EFFecting Digital Freedom
Paternalistic Age Verification Mandates Are Out To Get Us
by Daly Barnett
If you've been paying attention to tech news, you know all too well the surge of "Protect the Children" bills that are popping up all over the place. You probably know the type: the Internet is corrupting the minds of the youth, privacy shouldn't extend to everyone because that means bad people too, and the entirety of the Internet should have its sharper edges filed down because kids... blah blah blah.
These types of bills must die before they pass. Sometimes they seek to undermine encryption. Other times the end goal is to restrict the constitutional rights to free expression. Any side effects of outsized negative impacts on marginalized peoples, stifling innovation, and chilling politically dissident expression, are - according to proponents of these terrible bills - necessary for the ultimate goal of "Protecting The Children." The latest promised tech solution for these paternalistic goals is age verification.
Age-validating tech schemes come in a variety of terrible flavors, none of them worth the time it takes to learn about them. Some age verification relies on users uploading a government document alongside a real time snapshot of their face. Another method, called "estimation," tries to guess the user's age based on various biometric data or context clues like a user's direct message speech patterns, subscribed interests, and the like.
The failures of the top vendors offering these services tend to fall along racialized and gendered lines. A NIST study published in 2024 shows that the top age estimation and verification vendors haven't improved in accuracy since they were last surveyed in 2014. They tend to age Black people older than they are and Asian people younger. Unsurprisingly, the greatest level of accuracy is found estimating the ages of White people. (Community Note: I thought race didn't matter? That's the entire mantra of the left...)
The notoriously disingenuous company Thorn (big proponents for the extremely stupid and detrimental Internet legislation FOSTA-SESTA) markets the other type of estimation scheme mentioned above: using context clues. Their claim to accurately guess somebody's age based on the content of their social media messages would be novel and impressive if it were true, but Thorn has a reputation for hyperbole. (Community Note: I think she's referring to the Thorn company, created by Demi Moore and Ashton Kutcher. In an industry known for slime, those are not two people I'd call "disingenuous.")
For a refresher on their history of fudging numbers and profiting off creative bookkeeping procedures, check out Violet Blue's damning Internet article, "Sex, Lies and Surveillance: Something's Wrong with the War on Sex Trafficking." Regardless, their current claim about context-driven age estimation makes some bold and dangerously naive assumptions about the speech and behavior of people based on their age.
Speaking of companies conveniently positioning themselves as providers of the necessary products for bad Internet regulations, Google Chrome is now launching its own take on age verification: the Digital Credential API. Exactly how this will be used by websites is still unclear, but the API is available for testing now, which provides a few helpful data points that services can query about a given user: family name, given names, birth date, portrait, and age over 21.
Do you really think that Chrome - a browser built by an advertising company with such a twisted reputation for invading user privacy and dark patterning consent through shady marketing tactics (ahem, Chrome's so-called "Privacy Sandbox"), that also just so happens to be developed by the same company that makes the most common third-party tracking mechanisms across the entire Internet - can be trusted with such information?
Even if it wasn't such a privacy and security nightmare to essentially have your government-issued ID living inside your browser for any website to look at, do you think, in your hacker heart of hearts, that the system itself would be able to identify every unique user and follow through the mythical security-tight way of verifying their age? How would that be determined? Their IP? The user agent? Some heinous browser fingerprinting correlated across some other context clues? Would each unique installation of a browser on a device assume that it's owned by only one unique person in the world?
The reality is, even if the age verification systems proposed were truly secure and private (they are not, they will not be), the proposition itself is entirely gameable.
Something like 20-odd states have some sort of Digital ID system in place right now. You might worry that the failures of these technologies described above would create the necessary conditions for a federal mandate on Digital ID, which would then feed into whatever age verification rule is blanketed over the Internet. Don't be surprised if this becomes the next argument in this slapstick routine of garbage Internet bills.
Besides the fact that such a national digital ID system would further oppress undocumented people, people living in poverty, people who've navigated name changes, and more, it's a naive assumption that the Internet is constructed in a way that could support such sensitive information in a secure manner. The Internet is a shambling horde of duct tape and scar tissue. Relics of antique vulnerabilities long since patched live on in bizarre HTTP headers. Automatic code updates can cripple entire industries. Vulnerabilities continue to be found in the stupidest of places. Assuming that the browser is a safe place to store such sensitive personally identifiable information, even with whatever theoretically compelling triangulation of verification schemes they try to sell us on, is a foolish idea. And if you're buying it, we've got news: there's a pool on the roof, and all your friends are waiting for you.
So, what can you do?
It's important that you let your local politicians know that this won't fly. Proponents of these bills are counting on the idea that people are too ignorant of how the Internet truly works to oppose them. Head to act.eff.org to see all the bills EFF is fighting against (or in some cases, even pushing for). And if engaging with politicians isn't your thing, that's fine, we'll do it for you.
Our donation page is also at eff.org/no.