Papers, please: Age verification laws threaten everyone's online security and privacy

Picture this. You open your favorite app or website, but you're suddenly blocked. On your screen, it says that before you're allowed in, you must verify your age by taking a photo of your face or uploading a copy of your government-issued ID. If you don't — or can't, you will be locked out of your account until you prove that you are of your country's legal age.

This would be a nightmare for, well, anyone, and a prohibitive quid pro quo for many, in some cases long after opening an account and trusting an online provider with your information.

But thanks to a wave of age verification laws passed by governments around the world, this is now an increasingly common and inescapable scenario for hundreds of millions of people.

Under these new laws, adults are required to show that they are of legal age by uploading copies of their driver's license or passport before they can access certain apps, websites, and online communities, as determined by law. This information is often collected by privately held companies, which store and cross-check large amounts of people's personal information to determine their ability to access the wider web.

In rolling out these laws, governments are effectively walling off large swathes of the open and decentralized internet, while sleepwalking the rest of us into a security and privacy disaster. 

Now, hundreds of security and privacy academics are sounding the alarm in response to these invasive online checks, saying age verification laws carry significant risks that threaten the internet as we know it.

How we got here

Age verification laws have spread around the world over the past year or so under the ostensible aim of trying to keep children safe online, such as from social media and adult content. 

The United Kingdom and Australia began requiring age checks for certain social media sites, messaging apps, and other online communities last year. Today, there are dozens of countries moving to enact some form of age verification laws. At least half of all U.S. states have some form of age checks in place, and Europe is also gearing up for its own age verification legislation.

Age verification laws are a lazy way for politicians and governments to appear as if they are tackling online child safety, but without any forethought to the future consequences of amassing vast banks of personal information for verifying people's identities. Rather than holding the ultra-wealthy tech and social media giants accountable for their actions, cowardly and toothless governments are instead requiring ordinary people to shoulder the legal burden. These are the same tech companies that don't pay any tax, all the while governments let them get away with it.

While we can all agree that we want kids to be safer online, this is not a zero-sum game where an entire population has to suffer as a tradeoff. As journalist Taylor Lorenz writes in The Guardian, age verification laws "could transform the internet from a space of free expression to a fully surveilled digital panopticon where every action you take online is tied to your government ID."

A slippery slope for security and surveillance

In their open letter [PDF], the coalition of academics say age verification laws can do more harm than good if implemented without "careful consideration of the technological hazards and societal impact."

The academics argue, among other things, that age verification checks can diminish a person's privacy by storing their personal information and what content they access in potentially insecure ways, exposing the data to breaches and government snooping. They add that age checks increase the risks of inequality and discrimination against people who don't have identity documents to show, such as the elderly and undocumented migrants. And, age checks allow authoritarian governments to abuse and exploit these systems to censor access to the internet.

According to the academics, many age verification systems as designed today create a "single point of failure" by storing huge amounts of personal and identifiable information in central databases. These data stores become rich targets for hackers, malicious insiders, and law enforcement agencies demanding access at a moment's notice. 

The academics add that without strict data protection, or security and privacy regulations, many companies will default to the easier and centralized ways of storing data in order to comply with age verification laws, rather than investing in technologies that fully decouples a person's identity from a list of apps or websites that they access.

"If that central authority is breached, subpoenaed, or acts maliciously, the supposedly 'private' system is completely exposed, transforming a vague technical requirement into a systemic privacy disaster," the academics warn.

These are not hypotheticals. In October 2025, Discord reported a data breach that allowed hackers to steal around 70,000 identity documents of users, who had contacted its customer support to appeal their age check determination. There are inherent risks in collecting this kind of sensitive data to begin with. 

Gated community apps like Tea and TeaOnHer, which only allowed access to users who uploaded their identity documents, both experienced security spills involving thousands of people's papers. And, according to 404 Media, AU10TIX, an online age verification service used by TikTok, Uber, and X, exposed a set of internal administrative credentials online for a year, potentially allowing hackers to access users' sensitive documents.

The academics also warn of the dangers of granting companies and governments enormous power over what information is accessible to people on the internet. Governments change, as do laws. What may be the norm one day can be ripped up by the next. In the wrong hands, the academics say, age verification systems could allow authoritarian governments to "censor information and prevent users from accessing services."

Age verification laws are also a slippery slope of subjective harms that are unlikely to stop at adult-appropriate websites and apps. Some U.S. states have defined their laws broadly enough that they risk ringfencing LGBTQ+ communities and content about reproductive health. 

Once age verification laws are enacted, it's easier for lawmakers and governments to justify further changes to these laws.

After the U.K. age verification laws took effect in 2025, the use of VPNs among British users skyrocketed. VPNs allow users to skirt age checks by appearing as if they're in another country whose laws do not require this information. This prompted the U.K. government to double down on its legislation by exploring whether to expand age checks to cover VPNs, a move that would have untold consequences and disruption for regular businesses.

What can you do about it? 

There is some good news amid all this. Public disgust and revulsion to age checks, and the mass collection of people's private papers, are having an effect.

Discord said it would postpone its age verification rollout after facing considerable backlash from its users, which — fair — since it's a reputational matter for these companies, too. None of these companies probably want to be tarnished as creepy or gross, and yet major popular consumer services have now found themselves on the front-lines of collecting people's sensitive documents from angry and aggrieved users. 

Age checks are ultimately a legislative problem. Make your voice heard. Call and email your lawmakers. Tell them (or rather, their staff answering the phones and juggling inboxes) that you don't want this. Tweet, skeet, and post at them online. Send them this story (or anything I've linked to in here) and make it clear that this is a voting issue for you.

Meanwhile, critics of age verification laws like Amnesty International say governments should instead pass legislation that aims to protect all users of the internet. This means working on passing stronger data protection laws and safeguards that hold tech giants accountable for the harms they've created through their "relentless pursuit of user engagement and exploitation of people’s personal data."

The Electronic Frontier Foundation has a guide on what to expect when you face an age check. 

Anecdotally, some people on social media sites like Reddit say if you are presented with an age verification prompt, you can try taking a photo of your government-issued ID and using your phone's editing tools to scrub your sensitive information, such as your driver's license or passport numbers and your home address, while leaving your date-of-birth visible, and then submitting it. Some of these age verification systems will accept partially redacted documents.

And, if you're a security researcher, consider looking into the architectures of these age verification platforms to understand how and where they store people's data. As these age-checking platforms become more mainstream, finding security flaws or weaknesses, reporting them so they can be fixed, and publicly disclosing them will help to raise awareness to the risks and harms that come from badly implemented age verification systems. The greater the visibility into these gargantuan data hoarders, the better for the public's understanding at large.

Thank you so much for reading ~this week in security~. Please consider a paying subscription. Feel free to reach out with any feedback, questions, or comments about this article: this@weekinsecurity.com.