In
early
March,
438
security
and
privacy
researchers
from
32
countries signed
a
massive
open
letter warning
that
age
verification
mandates
for
the
internet
are
technically
impossible
to
get
right,
easy
to
circumvent,
a
serious
threat
to
privacy
and
security,
and
likely
to
cause
more
harm
than
good.
While
many
folks
(including
us
at
Techdirt)
have
been
calling
out
similar
problems
with
age
verification,
this
was
basically
a
ton
of
experts
all
teaming
up
to
call
out
how
dangerous
the
technology
is
—
by
any
reasonable
measure,
a
hugely
significant
collective
statement
from
the
scientific
community
on
an
active
area
of
internet
regulation.
It
got
about
a
day
of press
coverage,
and
then
legislators
everywhere
went
right
back
to
doing
the
thing
the
scientists
just
told
them
was
dangerous.
Since
the
letter
was
published,
Idaho signed
a
law
mandating
parental
consent
and
age
verification
for
social
media.
Missouri moved
forward
with
age
verification
measures
for
minors
using
social
media
and
AI
chatbots.
Greece announced
plans
to
ban
teens
from
social
media
entirely.
At
least half
of
US
states have
now
passed
some
form
of
age
verification
or
digital
ID
law
with
many
others
considering
similar
laws.
The
European
Union
continues
to
push
age
assurance
requirements
through
various
regulatory
channels.
Australia
is
trying
to
get
other
countries
on
board
with
its
own
social
media
ban
for
kids.
All
of
this,
proceeding
as
though
hundreds
of
the
world’s
foremost
experts
on
security
and
privacy
had
said
nothing
at
all.
We’ve
been
writing
about
the
serious
problems
with
age
verification
mandates for
years
now.
The
arguments
haven’t
changed,
because
the
underlying
technical
realities
haven’t
changed.
But
this
letter
deserves
far
more
attention
than
it
received
because
of
how
thoroughly
it
tears
apart
every
assumption
that
age
verification
proponents
rely
on.
The
letter
starts
by
acknowledging
what
should
be
obvious:
the
signatories
share
the
concerns
about
kids
encountering
harmful
content
online.
This
matters,
because
the
go-to
response
to
any
criticism
of
age
verification
is
to
accuse
critics
of
not
caring
about
children.
These
are
hundreds
of
scientists
saying:
we
care,
we’ve
studied
this,
and
what
you’re
proposing
will
make
things
worse.
We
share
the
concerns
about
the
negative
effects
that
exposure
to
harmful
content
online
has
on
children,
and
we
applaud
that
regulators
dedicate
time
and
effort
to
protect
them.
However,
we
fear
that,
if
implemented
without
careful
consideration
of
the
technological
hazards
and
societal
impact,
the
new
regulation
might
cause
more
harm
than
good.
Some
will
argue
that
this
is
meaningless
without
a
proposed
“fix”
to
the
problems
facing
children
online,
but
that’s
nonsense.
As
these
experts
argue,
the
focus
on
age
verification
and
age
gating
will
make
things worse.
It’s
the
classic
“we
must
do
something,
this
is
something,
therefore
we
must
do
this”
fallacy
dressed
up
as
child
protection.
The
fact
that
child
safety
problems
are
specific
and
complex
is
exactly
why
simplistic
bans
and
age-gating
cause
so
much
damage.
And
it’s
a
genuine
indictment
of
our
current
discourse
that
refusing
to
embrace
a
non-solution
somehow
gets
read
as
not
caring
about
the
problem
itself.
From
there,
the
letter
walks
through
the
actual
problems
with
these
commonly
proposed
solutions
in
a
level
of
detail
that
should
be
mandatory
reading
for
any
legislator
voting
on
these
laws.
(It
almost
certainly
won’t
be,
but
we
can
dream.)
First,
the
biggest
problem:
these
systems
are
ridiculously
easy
to
circumvent.
This
point
gets
hand-waved
away
constantly
by
politicians
who
seem
to
think
that
because
something
sounds
like
it
should
work,
it
must.
The
scientists
have
a
different
view,
grounded
in
actual
evidence
from
actual
deployments:
There
is
ample
evidence
from
existing
deployments
that
lying
about
age
is
not
hard.
It
can
be
as
easy
as
using
age-verified
accounts
borrowed
from
an
elder
sibling
or
friend.
In
fact,
there
are
reported
cases
of
parents
helping
their
children
with
age
circumvention.
There
is
evidence
that,
shortly
after
age-based
controls
appear,
markets
and
services
that
sell
valid
accounts
or
credentials
quickly
arise.
This
enables
the
use
of
online
services
deploying
age
assurance
at
an
affordable
price
or
even
for
free.
