Age Verification Systems Will Be a Personal Identifiable Information Nightmare

During the last few months, lawsuits have challenged new laws in Arkansas, Texas, California, Louisiana, and Utah that require showing government-issued photo ID to verify age when accessing social media websites.^a More than 10 states have passed strict online age verification requirements on certain websites—and while some of the laws are narrowly targeted to pornographic websites, others cast a wider net and include categories such as social media under their umbrella.^b

These new laws attempt to improve online child safety by strictly verifying the age of website visitors. Instead of the old approach—checking a box to indicate you are at least 18 years of age—the laws require that websites use a much more drastic method to verify your age: showing a government-issued photo ID. Some ID-verification services additionally require a “liveness check”: a fresh “selfie” image to confirm a person looks like their ID photo. Although some of the new laws do not specifically mandate ID checking, they all mandate a commercial age verification method “at least as good” as an ID check. The main commercial alternative is to use AI to estimate age based on a selfie image alone,^c but IDs are still required to verify the age for anyone the AI guesses is too young.

While I share these policymakers’ desire to make the Internet a safer place for children, this isn’t the way to do it. This goes way beyond checking age. These laws effectively mandate the collection of an ID—the epitome of Personally Identifiable Information (PII)—from all visitors to these websites. These laws are a disaster for privacy, and create incentives that will only worsen the problem over time. They will be a security disaster, since all that ID information is a gold mine for identity theft. And they will not actually create the online environment we want for children.

Privacy and Security Difficulties

These age-verification proposals create an immediate problem for privacy. In principle, age verification should only communicate a single yes/no bit of information: Do you meet the age requirement, or not? But the new laws go much further than simply verifying age. To meet the new requirements, an individual would have to show their entire ID, which contains a lot more information about a person’s identity than just date of birth.

Proponents of ID-based age verification compare this process to checking an ID at a bar to buy alcohol. But the situation online is quite different from that. When a bartender manually inspects an ID, we forgive this minor privacy violation partly because we deem it unlikely that the bartender is going to write down our name and address, record our activities, and sell the information to others for profit. Even though some bars use digital scanners to verify IDs, many states have laws regulating the purpose, data retention, and consent requirements of that procedure.^d But this attention to privacy is rare online, where data brokering is the norm rather than the exception.

Beyond the privacy issues, these systems also pose a cybersecurity risk. In a world where data breaches and cyberattacks are commonplace, we generally encourage the collection of less, not more, sensitive information. A stored collection of government-issued photo IDs and face biometrics is a glaring target for hackers and identity thieves.

A few factors make the new age-verification laws stand out against the broader landscape of online security and privacy challenges. First, a government-issued photo ID has a sensitivity about it that even usernames and passwords do not. This is a significant expansion in the collection of PII even by today’s privacy-unfriendly standards. Anyone—child or adult—who does not want to show their full identity to access a website would simply be denied access. Second, the new laws are a significant expansion in the information that websites (or a third-party service) are required to collect. Any websites that wish to provide additional privacy and implement their own verification tool will risk opening themselves up to liability, unless they use an established ID-checking tool from the nascent ID verification service industry. And third, that new industry is driven by a profit incentive to deploy ID verification on more websites and collect more data, which will only exacerbate the privacy and cybersecurity issues over time. These laws result in both profit and legal incentives to track the ID information of visitors to any website sensitive enough to warrant age verification—and from social media to pornography, many of these are the exact websites where visitors want extra privacy.

All of these concerns would apply to any online ID collection, even if the goal was full identity verification. But these new laws force us to grapple with the same huge privacy and security issues, when the target goal is much narrower: verifying only age, not identity.

If the new age verification mechanisms catch on, we should require—not merely allow—these systems to be privacy preserving. If something is going to be tracked, we should insist that it is only age, not identity.

Implementation Issues

These age-verification systems will also face practical challenges far beyond simple ID checking. The difficulties with parental consent serve to illustrate why online ID-based age verification is not the solution to helping children its proponents want it to be.

Since today’s “Are you over 18?” checkboxes work perfectly fine to block accidental underage access, it would seem one of the goals of strict ID-based age verification is to block intentional access. But tools already exist that limit intentional access—and in a much more flexible and privacy-respecting way than ID verification. Parental controls on devices, operating systems, networks, and routers already limit access to these websites, and they do so without collecting any IDs at all.

Those tools also provide parents with the freedom to choose their own limits for their children. Some of the laws—especially those age-gating social media—make an exception for minors who have obtained parental consent to access age-restricted websites. But as pointed out in the recent age-verification lawsuits^e parental consent is even more difficult to rigorously verify than age. It involves not only knowing the identity of the child and parent/guardian but also the relationship between them. That problem is not solved by IDs alone, and it has many edge cases due to the many arrangements between parents, guardians, and children.

