Online chat service Discord has announced it will begin testing age verification for some users, joining a growing list of platforms trying to work out who is actually behind the screen.
The move comes as governments around the world push for stronger protections of young people online. The United Kingdom and France have imposed age verification for visitors of adult content pages. Australia now mandates that social media platforms ensure their account holders are older than 16.
Many people feel immediately uneasy about online age or ID checks. Will the log-in process become more time consuming? Will proving how old we are mean giving up anonymity and force us to hand over sensitive documents to private tech firms?
Will mandatory age verification impact our ability to browse, speak and participate online, making us “transparent citizens” tracked by corporations or the government?
These concerns are not unfounded. In fact, research points to even more risks. Sharing identity-related data makes breaches or identity theft more likely. Age verification systems could be abused for surveillance or lead to discrimination, especially for marginalised groups.
However, our research shows it is possible to provide truly anonymous, safe age checks online.
Not all age assurance works the same
Age assurance is the umbrella term for all kinds of methods that can help determine someone’s age online. This includes age verification – proving the user’s age, often with an official ID.
How age assurance is put into practice differs vastly across jurisdictions and platforms. The Australian government demands firms must take “reasonable steps” to prevent kids from making social media accounts, but the age assurance methods can vary.
The government of France provides more guidance, but still leaves implementation of age proofs to third parties. The European Union is actively preparing a reference implementation for an age verification solution, albeit it has not put age restriction policies in place yet.
To keep things simple, platforms are increasingly turning to facial age estimation. Users are asked to scan their face so an algorithm can guess how old they are.
At first, this may sound less intrusive than showing a government-issued ID. In practice, it often requires handing over highly sensitive biometric data to private companies. Unlike a password, your face can’t be changed if the data is stolen. Such age estimation is also prone to errors.
There is a plethora of alternative age assurance tech. These include user behaviour analysis, payment-based verification, document scans (such as government-issued IDs), video-based verification services involving these documents, and electronic attestations – such as the electronic passports familiar from border control at airports.
There’s no need to share sensitive data
One highly secure approach allows users to prove a single fact – such as being over 18 – not only with high certainty, but without revealing their name, address, or even date of birth. It’s based on cryptographic digital attestations.
For example, the German eID exchanges data directly between a microprocessor in a person’s plastic “eID card” and the platform. The microprocessor proves it belongs to a government-issued eID via a cryptographic key, which is shared with 9,999 other eIDs. This means the only thing a platform learns is that one of 10,000 potential people signed up.
When the service sends the current date and minimum age required to the eID, the microprocessor uses the date of birth, computes the current age and simply responds whether the user is old enough.
The EU digital identity and Google wallets are working on a slightly different approach. It doesn’t rely on special microprocessors built into physical cards, but on hardware components common in mobile phones.
This makes the approach more broadly applicable. These solutions involve highly advanced cryptography that communicates to the platform that a person possesses a digital document proving they’re older than 18, but without revealing any further details.
As you can see, age verification systems can be designed with unlinkability at their core. That means neither the government nor the platform can track a user’s activities despite being able to accurately verify their age.
The real issue isn’t age verification – it’s who runs it
If any government is serious about age assurance, the technical design will matter more than the policy itself.
Privacy-friendly age verification is complex and expensive. It will require governments to invest in the technical details, ensuring the age verification is robust while meeting privacy expectations.
And the software code will need to be open-access to allow for peer review. Transparency is the strongest safeguard against false promises made by the government or hidden attacks by cyber criminals trying to steal the data.
Government involvement must also convincingly resist looming threats of “function creep”, where the scope of data capture through an age verification infrastructure can quickly be changed through political decisions. There is no technical safeguard against such abuse – and governments need to earn their citizens’ trust in future legislation.
Indeed, the stakes are high: a single data breach can easily destroy public trust. If citizens don’t trust the age verification tool, they may just circumvent age controls altogether, as has happened in France.
The bigger picture
The internet is entering a new phase. For years, platforms avoided knowing the age of their users. That appears no longer politically or socially sustainable.
The real choice is not between safety and privacy. It is between two very different technical paths. One path normalises biometric (face, fingerprint and similar) checks, expanding the amount of sensitive data handed to private companies.
The alternative uses advanced cryptographic solutions that confirm age while protecting anonymity.
Age verification does not have to end anonymous participation online. Done properly, it could be the technology that protects it.