This
is
the
case
even
if
the
verification
is
based
on
government-issued
certificates,
as
shown
by
the
ease
with
which
fake
vaccination
certificates
could
be
acquired
during
the
COVID
pandemic
We
just
recently
talked
about
the
evidence
in
Australia
showing
that
a
huge
percentage
of
kids
have simply
learned
how
to
get
around age
gates.
Australia’s
biggest
accomplishment:
teaching
kids
how
to
cheat
the
system.
The
letter
makes
a
point
that
almost
never
appears
in
the
legislative
debates:
The
threat
model
for
age
verification
is
fundamentally
broken
because
the
people
building
these
systems
assume
the
only
adversary
is
a
teenager.
But
since
every
adult
internet
user
will
also
be
subjected
to
these
checks,
and
many
adults
will
not
want
to
submit
to
this
kind
of
surveillance,
we’re
going
to
be
creating
huge
incentives
for
adults
to
get
around
these
age
checks
as
well,
meaning
that
new
industries
(some
likely
to
be
pretty
sketchy)
will
arise
to
help
people
of
all
ages
avoid
this
kind
of
surveillance.
And
that,
alone,
will
make
it
easier
for
everyone
(kids
and
adults)
to
bypass
age
gates
(though
in
a
way
that
will
likely
make
many
people
less
safe
overall):
As
its
main
goal
is
to
restrict
the
activities
of
children,
it
is
common
to
believe
that
the
only
adversary
is
minors
trying
to
bypass
age
verification.
Yet,
age
verification
mechanisms
also
apply
to
adults
that
will
have
to
prove
their
age
in
many
of
their
routine
online
interactions,
to
access
services
or
to
keep
them
away
from
children-specific
web
spaces.
As
these
checks
will
jeopardize
their
online
experience,
adults
will
have
incentives
to
create
means
to
bypass
them
both
for
their
own
use
or
to
monetize
the
bypass.
Thus,
it
is
foreseeable
that
an
increase
in
the
deployment
of
age
assurance
will
result
in
growing
availability
of
circumvention
mechanisms,
reducing
its
effectiveness.
The
circumvention
problem
alone
should
be
enough
to
give
legislators
pause.
But
the
letter
goes
further,
addressing
what
happens
to
people
who can’t circumvent
the
systems,
or
who
try
to
and
end
up
worse
off.
One
of
the
strongest
sections
addresses
the
perverse
safety
consequences.
Deplatforming
minors
from
mainstream
services
doesn’t
make
them
stop
using
the
internet.
It
pushes
them
toward
less
regulated,
less
secure
alternatives
where
the
risks
are
dramatically
higher,
and
where
these
services
care
less
about
actually
taking
steps
to
protect
kids:
If
minors
or
adults
are
deplatformed
via
age-related
bans,
they
are
likely
to
migrate
to
find
similar
services.
Since
the
main
platforms
would
all
be
regulated,
it
is
likely
that
they
would
migrate
to
fringe
sites
that
escape
regulation.
This
would
not
only
negate
any
benefit
of
the
age-based
controls
but
also
expose
users
to
other
dangers,
such
as
scams
or
malware
that
are
monitored
in
mainstream
platforms
but
exist
on
smaller
providers.
Even
if
users
do
not
move
platforms,
attempting
circumvention
to
access
mainstream
services
from
a
jurisdiction
that
does
not
mandate
age
assurance
might
also
increase
their
risk.
For
example,
free
VPN
providers
might
not
follow
secure
practices
or
might
monetize
users’
data
(especially
non-EU
providers
that
are
not
subject
to
data
protection
obligations),
and
websites
accessed
in
other
jurisdictions
through
VPNs
would
not
provide
the
user
with
the
data
protection
standards
and
rights
which
are
guaranteed
in
the
EU.
And
as
we
keep
explaining:
age
verification
makes
adults think they’ve
“made
the
internet
safe,”
which
creates
all
sorts
of
downstream
problems
—
including
failing
to
teach
young
people
how
to
navigate
the
internet
safely,
while
doing
nothing
to
address
the
actual
threats.
As
the
letter
notes,
it
creates
a
false
sense
of
security:
The
promise
of
children-specific
services
that
serve
as
safe
spaces
is
unrealizable
with
current
technology.
This
means
that
children
might
become
exposed
to
predators
who
infiltrate
these
spaces,
either
via
circumvention
or
acquisition
of
false
credentials
that
allow
them
to
pose
as
minors
in
a
verifiable
way.
So
the
system
designed
to
“protect
the
children”
could
end
up
creating
verified
hunting
grounds
for
predators,
while
simultaneously
pushing
kids
who
get
locked
out
of
mainstream
platforms
toward
sketchy
fringe
sites.
