Online threats to children are real, but the headlong pursuit of age verification that we’re seeing around the world is unacceptable in its approach and far too broad in scope — and we simply can’t afford to get this wrong.

To be clear, parents’ concerns are valid and sincere. Few people would argue that kids should have unfettered access to adult material, to self-harm how-tos, to social media platforms that manipulate them and expose them to abuse. 

But it’s the very depth of those worries that is being cynically exploited. Age verification as it is currently being proposed in country after country would mean the death of anonymity online.

And we know exactly who stands to gain: The same tech giants who built the privacy nightmare that the internet is today.

When data gets collected, it will get out

The business of age-gating the internet has come a long way since the days of “Check this box if you’re over 18.” Now people are sending in passports and videos and even fingerprints. And what’s happened? The same thing that’s always happened: That data gets leaked.

Look at Discord. Last October, the chat platform beloved by gamers acknowledged that hackers had accessed the records, including photos of government IDs, of more than 70,000 users being held by a third-party vendor it had hired to enforce age verification.  

And this will keep happening. The more sensitive data you stockpile in privately held databases, the bigger a target it becomes for criminals. If a social platform or dating app without expertise is ordered to collect it, they’re easy prey. Thousands of companies may manage to do it right, but some of them will surely fail. (Remember Ashley Madison?)

Even if you outsource age verification to a “specialist” third party, that’s no silver bullet, as Discord discovered. When age checks are a company’s sole business, the company may develop greater skill in shielding the data from hackers, but it also becomes an even more appealing target. And because it lacks other income streams, it needs to offset its costs somehow — and the temptation to monetize that data, to sell it, becomes hard to resist.

There are no heroes here

Governments cannot be trusted to come to the rescue. The European Union just unveiled a mobile app to check people’s ages, and it took hackers a matter of hours — one claimed only two minutes — to discover fatal flaws.

Calls are also growing for Big Tech to step in. Make Apple and Google and Microsoft do it, people say. With their control over operating systems, they can require IDs and block access to kids at the device level, right? And just a few weeks ago, Apple announced a plan in the UK to do exactly that.

But these companies have built their empires on collecting data and on preferencing their own products to disadvantage competitors. They’ve paid billions in fines for doing it. If they’re given even more power to decide who can download what, and track who is doing what, does anyone seriously believe they won’t abuse that power? 

Leads to ID verification for adults

Online privacy has always been tenuous. But with age verification, we’re on the cusp of, once and for all, requiring ID for every single person going online, for any reason, legal or not, adult or not. And that should terrify us all. 

While no business can simply disregard the laws in its jurisdiction, Big Tech companies have demonstrated that they will collude with governments on an industrial scale. They cooperate with hundreds of thousands of data requests from governments every year, many never seen by a judge, and that number is only growing. 

What’s more, they are known to cave to state pressure and ban apps. If every Apple account in the UK is tied to a government-issued ID, how long will it be before every other country expects the same? Once you’re using these collected IDs to block access based on age, it’s a short leap to blocking access based on nationality or other factors as well.

How long before China demands the names of every person who downloaded a certain app? How long before lists of “undesirables” are sent to the tech giants, with orders to be blocked from the internet entirely? Is this really a road we’re prepared to go down?

When online anonymity is stripped away, whistle-blowers keep their mouths shut. People in desperate need of help don’t ask for it. And democracy itself suffers, as those who would seek to hold their government accountable don’t always want to do so with their real name attached.

Power needs to shift, but not to Big Tech

Technology companies should never become gatekeepers for every adult on the internet, but they must still do their part. They must direct their design firepower toward improving parental-control features at both the app and device levels. These should be obvious and easy to use, not an afterthought scattered across hidden menus. This puts the power and authority to protect children firmly where it belongs: with parents. 

We cannot accept a world where every adult is expected to hand over ID as the price of going online. The scope of places where age verification is required must be strictly confined to areas like pornography and social media, where the potential for harm is greatest.

And if as a society we conclude that a narrowly drawn age-verification system is both necessary and inevitable, it must be done right. Checks must be conducted entirely client-side, on the user’s device. They should rely on facial scans, not uploaded IDs, that are instantly discarded once processed. The answer to the binary question of whether the user is “of age” must be fully anonymized, divorced from any identifying information, and transmitted entirely under end-to-end encryption. And the code that underpins the system must be open-source, allowing the public to be certain that these expectations are being met.

Never forget what the real threats are

These requirements are non-negotiable, because the only way to guarantee that age-verification data will not be stolen, shared, or abused is to not collect it at all. We certainly cannot entrust it to the same giants that have a proven track record of exploiting our private information. Or to faceless new companies with incentives to misbehave. Or to governments that, let’s face it, have their own history of failing to protect user information or abusing it themselves.

And bit by bit, we need to tackle the real root cause of so much of the harm we see online: The advertising- and attention-based business model that gives almost every company an incentive to spy, to track, and to keep everyone, and especially kids, hooked on their products.

Meta, the parent of Facebook, has been strongly lobbying in favor of age verification for years, but not out of concern for children. They want to lift any responsibility from their shoulders, so they can keep targeting adults with their toxic products. Age verification should not distract us from the real danger to children and adults alike.

Given all the online threats out there, the desire to “do something” to protect kids is understandable, even laudable. But with age verification, we’re at risk of locking in and reinforcing all the worst aspects of the internet. And the end of the road for all these good intentions is a hellish place indeed.