Age verification and the new internet

Ofcom's January 2025 guidance defines "highly effective age assurance" through four criteria: technically accurate, robust, reliable, and fair. Methods judged to meet the standard include photo-ID matching, facial age estimation (with caveats), digital identity wallets, credit-card checks, mobile-network-operator age checks, and email-based age estimation. Self-declaration does not qualify. Parental confirmation does not qualify unless paired with a verification step. The guidance is the most operationally specific in any jurisdiction and is already being copied. It also illustrates the regulatory move from outcome-based to method-based regulation: a sign that the abstract approach (UK Act's "highly effective") did not produce sufficient action and the regulator has had to specify. Parents who want to understand what age verification will look like in their own jurisdiction five years from now should read Ofcom's guidance. It is the template.

Services that verify users via uploaded passports or licences must either store those documents (creating a breach target) or pass them through a third-party verifier that stores them (relocating the breach target). The Australian government's 2024 round of age-assurance trials specifically tested whether providers could "verify and forget" — perform the check, return the token, delete the underlying document. Most could. Whether they will, under cost pressure and law-enforcement requests, is a separate question. The MGM Resorts breach, the Optus breach, the AT&T breach, the National Public Data breach: identity-document repositories have been catastrophic targets for two decades. Concentrating more of them in age-verification providers without regulating data retention is a predictable error. The 1,000-page manual treats data-minimization mandates as inseparable from age-verification mandates. Most legislatures have not yet caught up.

Facial age estimation systems trained predominantly on lighter-skinned faces produce larger errors for darker-skinned faces and for women. The 2024 NIST FRVT Age Estimation report found mean absolute errors at the 13-year threshold ranging from 1.4 to 3.8 years across vendors, with systematic bias against several demographic groups. A 3-year error band at a 13-year threshold means a substantial fraction of 13-15-year-olds will be misclassified as adults and a substantial fraction of 16-18-year-olds will be misclassified as minors. The first error type fails protection; the second imposes friction on young adults trying to access lawful content. Both errors fall disproportionately on the same demographic groups. Equity audits of age-estimation deployment are not yet mandatory in any jurisdiction. They should be.

Apple's "Declared Age Range API" and Google's equivalent let apps request an age band from the operating system, which derives the band from the account-holder's stated birth date and parental-controls settings. The architectural appeal is significant: identity stays on-device, only a coarse signal crosses the boundary, no third-party verifier sees the document. The architectural cost is also significant: Apple and Google become the global age-truth oracles for an entire generation. Their accuracy depends on parents having configured Family Sharing or Google Family Link correctly when the device was first set up — a configuration most parents complete once and never revisit. Errors compound. And the duopoly's commercial interest in being the trusted age provider creates incentives to lock platforms into their attestation systems rather than competing federated alternatives.

The cryptographic primitive that would solve most of age verification's privacy problems is the zero-knowledge proof of age: a token that proves "this user is over 18" without revealing identity, document, or even the verifier. The technology is mature. The European Digital Identity Wallet (EUDI), rolling out across member states from 2026, supports it. Privacy advocates have spent a decade urging legislatures to specify ZKP architectures in statute. Legislatures have largely declined, partly because most legislators do not understand the cryptography and partly because the dominant verification vendors lobby against architectures that commoditize their services. The EUDI rollout is the most important policy experiment in this space. If it works at scale, it becomes the export model. If it fails, the document-honeypot architecture wins by default.

The Supreme Court's June 2025 decision in Free Speech Coalition v. Paxton upheld Texas's HB 1181 age-verification mandate for sites where one-third or more of content is sexual material harmful to minors. The majority opinion applied intermediate scrutiny rather than the strict scrutiny that Ashcroft v. ACLU (2004) had implied. The reasoning: the law regulates access by minors, who have no First Amendment right to obscene-as-to-them material, and incidental burdens on adults are tolerable if the law is sufficiently tailored. Three justices dissented, arguing the law's effect on adult access required strict scrutiny. The doctrinal lane this opens is wider than the case's specific facts. State legislatures have read it as a green light for broader age-verification mandates. Subsequent challenges to social-media age-verification laws will test how far Paxton extends.

Adult-content sites are the canary in the age-verification mine. They have the strongest legal mandates, the most motivated user base for bypass, and the most experience with verification systems. Pornhub has withdrawn from more than a dozen US states rather than implement verification, redirecting users to VPN-friendly alternatives. Independent studies (most notably the Australian eSafety Commissioner's 2024 report) found that minor exposure to pornography declined modestly in jurisdictions with enforced age verification but did not collapse, because of bypass routes and migration to non-compliant sites. The data is the closest thing we have to ground truth on what age verification does and does not accomplish. Generalizing from porn to social media is risky — the motivation curves differ — but it is the empirical base we have.

