Age Assurance on the Internet: Identity, Privacy, and the Limits of Verification
Pangram verdict · v3.3
We believe that this document is a mix of AI-generated, AI-assisted, and human-written content
AI likelihood · overall
MixedArticle text · 1,495 words · 4 segments analyzed
“In the field of digital identity, we tend to talk about technology through the lens of specific use cases. Payments. Authentication.”Fraud prevention. Account recovery. Which makes sense; you can’t solve a problem if you can’t map to something real.Which takes me to one use case that keeps appearing in policy discussions around the world: age assurance.How can someone prove they are old enough to access something—whether that means buying alcohol in person, signing up for social media, or accessing restricted content online—without exposing more personal information than necessary?This is a really challenging use case because it has some significant trade-offs. Age restrictions exist across a wide range of activities: purchasing tobacco or alcohol, accessing online pornography, participating in social media platforms, gambling, and many others. The specifics vary widely by jurisdiction, but the concept itself is familiar. Protecting children from harm is a compelling argument everywhere.At the same time, privacy advocates and civil liberties organizations have raised serious concerns about the infrastructure being built to enforce these restrictions. Age verification systems often require collecting identity data at scale, creating databases that may include precisely the people we are trying to protect. Critics warn that poorly designed systems can create new privacy risks while doing little to address the underlying harms. In an effort to protect the children, we might be making matters worse.Regardless of where you personally land in that debate, organizations may soon be required to implement some form of age assurance.So, let’s take a look at where things stand today, noting that age assurance is a moving target both politically and technically. A Digital Identity Digest Age Assurance on the Internet: Identity, Privacy, and the Limits of Verification 00:00 /00:15:10 RSS FeedYou can Subscribe and Listen to the Podcast on Apple Podcasts, or wherever you listen to Podcasts.And be sure to leave me a Rating and Review!Age Assurance, Age Verification, and Age EstimationThe first challenge is terminology. In policy discussions, several related concepts are often used interchangeably, even though they describe very different approaches. Age verification typically means confirming a person’s age using an authoritative credential such as a government ID.
Age estimation uses probabilistic techniques to guess a person’s age, often through biometric analysis like facial recognition.
Age assurance is the broader umbrella term that includes both of these approaches. This distinction matters because each method has different privacy and technical implications.Most age estimation technologies rely on biometric analysis, typically facial features, to infer an approximate age range. But advances in synthetic media and deepfake generation are already challenging those assumptions. If the image being analyzed is artificially generated, manipulated, or replayed, the system may be estimating the age of something that is not a real person at all.Standards work around presentation attack detection and liveness verification attempt to mitigate these risks, but the dynamic between synthetic media and detection technologies is likely to remain an ongoing arms race.Verification tends to be highly accurate, but it often requires linking the user to a real-world identity document. Estimation can be less intrusive, but it may introduce accuracy issues and potential bias. Age assurance systems frequently combine multiple techniques in an attempt to balance these tradeoffs.In other words, there is no single solution. Instead, organizations must navigate a spectrum of approaches with different risk profiles.The Regulatory LandscapeAge verification requirements are appearing in legislation around the world.Several U.S. states have passed (or are planning to pass) laws requiring age verification for access to certain online content. The United Kingdom’s Online Safety Act introduces new responsibilities for platforms to protect minors from harmful content. Similar laws exist across Europe, Australia, and parts of Asia.The details vary widely, but generally speaking, platforms are increasingly expected to determine whether users meet age thresholds before granting access to certain services.This raises an obvious, but poorly answered, question. How exactly are they supposed to do that?Where Does the Age Check Actually Happen?From a technical perspective, there are several possible places where age checks can occur.One option is platform-level verification, where the service itself asks users to upload identification documents or submit biometric data. Many online services already experiment with this approach.Another option is third-party verification providers. Companies specializing in identity proofing perform the age check and return a confirmation to the platform.A third approach involves digital identity wallets or credentials. In this model, a trusted issuer provides a credential that includes age attributes, and users present that credential when required.Finally, some policymakers have proposed placing age assurance closer to the browser or device layer, allowing software intermediaries to mediate these checks.Each of these architectures comes with different tradeoffs around privacy, interoperability, and deployment complexity.
