The effort to ensure online child safety is pushing platforms to use a limited range of intrusive age verification methods. In just a few years, age verification has become standard practice online. To keep children away from pornography, other inappropriate content, or social media, age-gating laws have spread rapidly around the world, including in the UK, US, Australia, France, and Brazil. The challenge lies in accurately verifying a user’s age: current solutions have major flaws, and the improvements experts have proposed have not yet been implemented.
Popular methods include AI-based age inference from user activity, third-party services that promise to put privacy first, and age checks by app stores before downloads. However, each comes with significant drawbacks as platforms scale these methods across the web. Age inference systems aim to avoid asking for IDs or face scans by using existing data. For instance, Meta uses AI on Instagram to put teens in stricter settings. Google and YouTube scan accounts for suspected minors, while Discord plans to deploy its system soon.
Inference assesses signals such as account age and user engagement patterns. Discord will use device and activity data, while Instagram might flag an account with a post wishing a “Happy 14th birthday.” Ideally, this allows platforms to avoid collecting extra data. Discord claims its impending age verification won’t impact most users due to its age-guessing AI. However, age inference alone can’t reliably predict age and might not satisfy government standards, which would require users to provide personal data for verification.
Age-gating systems often require revealing user information, which raises privacy concerns. Using government-issued IDs, although accurate, poses severe risks if leaked in data breaches. Third-party vendors like k-ID, Persona, and Yoti offer alternative solutions, but still grapple with fundamental security issues. Face scanning for age estimation is popular but often inaccurate and raises privacy risks if leaks happen.
On-device verification, while more private, has vulnerabilities. Rick Song, Persona CEO, argues server-side verification is preferred due to on-device system weaknesses. Many older devices can’t run the AI models for facial analysis, leading to privacy disparities. Users with older devices might need to provide an ID for verification.
Some propose app stores handle age verification to streamline the process. Backed by companies like Meta, Spotify, and Match, this approach faces challenges across different operating systems. Open-source systems like Linux are struggling with new requirements. GrapheneOS, a privacy-focused Android version, refuses to mandate age verification, risking sales in regions with such regulations.
The varied global legal landscape complicates age verification further. Some states legislate app store-level checks, while others target platforms directly. These laws face constitutional scrutiny, with courts blocking some of them.
The confusion has prompted platforms like Discord and Roblox to introduce voluntary verification systems, which bring their own compromises. Amid this complexity, experts are exploring methods to limit data collection. Zero-knowledge proofs (ZKPs) offer a way to verify age without revealing personal information, supported by demonstrations from France’s data privacy agency. Users would present a proof of age derived from their government ID to gain access, reducing direct data disclosure.
Google and other companies are backing ZKP development, though it has potential pitfalls. Misconfigured systems may compromise privacy, and frequent age verifications could inadvertently narrow down a user’s birthdate. Despite EU efforts on age verification apps with ZKP as an experimental feature, broader implementation challenges persist.
The Future of Privacy Forum suggests alternatives like using cryptographic keys linked to initial age verifications to reduce repeated checks. This method could align with reusable credentials on devices, minimizing age verification repetitions and associated risks. But these solutions remain undeveloped concepts, leaving companies and lawmakers navigating the delicate balance of privacy and safety. No definitive policy or age verification provider has succeeded yet, leaving users vulnerable.
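The birthdate-narrowing pitfall and the reusable-credential idea described above, as an added example that is not from the article or from any vendor's system. Each threshold check is modeled as one disclosed yes/no bit; the sample birthdate, the check dates, and the assumption that a reused credential discloses only its original result are constructed for illustration.

```python
from datetime import date, timedelta

def years_before(d, n):
    """Latest birthdate that is at least n years old on date d."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:  # d is 29 Feb and the target year has no leap day
        return d.replace(year=d.year - n, day=28)

def passes(birthdate, check_date, threshold):
    """The single bit a threshold proof discloses: age >= threshold on check_date."""
    return birthdate <= years_before(check_date, threshold)

def birthdate_bounds(observations):
    """Intersect the constraints implied by (check_date, threshold, passed) tuples."""
    earliest, latest = None, None  # None means unbounded on that side
    for check_date, threshold, passed in observations:
        cutoff = years_before(check_date, threshold)
        if passed:  # born on or before the cutoff
            latest = cutoff if latest is None else min(latest, cutoff)
        else:       # born after the cutoff
            lo = cutoff + timedelta(days=1)
            earliest = lo if earliest is None else max(earliest, lo)
    return earliest, latest

def window_days(bounds):
    """Size of the feasible birthdate window, or None if it is still open-ended."""
    earliest, latest = bounds
    if earliest is None or latest is None:
        return None
    return (latest - earliest).days + 1

# Constructed sample: one user, four checks seen by the same verifier.
BIRTHDATE = date(2008, 3, 15)
CHECKS = [(date(2025, 1, 10), 16), (date(2025, 1, 10), 18),
          (date(2026, 3, 10), 18), (date(2026, 3, 20), 18)]

# Fresh proof per check: every answer adds a new constraint.
FRESH = [(d, t, passes(BIRTHDATE, d, t)) for d, t in CHECKS]

# Assumption: a reusable credential re-presents only its original 18+ result.
REUSED = [(date(2026, 3, 20), 18, True)] * len(CHECKS)

if __name__ == "__main__":
    print("fresh proofs :", birthdate_bounds(FRESH), window_days(FRESH and birthdate_bounds(FRESH)))
    print("reused cred. :", birthdate_bounds(REUSED), window_days(birthdate_bounds(REUSED)))
```

With fresh proofs, the failed check on 10 March and the passed check on 20 March bracket the birthdate to a ten-day window, while the reused credential leaves the lower bound open.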