Several jurisdictions have moved from age-appropriate-design regimes (which assume minors are present and protected) to age-prohibition regimes (which forbid minors entirely). Australia's Online Safety Amendment (Social Media Minimum Age) Act 2024 sets sixteen as the minimum age for accounts on covered services and imposes the verification duty on platforms, not parents. France, Norway, and several US states have proposed similar laws. The prohibition model is politically attractive because it is simple and assigns enforcement to platforms. It is empirically contested because it cuts off access to social networks that minors also use for support, education, and identity exploration. The 1,000-page manual takes no fixed position on the right age threshold but observes that the prohibition model depends on verification working, and verification does not yet work as reliably as the model assumes.

Character.AI, Replika, and similar AI-companion services occupy a legal gray zone. They are not user-to-user services (the counterparty is a model, not a person). They are not pornography (most do not produce explicit content by default). They are not search engines or recommender systems. Yet they create the most intense parasocial relationships ever observed among adolescents and have been implicated in at least one teen suicide lawsuit (Garcia v. Character Technologies, 2024). Age verification for AI companions is barely deployed; the services use self-declaration. State legislatures are now drafting specific AI-companion bills. The architectural question — should AI-companion access require stricter age verification than social-media access, given the intensity of the bond? — is unresolved. Parents who want to influence the answer should do so now, before the precedent is set by default.

Every age-verification regime has a VPN ceiling: the rate of bypass via VPNs sets the practical maximum effectiveness of the law. In jurisdictions that have aggressively enforced age verification on adult content, VPN usage among teenagers has risen sharply — in Louisiana, by an estimated 250% in the months following Act 440's implementation. This does not invalidate the law. It does mean that the law's effect is concentrated on the marginal user (curious, unmotivated, unsophisticated) rather than the determined user. Honest debate about age verification should foreground this. The argument "this law will protect children" is more defensible as "this law will reduce casual access for the median curious child while not affecting the determined seeker." The first is rhetoric. The second is policy.

Pseudonymous internet access has been the default since the medium's origin. Pseudonymity enables whistleblowing, abuse-survivor support communities, LGBTQ identity exploration in hostile environments, political dissent in authoritarian regimes, and ordinary participation by people who cannot afford reputational exposure of their interests. Universal age verification erodes pseudonymity even when the verification is privacy-preserving, because the social norm becomes "your identity is checkable." The chilling effect on speech and association is real but diffuse. Civil-liberties organizations have struggled to make it legible to legislators and parents who weigh it against concrete child-harm cases. The trade is genuine and difficult. The 1,000-page manual asks parents to hold both sides of it without flinching.

A defensible age-verification regime, at the collective scale, has six features. (1) Outcome standards (effectiveness benchmarks) rather than mandated specific technologies. (2) Architectural floors: no honeypots, no biometric storage, no linking of age tokens to identity unless legally required. (3) Demographic-equity audits, published quarterly, with regulator enforcement when bias exceeds thresholds. (4) Adult-access protection: explicit statutory language preserving adult pseudonymity and prohibiting use of verification data for marketing, profiling, or law-enforcement fishing. (5) Transparent error reporting: platforms publish false-positive and false-negative rates by demographic. (6) Sunset and review clauses: every age-verification statute expires after five years unless reauthorized after independent effectiveness review. None of the laws passed in the last three years contain all six features. Parents who organize around these six demands will produce better legislation than parents who organize around "do something."

1. Livingstone, Sonia, and Kruakae Pothong. "Beyond Age Assurance: Rights-Based Design for Children's Digital Lives." Journal of Children and Media 18, no. 2 (2024): 187-204. 2. Collier, Anne. "Age Verification: Promises and Perils." NetFamilyNews policy brief, March 2025. 3. Thierer, Adam. "Age Verification Mandates and the Future of Digital Free Speech." Federalist Society Review 25, no. 3 (2024): 412-438. 4. boyd, danah. "Why Youth (Heart) Social Network Sites." In Youth, Identity, and Digital Media, edited by David Buckingham, 119-142. Cambridge, MA: MIT Press, 2008. 5. Aiken, Mary. The Cyber Effect. New York: Spiegel & Grau, 2016. 6. Solove, Daniel J. "Murky Consent: An Approach to the Fictions of Consent in Privacy Law." Boston University Law Review 104, no. 2 (2024): 593-657. 7. Allen, Anita L. "Privacy and Pseudonymity in the Age of Surveillance." Georgetown Law Journal 110, no. 6 (2022): 1287-1340. 8. Goldman, Eric. "The Age Verification Mistake." Santa Clara High Technology Law Journal 41, no. 1 (2024): 1-58. 9. Khan, Lina M. "Remarks on FTC Workshop on the Commercial Surveillance Trade." Federal Trade Commission, September 2023. 10. Khan, Salman. Brave New Words. New York: Viking, 2024. 11. Luckin, Rose. Machine Learning and Human Intelligence. London: UCL IOE Press, 2018. 12. Reich, Justin. Failure to Disrupt. Cambridge, MA: Harvard University Press, 2020.