Age Verification Architecture

A new update to the Internet Draft on age verification architecture, incorporating reviewer feedback alongside a broader literature review.

Age Verification Architecture
Photo by Andrew Lancaster / Unsplash

By Mallory Knodel

My co-authors and I have published an updated version of the Internet Draft on age verification architecture, incorporating reviewer feedback alongside a broader literature review.

The most significant change is structural: the "Analysis of age gating methods" section is now organized around two explicit analytical dimensions: efficacy and privacy, and every method subsection now has its own privacy analysis.

The methods are still grouped into four categories, but these are now organized by trust anchor (who or what stands behind the age claim) rather than by technique. The draft also treats accuracy as a trade-off between false accepts and false rejects instead of a single score, and adds availability (how many people can actually use a method) as its own factor.

Background

Our goal is to describe the technical difficulties in any age-gating mechanism such that it is effective and does not introduce security and privacy risks as well as contravene human rights. We also hope to show that age verification mechanisms are wholly technical solutions that are separate from, albeit often motivated by, the means of protecting young people online.

Prior focus on child safety has led to robust trust and safety measures taken by large user platforms whereby content and behavior moderation became industry standard. Its phases: Define, detect, evaluate, enforce, appeal, educate. This cycle ensures that criminal and unlawful content is taken down. Platforms and services with user generated content can also use this cycle to ensure content or behavior that violates platform terms of service.

In parallel, network operators have for many years implemented forms of age-based access control that rely on content categorization or DNS-level filtering rather than on the collection of personal data. In several jurisdictions, ISPs are required to offer or enforce filtering systems that restrict access to adult or otherwise unsuitable content for minors. These systems typically work by classifying destination domains or content types into broad categories—such as adult, gambling, or violence—and allowing or blocking them according to the subscriber’s or guardian’s chosen policy. Because they do not require identity documents or individual profiling, such network-assisted methods can provide a baseline of child protection with substantially lower privacy risk. These approaches cannot replace service-level moderation or legal accountability, nor should they be standalone solutions outside of parental controls or family management settings.

Relatively new are proposals to protect children via age gate. Age gating in the analog world is typically enforced at the point of action, sale or entry through hard document checks at liquor stores, as one example. Replicating age gating in the online world has encountered consistent tensions between accuracy and privacy, often reducing the problem to one of feasibility. Often, online age verification has taken the form of requiring websites to show a prompt to the user to self-declare their age or birthdate before they can gain access to content or services. Similar to the aims of this document, advocacy groups have since evaluated deployed age-assurance systems against accuracy, availability, and circumvention. Other existing frameworks cut this differently—for example, by categorizing methods as declaration, inference, estimation, or verification, or as identity-document verification, age estimation, and self-declaration—and arrive at a similar conclusion that no single method or category fits every context. Standards bodies and civil-society organizations have likewise proposed frameworks for reasoning about these systems, including a formal ISO framework for age assurance systems and a risk-tiered approach to when high-assurance methods are warranted at all.

Some services, websites, or apps require uploading hard documents to verify identity, just as some services, websites or apps require payment with a credit card. These often create an illusion for policy makers that users could be required by any service to require sharing of the same hard documents or credit card details in order to verify age at scale, both for all users and for a wide variety of platforms and services. However any such system is expensive, difficult to scale, and introduces data protection liability and privacy risks to users— including potential data breaches or the exclusion of users who do not possess traditional identity documents but who would otherwise be lawful users. Hard document identity review in the context of general-use platforms like social media unnecessarily scales the risk of privacy, access, and equity harms from requisite age gating for all users on all apps all the time. These are not hypothetical harms: journalists, LGBTQIA+ people, and others relying on anonymity have already had identifying documents linked back to their online activity through breaches of age-verification providers.

Many age verification methods conflict with data-protection frameworks and data minimization principles and pose serious safety, data security, and privacy risks. As such risks will be present in nearly all alternative methods of age verification, an overview of this category of risk will be of some benefit, while we leave method-specific commentary to the security, privacy and human rights considerations sections. Requiring all users on all platforms to submit verifiable credentials can create large, sensitive data troves in centralized intermediaries that are vulnerable to breaches, fraud, or misuse. Once compromised, this information is difficult—if not impossible—to secure again. Compounding these concerns, precise location—required to determine compliance with jurisdiction-specific laws—is implicitly inferred in all methods, adding another layer of sensitive data to the name and age information being collected, processed, and stored.

From an operational and architectural perspective, centralizing or repeatedly exchanging such verification data may also create systemic risks to resilience, security, and interoperability. Large-scale credential exchanges or cross-border look-ups introduce new attack surfaces and potential points of failure within authentication or content-delivery paths.

Analysis & Enforcement

Having set out why age gating online can be fraught, the draft analyses the options. Age credentials issued by the State provide "ground truth" but disclose more data about the user than is specific to the mandate to verify age. Age verification by guardians, governments, services, or third parties improves confidence but creates substantial security and privacy concerns and concentrates power in a few actors. Age assurance methods such as self-attestation cost almost nothing in exposure or retention but are correspondingly weak on accuracy. Age estimation from behavioral or biometric signals avoids documents entirely but is notoriously unreliable near threshold ages, and unlike a breached password or token, a breached biometric cannot be reissued. A final category covers market and content-based solutions, such as advertising prohibitions and network-assisted filtering, that address risk without compelling platforms to surveil or profile users.