Some
child
safety
measure.
The
privacy
concerns
are
equally
serious.
Age
verification
mandates
give
online
services
a
justification
—
indeed,
a legal
requirement —
to
collect
far
more
personal
data
than
they
currently
do.
The
letter
notes
that
age
estimation
and
age
inference
technologies
are
“highly
privacy-invasive”
and
“rely
on
the
collection
and
processing
of
sensitive,
private
data
such
as
biometrics,
or
behavioural
or
contextual
information.”
And
this
data
will
leak.
It
always
does.
The
letter
points to
a
concrete
example:
70,000
users
had
their
government
ID
photos
exposed
after
appealing
age
assessment
errors
on
Discord.
That’s
what
happens
when
you
force
the
creation
of
massive
centralized
databases
of
sensitive
identity
information.
You
create
targets.
The
most
alarming
part
of
the
letter
is
the
one
that
gets
the
least
discussion:
centralization
of
power.
The
scientists
warn,
bluntly,
that
age
verification
infrastructure
doubles
as
censorship
infrastructure:
Those
deciding
which
age-based
controls
need
to
exist,
and
those
enforcing
them
gain
a
tremendous
influence
on
what
content
is
accessible
to
whom
on
the
internet.
Recall
that
age
assurance
checks
might
go
well
beyond
what
is
regulated
in
the
offline
world
and
set
up
an
infrastructure
to
enforce
arbitrary
attribute-based
policies
online.
In
the
wrong
hands,
such
as
an
authoritarian
government,
this
influence
could
be
used
to
censor
information
and
prevent
users
from
accessing
services,
for
example,
preventing
access
to
LGBTQ+
content.
Centralizing
access
to
the
internet
easily
leads
to
internet
shutdowns,
as
seen
recently
in
Iran.
If
enforcement
happens
at
the
browser
or
operating
system
level,
the
manufacturers
of
this
software
would
gain
even
more
control
to
make
decisions
on
what
content
is
accessible
on
the
Internet.
This
would
enable
primarily
big
American
companies
to
control
European
citizens’
access
to
the
internet.
This
should
be
the
part
that
makes
everyone
uncomfortable,
regardless
of
their
political
orientation.
This
brings
us
to
what
is
already
happening
to
real
people
right
now.
A
recent
article
in
The
Verge
details
how
age
verification
systems
are
creating
serious, specific
harms
for
trans
internet
users.
Kansas
passed
a
law
invalidating
trans
people’s
driver’s
licenses
and
IDs
overnight,
requiring
them
to
obtain
new
IDs
with
incorrect
gender
markers.
Combine
that
with
age
verification
laws
requiring
digital
identity
checks,
and
you
get
exactly
the
kind
of
discriminatory
exclusion
the
scientists
warned
about:
“These
systems
are
specifically
designed
to
look
for
discrepancies,
and
they’re
going
to
find
them,”
said
Kayyali.
“If
you
are
a
woman
and
anyone
on
the
street
would
say
‘that’s
a
woman,’
but
that’s
not
what
your
ID
says,
that’s
a
discrepancy.”
The
danger
of
these
discrepancies
extends
not
just
to
trans
people,
but
to anyone
else whose appearance
doesn’t
match normative
gendered
expectations.
“A
lot
of
age
estimation
systems
are
built
on
a
combination
of
anthropological
sex
markers
and
skin
texture.
This
means
they
fall
over
and
provide
inaccurate
results
when
faced
with
people
whose
markers
and
skin
texture,
well,
don’t
match,”
explains
Keyes.
For
example,
one
of
the
most
prominent
markers
algorithms
measure
to
determine
sex
is
the
brow
ridge.
“Suppose
you
have
a
trans
man
on
HRT
and
a
trans
woman
on
HRT,
the
former
with
low
brow
ridges
and
rougher
skin,
the
latter
with
high
ridges
and
softer
skin,”
Keyes
explains.
“The
former
is
likely
to
have
their
age
overestimated;
the
latter,
underestimated.”
So
you
have
biometric
systems
that
are
specifically
designed
to
flag
discrepancies
between
someone’s
appearance
and
their
identity
documents.
And
you
have
a
government
that
is
deliberately
creating
discrepancies
in
trans
people’s
identity
documents.
The
result
is
predictable
and
ugly:
trans
people
get
locked
out,
flagged,
forced
to
out
themselves,
or
simply
blocked
from
accessing
services
that
everyone
else
uses
freely.
Most
of
these
verification
systems
are
black
boxes
with
no
meaningful
appeal
process.
The
laws
themselves
are
written
with
deliberately
vague
language
requiring
platforms
to
verify
age
through
“a
commercially
available
database”
or
“any
other
commercially
reasonable
method,”
with
nothing
about
transparency,
accuracy,
or
redress
for
people
who
get
wrongly
flagged
or
excluded.