This need for flexibility is a requirement, not an afterthought. Some of the age verification proposals go well beyond pornography and include social media; some apply to the ambiguous term of “adult content”—a term that to some encompasses sexual education, religious content, violent content, or portrayal of gender non-conformance. Many parents will feel strongly that their children should be able to access some of these sites. So the flexibility of parental consent must be a core consideration—it cannot be an afterthought that renders the whole ID checking system moot.

Where Do We Go from Here?

In many ways, today’s wave of age verification laws is a reminder of the 26-year-old U.S. Supreme Court case Reno v. ACLU, (1997), which found the Communication Decency Act’s methods for “protect[ing] minors from indecent and patently offensive communications on the Internet” to be too broad under the free speech guarantees of the First Amendment. Many of the difficulties discussed in this column were litigated in that case as well, including parental consent, accidental rather than intentional access, and the fuzzy lines around “adult content.” In Reno, the Court concluded that the well-intentioned goals of the law would ultimately restrict and overburden adults’ access to information, imposing upon their free speech.

The new laws pose all the same free speech difficulties—and also bring a new privacy nightmare of widespread ID collection. If we are serious about protecting privacy, then I see three potential paths for age verification.

Path 1: Legal protections. If the current strict ID-based age verification laws are here to stay, we should accompany them with strong legal privacy protections. Moreover, we should ensure this privacy protection applies to any ID usage in general. Every time a website or third-party service collects an ID for any purpose, it should use and share only the single bit representing whether the visitor is over the age limit—using, selling, or sharing any other info from the ID should be prohibited. Age verification, or any ID verification, should not be used as an excuse to collect and broker massive datasets of legal names, addresses, ID numbers, or biometrics. At minimum, policymakers should ensure that digital ID verification adheres to at least the same privacy protections granted to physical ID scanning—and should revisit those policies in light of the modern data-sharing age.

Path 2: Cryptography. Second, we could use cryptography to verify only age from IDs, rather than revealing all identity information to the age verifier. Anonymous credentials allow someone to prove some fact about themselves (such as being at least 18 years old) without revealing their entire identity. The core idea dates back to a 1985 post in Communications by David Chaum.

Since then, many developments have been made to the technical functionality, but these have struggled to reach widespread adoption due to practical key management barriers. Recent research by Rosenberg et al. builds anonymous age verification by storing cryptographic proofs from ID providers on a shared public ledger via the Etherium blockchain.¹ However, significant practical barriers remain, including dealing with the messy details of location and jurisdiction, the interface between traditional IDs and the necessary cryptographic proofs, and the need to utilize a single public ledger that stores many large cryptographic objects. This cryptographic approach would be a definite improvement for privacy and security over raw ID verification, but it will struggle to deal with the flexibility and implementation issues of parental consent I described earlier.

Path 3: Use existing tools. Or, we could leave the question of blocking intentional access to adult content to existing parental controls that are better suited to the job. Websites should continue using existing age-gates to warn users about the contents of the site, preventing accidental access without impacting free speech and privacy. Parental controls and safe searches already provide mechanisms to prevent viewing age-inappropriate content, and do so in a much more flexible and privacy-respecting way than heavy-handed ID verification.

Online ID checking is a privacy and security disaster waiting to happen, and is not a practical approach to age verification. While I continue to look for ways to make the Web a safer place for children, widespread ID collection puts us all at risk—including the very minors these new laws are supposed to protect.

Footnotes

a See lawsuits in Arkansas (https://bit.ly/3US7W9a), Texas (https://bit.ly/3K1El74), California (https://bit.ly/4dCuq5w), Louisiana (https://bit.ly/3wAdiww), and Utah (https://bit.ly/3WYh3H5).
b A list of pending and active state age verification laws is available at https://action.freespeechcoalition.com/age-verification-resources/state-avs-laws/
c For example, Yoti is a provider of this AI-driven service (https://bit.ly/44KgmTA).
d California, Oregon, Arizona, Hawaii, Illinois, Virginia, and Rhode Island all have laws restricting purposes for which businesses may scan ID cards; Texas has the same for electronically-readable information; New Hampshire prohibits most non-governmental scanning with only limited exceptions based upon data display, retention, and sharing; Georgia requires consent for businesses to scan ID cards, and Florida requires businesses to allow customers to request manual scanning. Some general privacy laws may also apply restrictions on ID information, either specifically or in general.
e See https://bit.ly/3JSZrV5
f See https://bit.ly/3y3GGvp