Scientists warn against crappy age verification: 'if implemented without careful consideration… the new regulation might cause more harm than good'

As age verification becomes more commonplace across the web, there are some trying to oppose its rollout on security and privacy grounds. An open letter signed by over 400 researchers and scientists arguing the many reasons why age verification (and most especially the current age assurance technology) isn't all it's cracked up to be is now available to read in full.

Here's a precis on the whole thing: Governments across the world are adopting legislation to ensure usage or compliance with age assurance methods, in the name of keeping kids off the bad parts of the web. That sounds like a good idea until you look into the details. Those details suggest these are often haphazardly applied and with little regard for privacy and data protection.

The open letter outlines a few key arguments:

How easily age verification can be bypassed. This being evident by Discord's age verification, provided by K-id, which could be bypassed by using Sam's face in Death Stranding. As the open letter points out, it's possible to lie about one's age, trick a system, or buy age-verified credentials online. VPNs are also widely available and prove an easy way to bypass any and all age assurance methods, even if access to said VPNs is age-restricted.

How unreliable age estimation can be. All while potentially necessitating large-scale and invasive data collection or widespread use of government IDs at every online interaction for any semblance of effectiveness. As the letter notes, "We conclude that age assessment presents an inherent disproportionate risk of serious privacy violations and discrimination, without guarantees of effectiveness."

How it necessitates a global trust infrastructure. This being one of the main goals of the EU's digital identity wallet, though only pan-EU, being used as a common foundation for all member states to meet one another for age assurance. Though as the letter suggests, "even if such a trust infrastructure would exist, checks can be circumvented by acquiring valid certificates or using VPNs, as long as age assurance regulations are not universally enforced by all affected services."

How it can push users to lesser-known, potentially dangerous websites. By enforcing age assurance, and with the larger, more responsible websites complying, there is a chance of pushing users to lesser-known, potentially dangerous or scam websites. Following the rollout of the UK's Online Safety Act, one of the first investigations it launched was into porn websites that did not immediately comply with the new rules for age verification checks. Other websites chose to turn off services to the UK altogether.

"Since the main platforms would all be regulated, it is likely that they would migrate to fringe sites that escape regulation. This would not only negate any benefit of the age-based controls but also expose users to other dangers, such as scams or malware that are monitored in mainstream platforms but exist on smaller providers," the letter says.

An interesting point in the open letter is how, by assuming safe spaces on the web are locked down with insufficient means, we may be lulling ourselves into a false sense of security.

Though, most clear of all arguments against age assurance are the privacy concerns. This being the thing I see most often cited against any form of age verification, wherein private companies based who-knows-where are collecting information including government-issued documents or facial scans to provide age assurance, and how that data is handled is not sufficient. We've already seen the worst fears of this in reality, as a third-party working for Discord was breached and approximately 70,000 user accounts had government-issued ID photos exposed—IDs which were handed over for age-related appeals.

I spoke to a few age verification experts last year on similar grounds, exploring what alternative methods could be used to patch up some of the glaring holes in the current system, including zero-knowledge proofs. Though, since that time, we've seen wider adoption of age assurance outside of the UK (which introduced mandatory checks with the Online Safety Act), including Discord, which later rolled back its global age checks, Xbox, and more in the gaming space.

We also saw Reddit hit with a £14.47m fine, which included a complaint that the company did not have a sufficient age verification method. A new bill in California also seeks to enforce operating systems to carry out age verification methods, which is a lofty goal that may prove unfeasible in reality.

Meanwhile, a YouGov poll last year suggested that most brits feel age verification methods are ineffective, despite generally supporting the cause.

The open letter continues to point out discrimination concerns—namely for adults that don't have government ID or online literacy to use age verification—which could also lead to higher risk of falling foul to scammers. As we've seen already, Reddit was blocking access to addiction subreddits due to the UK's OSA (despite falling foul of the regulation), which would be important literature for anyone to access, regardless of whether they are able to prove their age or not.

The letter also notes the dangers of centralisation of power.

"In the wrong hands, such as an authoritarian government, this influence could be used to censor information and prevent users from accessing services, for example, preventing access to LGBTQ+ content."

I could go on, as there's a lot more to this letter, but altogether, if you've been reticent to give up a photo of your face for age verification, at least a good few academics are on your side. Over 400 of them, and from respected institutions such as KU Leuven, University of Copenhagen, Fraunhofer AISEC, Trinity College Dublin, University of Luxembourg, Karlstad University, ETH Zurich, King's College London, University of Cambridge, University of Oxford, UCL, Brown University, University of Maryland, UC Berkeley, World Wide Web Consortium… yeah, you get the idea.