And
in
many
of
these
laws,
the
definitions
of
content
“harmful
to
children”
are
flexible
enough
to
encompass
LGBTQ+
communities,
information
about
birth
control,
and
whatever
else
a
given
administration
decides
it
doesn’t
like.
As
one
of
Techdirt’s
favorite
technology
and
speech
lawyers,
Kendra
Albert,
noted
to
The
Verge:
“I
think
it’s
fair
to
say
that
if
you
look
at
the
history
of
obscenity
in
the
US
and
what’s
considered
explicit
material,
stuff
with
queer
and
trans
material
is
much
more
likely
to
be
considered
sexually
explicit
even
though
it’s
not.
You
may
be
in
a
circumstance
where
sites
with
more
content
about
queer
and
trans
people
are
more
likely
to
face
repercussions
for
not
implementing
appropriate
age-gating
or
being
tagged
as
explicit.”
So
to
summarize:
the
age
verification
infrastructure
being
built
across
the
world
(1)
doesn’t
actually
work
to
keep
kids
from
accessing
content,
(2)
pushes
kids
toward
less
safe
alternatives,
(3)
creates
verified
“safe
spaces”
that
predators
can
infiltrate,
(4)
forces
massive
collection
of
sensitive
personal
data
that
will
inevitably
leak,
(5)
creates
infrastructure
purpose-built
for
censorship
and
authoritarian
control,
(6)
systematically
discriminates
against
trans
people,
people
of
color,
the
elderly,
immigrants,
and
anyone
whose
appearance
doesn’t
match
neat
bureaucratic
categories,
(7)
concentrates
enormous
power
over
internet
access
in
the
hands
of
governments
and
a
handful
of
tech
companies,
and
(8)
lacks
any
scientific
evidence
that
it
will
actually
improve
children’s
mental
health
or
safety.
Seems
like
a
problem.
And
438
scientists
from
32
countries
put
their
names
on
a
letter
saying
so.
The
letter
closes
with
this:
We
believe
that it
is
dangerous
and
socially
unacceptable to
introduce
a
large-scale
access
control
mechanism
without
a
clear
understanding
of
the
implications
that
different
design
decisions
can
have
on
security,
privacy,
equality,
and
ultimately
on
the
freedom
of
decision
and
autonomy
of
individuals
and
nations.
“Dangerous
and
socially
unacceptable.”
That
isn’t
just
me
being
dramatic.
That’s
the
considered,
collective
judgment
of
hundreds
of
researchers
whose
professional
expertise
is
specifically
in
the
systems
being
deployed.
Meanwhile,
the
laws
keep
passing.
Nobody
seems
to
have
bothered
asking
the
scientists.
Or,
more
accurately,
the
scientists
volunteered
their
expertise
in
the
most
public
way
possible,
and
everyone
in
a
position
to
act
on
it
decided
that
the
political
appeal
of
“protecting
the
children”
was
more
important
than
whether
the
proposed
method
of
protection
actually
protects
children,
or
whether
it
creates
a
sprawling
new
infrastructure
for
surveillance,
discrimination,
and
censorship
that
will
be
almost
impossible
to
dismantle
once
it’s
built.
The
scientists’
letter
called
for
studying
the
benefits
and
harms
of
age
verification
before
mandating
it
at
internet
scale.
That
seems
like
a
comically
low
bar.
“Maybe
understand
whether
this
works
before
requiring
it
everywhere”
shouldn’t
be
a
controversial
position.
And
yet
here
we
are,
with
legislators
around
the
world
charging
ahead,
building
systems
that
security
experts
have
told
them
are
broken,
in
pursuit
of
goals
that
the
evidence
says
these
systems
can’t
achieve,
at
a
cost
to
privacy,
security,
equality,
and
freedom
that
nobody
in
a
position
of
power
seems
interested
in
calculating.
438
Experts
Said
Age
Verification
Is
Dangerous.
Legislators
Are
Moving
Forward
With
It
Anyway.
More
Law-Related
Stories
From
Techdirt:
The
Right
Wing
Origins
Age
Verification
Laws
Don’t
Disappear
Just
Because
They’re
Going
Bipartisan.
All
But
3
Of
The
4,499
Refugees
Admitted
To
The
US
Under
Trump
Are
White
South
Africans
Oh
Look,
The
MAGA
FTC
Built
The
Censorship
Industrial
Complex
It
Was
Screaming
About
ACAB:
Cops
Are
Bringing
‘Delinquency
Of
A
Minor’
Charges
Against
Adults
Who
Assist
Students
During
Anti-ICE
Protests