentials, wallets need to be widely adopted, and relying parties (websites) need to accept the verification.

The Civil Liberties Problem

Even the most privacy-respecting age verification systems share a structural problem: they require the internet to know who is accessing what. The value of anonymous internet access — for whistleblowers, abuse survivors, LGBTQ+ youth in hostile environments, political dissidents, and ordinary people who value privacy as a principle — is not incidental. It's been one of the founding conditions of the open internet.

Age verification requirements don't just affect pornography sites. Once the infrastructure exists — the ID wallets, the verification APIs, the carrier-level authentication — the temptation to extend it to other content categories follows political pressure. Today it's adult content. The laws being written in Texas, the UK, and the EU don't limit themselves to pornography. Louisiana's law covers social media. Utah's social media restrictions were partially struck down on First Amendment grounds in the US, but the legislative trend is toward broader, not narrower, verification requirements.

What Actually Protects Children

The evidence on what actually protects children online is more nuanced than the legislative conversation suggests. Research consistently shows that parental involvement, media literacy education, and platform design choices have more measurable impact on child outcomes than access restriction alone. Parental control software — Circle, Bark, Qustodio — gives families granular tools without requiring national identity infrastructure. Age-appropriate design requirements (requiring platforms to default to safer settings for accounts flagged as under-18) are less invasive and more behaviorally impactful than hard access gates.

None of this means age verification is wrong in principle. There are real harms from children accessing certain content, and platforms have too often abdicated responsibility for their part in enabling it. But the current legislative trajectory — blanket verification requirements with implementation details left to industry or inadequate technical guidance — is building a surveillance infrastructure in the name of child safety that will outlast any particular government's intentions for it. The technology for privacy-preserving age assurance exists. Building the institutional infrastructure to deploy it at scale, and writing laws that require privacy-respecting methods rather than just verification as a checkbox, is the harder and more important work.