The identity industry is still actively exploring which approaches will prove viable at scale.The Standards EcosystemAge assurance is not emerging in a vacuum. A number of standards and frameworks attempt to define how these systems should work.Some focus on policy frameworks and governance, such as the IEEE 2089 family of standards, which address age-appropriate digital services and the design of age verification systems.Others focus on identity proofing, including ETSI TS 119 461, which defines requirements for remote identity verification aligned with European regulatory frameworks such as eIDAS.Biometric approaches often rely on standards like ISO/IEC 30107-3, which addresses presentation attack detection; essentially determining whether a biometric sample is coming from a real person rather than a photograph or deepfake.Additional standards address privacy and data protection, including ISO/IEC 27018 and ISO/IEC 27701, which focus on safeguarding personal data during identity verification processes.Taken together, these frameworks illustrate that age assurance is not a single technology problem. It touches identity proofing, biometrics, privacy engineering, and regulatory compliance all at once.The Reality: Age Checks are Easy to BypassOne reason policymakers are turning toward stronger verification systems is that existing safeguards are often ineffective.Research examining children’s use of social media has shown that age restrictions embedded in platforms are routinely bypassed. In one study, 78% of children aged 10–15 were reported to have social media accounts despite minimum age limits, largely because existing verification systems rely on self-reported birth dates.Parents in the same study also reported difficulty supervising their children’s online activity, highlighting the gap between regulatory expectations and everyday digital behavior.In other words, current age-restriction mechanisms often function more as guidelines than enforceable barriers.The Privacy ParadoxEfforts to strengthen age verification create their own set of risks.Many proposed systems require users to upload identity documents, submit biometric scans, or otherwise provide personal data. These mechanisms can create large databases of identity information linked to sensitive activities.The Electronic Freedom Foundation warns that such systems can easily become honeypots of sensitive personal data.Even when the intention is to protect minors, poorly designed verification systems may introduce surveillance risks or create new attack surfaces for identity theft and data breaches.
The challenge goes beyond verifying age and straight into doing so without building a permanent record of who accessed what online.Where Digital Identity Comes Into PlayThis is where digital identity technologies enter the conversation.One promising idea is the use of cryptographic credentials that allow selective disclosure of attributes and/or zero-knowledge proof of a fact like “over 18”. (I wrote about the differences between the two a few weeks ago.)Instead of revealing a full identity document, a user might present a cryptographic proof that simply confirms “Age ≥ 18” without revealing name, address, or ID number.Mobile driver’s licenses and verifiable credential systems are exploring exactly this kind of functionality. In theory, these approaches could enable age assurance while preserving a high degree of privacy.Questions around issuer trust, credential revocation, device security, and interoperability, however, still need to be addressed before these systems can be widely deployed. Even when the technology works well enough, deploying it successfully and appropriately is still a challenge.Another important insight from policy research is that age restrictions alone rarely solve the underlying problem.Studies examining digital risk among minors have found that regulatory approaches often struggle because they rely on a single mechanism — such as platform enforcement — without addressing broader social factors. Weak coordination between families, schools, platforms, and regulators can limit the effectiveness of age-restriction policies.More broadly, policies aimed at protecting vulnerable populations frequently involve complex tradeoffs between social protection and other societal goals. Social protection frameworks can mitigate risks, but they may also introduce unintended economic or social effects depending on how they are implemented.Age assurance sits squarely in this category. It is not purely a technical system. It is part of a broader governance problem.The Deeper QuestionFor identity professionals, there is a question that goes beyond how to verify age and into the cost, both financial and architectural, of building the infrastructure required.Age verification systems have the potential to reshape authentication, credential presentation, and identity mediation across the web. The same infrastructure that proves someone is over eighteen could, in theory, support many other forms of attribute verification.Once that infrastructure exists, the temptation to use it for additional purposes may be difficult to resist. I refer the kind reader over to Andrew Hindle’s post on Proofing Creep. (