The draft then turns to enforcement: once age has been determined to a satisfactory degree, content or a service must be made accessible or not, whether at the service, device, or network layer. Enforcement is not a one-time determination: long-standing users predate any age check, users "aging up" need to retake full control of their accounts, and the very definition of adult content is not universal across jurisdictions. A summary table maps platform types to proportionate assurance levels and enforcement layers, showing that age-assurance mechanisms cannot be applied uniformly across the Internet.

The thread running through all of it: there is no one solution and never will be, and all solutions are imperfect. The concluding recommendations pick up exactly there, arguing for a layered, proportionate approach across service, device, and network that reduces dependence on any single trust anchor.

Concluding recommendations

  • Reducing harm to children on the internet requires an incremental, all-hands approach and cannot be solved by age verification alone. A holistic approach would embrace privacy by design and data minimization principles that protect children as well as adults from platform overreach.
  • If lawmakers are in a position to outlaw internet services for users of ages under 18 years old, they are in a position to define new credentialing systems that are fit for purpose rather than rely on hard documentation meant for operating automobiles, crossing national borders or social services entitlements.
  • Introducing additional age-based signup requirements would risk harm to user privacy and free expression for all users of the web, not just to children, but especially to children.
  • To date, jurisdictions around the world are considering various potential age-gating alternatives to mitigate potential safety risks to children without negatively impacting all social media users and without unduly compromising user privacy have reported evidence that advanced technical approaches to verify and assure age are currently infeasible or have significant downsides as compared to status quo approaches of self-reporting.
  • Any mandate of age verification effectively regulates all users, rather than companies, to clear a compliance bar in which they must verify their age to the service to use an app. This approach does not address the central thrust of the problem statement, which seems to be that social media companies build platforms that are inclusive to children. Age assurance also regulates all users but has a lower bar and reduced friction for compliance making it a more inclusive choice overall.
  • Content moderation of user generated content by platforms and services continues to be an established and effective way to ensure unlawful and disallowed content and behavior is detected or reported and actioned with proper recourse and remedy mechanisms in the case of overreach.
  • A more resilient approach may rely on a plurality of mechanisms operating at different layers of the Internet architecture—service, device, and network—each limited in scope and aligned with privacy-by-design principles. In this model, no single actor holds or processes all user information; rather, complementary methods (for example, self-attestation, trusted-service assurance, or privacy-preserving network-assisted filtering) can contribute to age-appropriate access control according to local regulation and user choice. Such diversity of methods can improve overall robustness and inclusiveness while reducing dependence on any single trust anchor. Contradicting data-protection principles like minimization means that if widely implemented without such safeguards, age-verification systems could still result in mass data collection on both adults and children, with far-reaching implications for user privacy and safety. Any deployment should be proportional and narrowly tailored to the specific harm it targets, rather than a blanket requirement applied uniformly regardless of risk.
  • Age gating naturally puts a barrier to entry on a given site, and publishers who have spent significant effort optimising their sites for ease of use are now being asked to pay a third party to turn away a share of their customers—both legitimate and otherwise. The economic argument for a publisher to simply ignore the law is strong, particularly where a law is enacted in a jurisdiction where that publisher has no legal entity. In the often-cited example of pornography, this dynamic is likely to produce many more non-compliant sites than compliant ones, and non-compliant sites are likely to be non-compliant in other ways too—for example, failing to age-gate their own content creators.

Read the full draft and tell us what you think. The document is at datatracker.ietf.org/doc/draft-knodel-age-arch, and issues, comments, and PRs are all welcome on GitHub.


IETF 126 is coming to Vienna, Austria

The 126th meeting of the Internet Engineering Task Force, IETF 126, starts Saturday July 18 and runs through Friday afternoon, July 24 at the Hilton Vienna Park, with the hackathon and code sprint on the weekend and working group sessions running Monday through Friday. If it's your first time attending in person, newcomer events start Sunday afternoon.

Not to be missed sessions:

  • Human Rights Protocol Considerations, co-chaired by IX's Mallory Knodel, Monday 11:30
  • Authenticated Transfer (atp), standardizing AT Protocol, Thursday 16:30
  • Privacy Enhancements and Assessments Research Group (pearg), Tuesday 16:30
  • AI Preferences (aipref), a new working group on machine-readable AI training preferences, Friday 14:00

Want to appear here? Sponsor a newsletter.

Support the Internet Exchange

If you find our emails useful, consider becoming a paid subscriber! You'll get access to our members-only Signal community where we share ideas, discuss upcoming topics, and exchange links. Paid subscribers can also leave comments on posts and enjoy a warm, fuzzy feeling.

Not ready for a long-term commitment? You can always leave us a tip.

Become A Paid Subscriber

Age Assurance & Social Media Bans 

🚨
Stop press! Do you enjoy our links? The rest of this week's links available to paid subscribers only. Become a paid subscriber today.