How Offline ID Checks Could Help Solve the Age Verification Head-Scratcher

Legislators around the world are grappling with how to craft effective age verification laws to prevent minors from accessing harmful digital content.

Existing proposals have raised significant concerns relating to privacy, security and efficacy.

But California’s recent legislation offers a new path that — with one key adaptation — could better balance these critical priorities. It contemplates a system in which individuals input their age when setting up new phones, laptops and tablets. Each user’s age is transmitted to the websites and apps they access on that device, enabling these platforms to restrict content accordingly without conducting age verification themselves. However, since users’ ages are self-reported, minors are only one fibbed date-of-birth away from access to adult content.

The solution may be simpler than anyone expected: old-fashioned, in-person ID checks at the point of device purchase. These offline verifications augment California’s privacy-preserving approach by imposing a much stronger barrier for minors while avoiding the trails of sensitive, exploitable data generated when platforms are required to conduct age verification.

The platform-level problem

The majority of age verification proposals operate at the platform level, requiring websites and apps that host age-restricted content to verify each user’s age when they visit the platform.

Canada is currently considering a federal platform-level bill. In the United States, 24 states have already implemented platform-level age verification for websites that host adult content, including Texas, Utah and Florida, with many contemplating the idea of users uploading government ID each time they visit a qualifying site. Overseas, the United Kingdom introduced the Online Safety Act, which requires platforms to verify users’ ages using methods such as facial scans, photo ID and credit card checks. Australia and Brazil have also recently enacted platform-level age verification mandates.

However, this platform-level approach has triggered backlash from human rights advocacy groups for potentially trampling on citizens’ privacy and security rights. Some of the most common methods to verify users’ age can often require sensitive personal data, including government IDs and facial scans. Due to the sheer number of age checks required to implement these laws, platform-level methods would likely necessitate collecting and retaining an enormous amount of the personal data.

If compromised, this data could be weaponized to catastrophic effect. An alarming illustration of this came in October, when Discord confirmed a breach that exposed sensitive user data submitted during age verification. The company said the attack compromised approximately 70,000 users’ ID photos, along with their contact details, billing information and IP addresses.

The data collected under platform-level plans is arguably a bigger target for hackers. By tying verified identities to the consumption of stigmatized content, such as pornography, this approach concentrates highly sensitive information into a single place. That sensitivity increases the value of the data to bad actors, particularly for purposes such as extortion, harassment or reputational harm.

In addition to the risks for citizens’ private data, platform-level frameworks offer dubious benefits. The National Institute of Standards and Technology conducted a study which found that age estimation technology, one of the most highly contemplated AV methods, is less accurate when dealing with teens and young adults — the target demographics for these laws — and has particular difficulty assessing the age of racial minorities.

Platform-level age verification can also be easily circumvented through the use of virtual private networks (VPNs). These tools mask geographic location, allowing minors to access restricted content on websites by appearing to connect from a location that does not have AV laws. Jurisdictions have repeatedly seen massive spikes in searches and downloads of VPNs after age verification laws took effect. One popular provider, Proton VPN, saw a 1,400% surge in sign-ups within minutes of the UK’s Online Safety Actcoming into effect.

Increased reliance on VPNs opens a new can of worms for minors’ digital privacy.

Many free VPNs disguise themselves as privacy tools but, in reality, operate as data-harvesting traps. An investigation into FreeVPN, a service with over 100,000 downloads on the Chrome Web Store, found that it captured unauthorized screenshots to track users’ online activity, exposing their personal data. By pushing minors into less scrutinized and more exploitative corners of the internet, poorly designed age-verification laws can ultimately increase their exposure to online harm — the very outcome they were meant to prevent.

California’s device-level approach

California has taken a different approach, implementing age verification at the device level through the Digital Age Assurance Act. The measure requires operating system providers (OSPs) like Apple and Google to ask users for their date-of-birth when setting up a laptop, phone or tablet. OSPs must attach to the device a cryptographic age signal that communicates the user’s age to apps and websites, which will restrict content access accordingly.

The Digital Age Assurance Act addressesthe privacy and security concerns plaguing platform-side models. By collecting and transmitting only users’ age, it employs the least invasive means necessary to achieve the desired objective. Additionally, the age verification process is centralized among a handful of OSPs already trusted to hold massive amounts of sensitive user information. In comparison to the vast number of unestablished parties collecting any given user’s sensitive data under platform-level proposals, this process significantly mitigates the likelihood and severity of potential data breaches.

Despite the advantages of this device-level model, it has one critical weakness – it relies on the honor system. Users are merely required to type in their date of birth at setup. Inputting a false birthday is an obvious and easy way for motivated minors to circumvent the protections created under the legislation, rendering the model highly ineffective.

A hybrid solution: device signals meet offline verification

Neither a platform-level nor an honor-system, device-level approach can deliver sufficient privacy, security and efficacy simultaneously.

Platform-level models make data breaches practically a certainty in their pursuit of a high-accuracy age verification process, while VPNs further diminish effectiveness and exacerbate privacy concerns. California’s plan overcorrects on privacy and security in a manner that entirely undermines efficacy.

Luckily for lawmakers, the solution is simple: take the best of both worlds.

Governments should enact age verification legislation that does not rely on unsecured digital technology or the honor system, but instead on a trusted, known commodity: manual ID checks. Such a model will require OSPs to have an authorized clerk check each customer’s ID at retail stores and carrier shops when they purchase a new device. The clerk will then attach a signal to the device representing the customer’s age. As in California’s proposal, app stores and websites will restrict content based on each device’s age signal.

This model delivers on the key metrics by avoiding the pitfalls of the previously discussed approaches. It is far more effective at keeping minors out – manual ID checks pose a strong barrier that cannot be circumvented with a VPN or a fake birthday. Crucially, it achieves this without sacrificing the privacy protections of California’s plan. While the model still requires ID review, there is no collection or retention of information beyond the individual’s age, unlike in platform-level set-ups.

Lawmakers will need to fine-tune a few practical details. For example, shared household devices risk either over-restricting adults or under-protecting children, but existing multiple-user profile-technology can solve this challenge: OSPs can enable password-protected profiles for verified adults alongside a default, child-safe profile. In the resale market, devices verified for adult-use could inadvertently be passed to minors. Lawmakers can deter this outcome by imposing penalties for knowingly selling adult-verified devices to minors. Finally, an ideal model should address accessibility for individuals in remote regions or without reliable transportation.

Perfect age verification is likely unattainable. Minors are resourceful and technology evolves. But in taking action toward the worthy goal of protecting children online, lawmakers must balance effectiveness with the inherently intertwined privacy and security considerations – which existing proposals fail to do.

A device-level model with in-store ID checks delivers that balance: real safeguards for kids, without sacrificing the privacy of everyone else.