Problems: Age Verification Without Surveillance

This document is part of the not.bot™ Problems series, which presents public evidence for the problems not.bot exists to solve. This one covers age verification: the law now requires it across the major internet markets, and the systems used to comply collect identity data that the record of the past year shows gets retained, breached, and repurposed. Every figure below carries its source and date. The incidents are on the public record.


Proving your age now means handing over your identity

An age check asks a yes-or-no question. The accepted ways to answer it all collect identity. The GUARD Act, advanced 22-0 by the US Senate Judiciary Committee on April 30, 2026, defines "reasonable age verification" by excluding a self-entered date of birth and pointing platforms to government ID uploads, facial scans, and financial records tied to a legal name. The FTC's enforcement policy statement (February 25, 2026) sweeps in age estimation, age verification, and age inference tools, and quotes the research consensus on the checkbox it replaces: self-declaration is "insufficient in terms of accuracy…very easy to circumvent…[and] clearly inadequate and inappropriate for use in high-risk situations" (FTC, quoting Common Sense Media, September 2024).

So a user who wants to keep using an age-gated service now hands over a passport image, a face scan, or a credit card. The service, or its verification vendor, holds that data. The market for holding it is growing 74%, from US$15.2 billion in 2024 to a projected US$26 billion by 2029 (Juniper Research, December 2, 2024). What follows is the record of what happens to the data.

The mandate arrived in every major market at once

  • The US Supreme Court upheld Texas HB 1181's age-verification requirement for adult sites on June 27, 2025 (Free Speech Coalition v. Paxton, 6-3), removing the main constitutional obstacle. About two dozen states now require age verification for adult content (National Law Review, January 2026), and at least 19 states have enacted social-media minor-access laws, though courts have enjoined several (National Conference of State Legislatures, April 2026).
  • Florida is enforcing its under-14 social media ban after the 11th Circuit stayed a district-court injunction in November 2025. California's Digital Age Assurance Act (AB 1043, signed October 13, 2025, operative January 1, 2027) moves the duty into the operating system: OS providers must collect age at account setup and transmit an age-bracket signal to every app.
  • Congress has a queue behind the GUARD Act: the KIDS Act absorbed the Kids Online Safety Act provisions and advanced from committee 28-24 (March 2026), COPPA 2.0 passed the Senate on March 5, 2026, the App Store Accountability Act advanced 26-23, and the SCREEN Act is pending. The FTC, meanwhile, suspended COPPA's parental-consent requirement for data collected for age-verification purposes, on conditions, to encourage adoption (February 25, 2026).
  • The UK Online Safety Act's "highly effective age assurance" duty took effect July 25, 2025. Ofcom is enforcing: a £520,000 fine against 4chan, £450,000 of it for failing to deploy age assurance (March 19, 2026), and a £950,000 fine against a US suicide-discussion forum that had geoblocked the UK (May 13, 2026).
  • The European Commission piloted its age-verification app with Denmark, France, Greece, Italy, and Spain (July 2025), then recommended that every member state have privacy-preserving age verification deployed by December 31, 2026 (April 29, 2026). The European Parliament voted 483-92 (86 abstentions) on November 26, 2025 to recommend an EU-wide minimum social media age of 16.
  • Australia's Social Media Minimum Age Act took effect December 10, 2025: under-16s are barred from ten designated platforms, including Facebook, Instagram, TikTok, YouTube, and Reddit, with penalties to A$49.5 million. More than 4.7 million accounts were removed, deactivated, or restricted by mid-January 2026 (Reuters, January 2026).
  • Brazil's Law 15.211 became enforceable March 17, 2026. It bans self-declared age, requires auditable verification, and carries fines to R$50 million. France's National Assembly voted 130-21 for an under-15 ban (January 26, 2026); the Senate adopted a different version and the chambers had not reconciled as of June 2026.

Doc #34's use-case catalog lists the same drivers from the compliance side: KOSA, COPPA 2.0, the SCREEN Act, the GUARD Act, the state laws, the UK and EU mandates, and the standing alcohol, tobacco, and gambling regimes (Use Cases: Credentials (Doc #34)).

The systems built to comply keep failing

A regulator fined an age-verification provider for doing what the privacy critics predicted. Spain's data protection authority fined Yoti, a biometric identity and age-verification provider, €950,000 (resolution of March 10, 2026): €500,000 for processing biometric data as unique identification while calling it authentication, €250,000 for retention violations, including location data kept five years and identity documents from failed verifications kept up to two years and repurposed to train the company's fraud-detection software, and €200,000 for invalid consent. A document a user submitted to prove age became training data.

About 70,000 government IDs, collected for age appeals, leaked. In October 2025, attackers compromised a third-party customer-service vendor for Discord and took government-ID photos that users had submitted to appeal age determinations (Discord statement, October 3, 2025; NBC News, October 2025). Discord's support pages had told users that ID images were deleted after the age group was confirmed. The attackers claimed far larger numbers, which Discord disputed; the confirmed exposure is about 70,000 IDs.

An app's verification archive surfaced after it was supposed to be gone. The Tea app, which required selfies and photo IDs to verify that new members were women, exposed about 72,000 images in July 2025, including about 13,000 verification selfies and IDs from a batch the company had said was deleted (404 Media, July 25, 2025; Associated Press, July 2025).

The EU's own app stored ID images unencrypted. Days after the European Commission declared its age-verification app "technically ready" (April 2026), security researcher Paul Moore showed it stored facial images read from passport chips as unencrypted files on the device, wrote selfies to external storage without deleting them, and kept its rate limit in an editable counter (Cybernews, April 2026).

The FTC's own safe-harbor conditions read as a catalog of these failure modes: it shields age-verification data collection only where the operator avoids secondary use, deletes the data once its purpose is served, does not over-retain, and secures what it holds (February 25, 2026). The conditions describe the practices the record shows failing.

What demanding identity costs

Roblox rolled out mandatory age checks for chat worldwide in January 2026 and reported the result in its Q1 2026 shareholder letter (April 30, 2026): daily active users fell from 144 million to 132 million in one quarter, which the company attributed to "greater-than-expected headwinds from the age-check rollout," and it cut full-year bookings guidance by almost US$1 billion. By quarter's end, 51% of users had completed the check.

Users route around checks rather than submit to them. Proton VPN reported UK sign-ups surged more than 1,400% within minutes of the July 25, 2025 duty taking effect (Proton, July 2025), and VPN downloads surged in Australia within days of its ban (TechRadar, December 2025). The World Economic Forum, studying identity fraud, reached the same finding from the attacker side: "The introduction of new regulations, such as the UK's online safety rules enacted in July 2025, has already correlated with increased searches for bypass tools" (Cybercrime Atlas, January 2026). A UK parliamentary petition to repeal the Online Safety Act closed at 550,138 signatures; the government declined (petition record, October 2025). And the children the laws protect keep arriving anyway: the European Commission's preliminary finding against Meta states that around 10-12% of under-13s use Instagram or Facebook (April 29, 2026).

Some businesses exit instead of collecting IDs. Aylo, Pornhub's operator, blocked all Australian IP addresses rather than comply with Australia's age-check codes, stating that Australia was "following a similar approach to the UK, which all our evidence shows does not effectively protect minors, and instead creates harms relating to data privacy and exposure to illegal content on non-compliant platforms" (company statement, March 2026). Imgur blocked UK users (July 2025). Rockstar Games withdrew digital sales from its own Brazilian storefront rather than comply with Law 15.211 (March 2026).

The burden also lands on people with nothing to prove. When Apple shipped age verification to UK iPhones in iOS 26.4 (March 25, 2026), the accepted proofs were a credit card or a photo ID, and users without either, many of them older people in a country with no national ID card, were moved into a restricted mode (9to5Mac, AppleInsider, March 25, 2026).

The current methods cannot do the job they were given

Face-based age estimation guesses, and it guesses worst at the ages that matter. NIST's rolling evaluation of age-estimation software (NIST IR 8525, updated May 2026) puts the best mean absolute error at 3.1 years and states that accuracy "is strongly influenced by algorithm, sex, image quality, region-of-birth, age itself, and interactions between those factors. There is no uniformly superior algorithm." Near the thresholds the laws care about, the errors compound: "Challenge-25 false positive rates increase by an order-of-magnitude as subjects age from 14 through 20," with one algorithm's false-positive rate at age 20 (0.295) almost fifteen times its rate at age 14. Australia's government-commissioned Age Assurance Technology Trial reached a parallel verdict from deployment testing: age assurance can work, but "no age verification method was found to be foolproof" (preliminary findings, June 2025).

Document upload works by creating the database everyone fears. It answers the age question by storing the identity document, and the incidents above show what becomes of stored documents. Deletion promises failed at Discord and at Tea; retention limits failed at Yoti.

Credit cards and borrowed credentials prove possession, not age. The scientists' joint statement on age assurance, signed by 438 security and privacy researchers from 32 countries, lists the bypass routes: checks are circumvented "using VPNs, bought or borrowed credentials, or props or AI-based tools" (March 2, 2026). The same statement names the structural cost of pressing ahead anyway: age assurance "has great potential to increase inequality and discrimination in the digital sphere," and the signatories call for a moratorium until feasibility is established.

Regulators have started writing the missing requirement into their own texts. The Global Online Safety Regulators Network, convened by Ofcom with Australia's eSafety Commissioner and peers, calls for a "privacy-preserving international approach to age assurance" (January 22, 2026). Brazil's Law 15.211 demands auditable verification in one article and forbids mass or indiscriminate surveillance in another. The EU built its blueprint on selective disclosure so that a user proves an age band without revealing a birthdate. The regulatory demand is now explicit: verification and privacy at the same time. The deployed technology delivers one by sacrificing the other.

Who bears the cost

Platforms and sites under mandate. Build verification and shed users (Roblox: 12 million daily users and a US$1 billion guidance cut in one quarter), pay fines (£520,000 and £950,000 in the UK; up to A$49.5 million in Australia and R$50 million in Brazil), or leave the market (Aylo, Imgur, Rockstar). Every option is a line item, and the obligation now reaches app stores, operating systems, and AI chatbots.

Whoever holds the verification data. The age-check database is a breach target and a regulatory liability at the same time: GDPR enforcement on one side (the €950,000 fine), breach disclosure on the other (Discord, Tea), and the FTC's deletion conditions in between.

Adults asked to verify. Each age-gated service is another copy of their passport or face in someone's vendor chain, and the people without credit cards or photo ID lose access to lawful services without any finding against them.

Parents and children. The laws' intended beneficiaries get partial protection at best: around 10-12% of under-13s remain on the largest platforms (European Commission, April 2026), and the blocked ones migrate to VPNs and to non-compliant services with no protections at all, the harm Aylo's statement names.

Regulators. They enforce against geoblocks, VPNs, and offshore sites in sequence, and each round of circumvention invites a wider mandate: the UK's 2026 national consultation contemplates measures against children's VPN use (gov.uk, March 2026).

The deepest cost: lawful browsing becomes identity-linked

A person who proves age by document or face scan creates a record that links their legal identity to that service at that moment. Multiply by every age-gated service in every mandating jurisdiction and the result is an identity-linked browsing log, assembled as a side effect of child protection, held by whichever vendors won the verification contracts. The chilling lands hardest on lawful, sensitive use: the UK fine against a mental-health forum means that the adults who need such a forum must now identify themselves to reach one. The 438 scientists state the endpoint: mandates risk "establishing an infrastructure that could be exploited to ban access to Internet services for reasons unrelated to safety" (March 2, 2026). The question regulators keep asking, in the GOSRN principles, in Brazil's anti-surveillance article, in the EU's selective-disclosure design, is whether a yes-or-no question can be answered without an identity changing hands.

What an adequate solution requires

The evidence defines the requirement set:

  1. A one-bit answer. The service learns over-or-under for the threshold it names, and nothing else: no birthdate, no name, no document image. Selective disclosure is already the EU blueprint's design goal; the requirement is meeting it in deployed systems.
  2. No identity data at the service or its vendors. Stored verification data was retained past its purpose, breached, and repurposed as training data within a single year of the mandates arriving. The data must never arrive, because the record shows deletion promises do not hold.
  3. Accuracy anchored to an authoritative document. Face estimation carries multi-year error that concentrates at the threshold ages (NIST IR 8525). A government-issued document, validated once, answers the question the statutes ask without a per-visit guess.
  4. Proof bound to one person. Borrowed accounts, bought credentials, and shared credit cards defeat checks (scientists' joint statement, March 2026). The proof must require its holder to be present.
  5. No record of who verified where. No party, including the verification provider, should be able to assemble the identity-linked browsing log. This is the surveillance cost, and it must be removed by architecture rather than by policy promise.
  6. Auditable compliance without user surveillance. The deployer needs evidence that satisfies an auditor, the duty Brazil's law makes explicit, and the evidence must not be a database of visitors.
  7. Friction low enough that users finish. A single quarter of measurable user loss is the current price of demanding documents (Roblox, April 2026). A check that users abandon protects no one.
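
An added example, not not.bot's code or protocol: a relying-party check that accepts only a signed one-bit age claim and keeps an audit trail with no visitor data (requirements 1, 2 and 6). The claim format, the `issue` helper and the `AgeGate` class are hypothetical, and HMAC stands in for the issuer's public-key signature so the block runs on the standard library alone; holder binding and unlinkability (requirements 4 and 5) are outside what it shows.

```python
import hashlib, hmac, json, secrets, time

ISSUER_KEY = secrets.token_bytes(32)  # constructed demo key; HMAC is a stand-in
ALLOWED_FIELDS = {"threshold", "over", "aud", "nonce", "exp"}

def issue(threshold, over, aud, nonce, ttl=120, extra=None):
    """Issuer/wallet side (hypothetical): sign a claim that carries no identity."""
    claim = {"threshold": threshold, "over": over, "aud": aud,
             "nonce": nonce, "exp": int(time.time()) + ttl, **(extra or {})}
    body = json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()
    return body, hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()

class AgeGate:
    """Relying-party side: learns one bit per check and stores no visitor data."""
    def __init__(self, aud, threshold):
        self.aud, self.threshold = aud, threshold
        self.pending = set()  # challenges issued and not yet answered
        self.audit = []       # auditor evidence: time, threshold, outcome only

    def challenge(self):
        nonce = secrets.token_urlsafe(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, body, tag):
        result = self._check(body, tag)
        self.audit.append({"ts": int(time.time()),
                           "threshold": self.threshold, "result": result})
        return result

    def _check(self, body, tag):
        expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad_signature"
        claim = json.loads(body)
        if not isinstance(claim, dict) or set(claim) != ALLOWED_FIELDS:
            return "unexpected_fields"  # refuse names, birthdates, images
        if claim["aud"] != self.aud or claim["threshold"] != self.threshold:
            return "wrong_audience_or_threshold"
        if claim["nonce"] not in self.pending:
            return "unknown_or_replayed_nonce"
        self.pending.discard(claim["nonce"])  # each challenge is single use
        if claim["exp"] < time.time():
            return "expired"
        return "over" if claim["over"] is True else "under"
```

Rejecting any claim whose field set differs from the allowlist is what keeps a birthdate or document reference from ever being parsed, logged or stored at the service.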

Human Verification and not.bot Verify (Doc #3) describes how not.bot meets these requirements: age claims derived from the user's passport at enrollment, presented to a website as a signed yes-or-no answer, gated by biometric authentication on the user's phone, with no identity data reaching the site, no central record of the check, and verification software the business runs inside its own infrastructure.