Hidden loopholes and privacy risks loom over online age check laws

A girl during online school while her parents work from home and take care of a toddler amid surging COVID-19 cases caused by the coronavirus Omicron variant, in Hamilton, Ontario, Canada January 7, 2022. REUTERS/Carlos Osorio

What’s the context?

Louisiana joins Europe and the UK in passing age verification laws to boost minors' online safety, but experts warn of the dangers

  • From Louisiana to UK, lawmakers back age verification
  • Governments say measures needed to protect children
  • Rights groups sound alarm over privacy, security risks

LONDON - As the New Year dawned in Louisiana, the U.S. state's 4.5 million residents woke to a new rule that restricts their access to the internet - a measure aimed at stopping children from viewing pornography online.

Act 440, which requires residents to submit a digital driver's licence for third-party age verification before they can access adult websites, is among a clutch of new laws in the United States, Europe and Britain seeking to protect children on the internet.

"Young people are very, very vulnerable online, and we really don't think the online platforms do enough," said Lisa Hallgarten, head of policy and public affairs at Britain's Brook Health Centre, which advocates for children's online safety.

Campaigners hope the advent of laws requiring age verification to access certain online content or particular websites could mark a turning point.

The EU's Digital Services Act and Britain's Online Safety Bill require age verification - a way of changing a user's internet experience according to their age - in order to stop targeted advertising for young people and block their access to adult and other content deemed harmful to minors.

At the same time, some large tech companies have introduced age verification measures, partly to ensure young children cannot open social media accounts.

While children's safety campaigners broadly welcome such laws and safeguards, data experts warn that age verification and other forms of identity checking threaten the privacy of internet users of all ages through data gathering, storage or possible leaks.

"As this becomes standard - social compliance essentially - with more sites requesting ID validation, it normalises the behaviour and consequently increases the risk of this information getting into the wrong hands," said James Walker, chief executive of UK-based consumer data action service Rightly.

Friends, face scans and phishing

Age verification methods are not new. In the 1990s, the U.S. Communications Decency Act restricted online pornography and gambling websites by requiring users to submit credit card information as a way to stop under-18s from accessing them.

As internet use increased and concern grew about phishing attacks targeting credit card users, companies tried to find less risky ways of detecting users' ages.

Some adopted trust-based systems, such as a button confirming that a user is over 18 - a mainstay of pornography websites - but such controls have been criticised for being too easy to evade.

Last year, Meta's Instagram platform rolled out social vouching, whereby three mutual followers confirm how old another user is.

The company also uses artificial intelligence (AI) to estimate a user's age from their posts, interactions with other accounts, and certain types of content.

Digital rights experts say that method highlights just how much data tech firms can access.

"Social media sites already collect vast troves of deeply personal data. They should not be encouraged or compelled to collect even more through digital identity checks," Mark Johnson, advocacy manager at the Big Brother Watch rights group, told Context.

Meta also uses Yoti, a tool that scans video selfies to estimate a user's age. It says the data is deleted as soon as the verification check is completed.

But accessing users' cameras is inherently invasive, according to the French National Commission on Informatics and Liberty (CNIL).

The CNIL noted last year that face scans, especially if required for pornographic websites, may be used for blackmail, and has condemned all current forms of age verification.

Measuring reliability, data privacy, and whether the systems worked across all ages, the group found that there is "currently no solution that satisfactorily meets these three requirements (and) all the solutions proposed can easily be circumvented".

Data breaches

The success of online age verification is heavily constrained by the way the internet has been built, primarily through closed digital worlds of numerous, private-user accounts which pose a significant risk to user rights, experts say.

"Consumers hand over their email addresses to companies they don't know, click on emails from organisations they aren't familiar with, or sign up to competition sites without thinking of the consequences of sharing data," said Walker at Rightly.

"Gathering personal information for age verification does run an inherent risk because the only person who can take back control of your data is you," he added.

Young people's data has already fallen into the wrong hands in an attempt to provide age verification measures.

In November, a database of 28 million children's learning records was used by gambling websites to help develop age verification checks. The British government was later criticised by the regulator for its handling of the data in question.

The database included a child's full name, date of birth, and gender, with optional fields for email address and nationality.

"No one needs persuading that a database of pupils' learning records being used to help gambling companies is unacceptable," John Edwards, the head of Britain's Information Commissioner's Office, a data protection watchdog, said at the time.

In Louisiana, critics say Act 440 is unlikely to achieve its goal of keeping children from seeing adult content, not least because the age checks can be easily bypassed by using mobile data or a Virtual Private Network that can route internet traffic from elsewhere.

"I imagine that there are going to be some other states that say this isn't a bad idea, though I don't think it's going to be very effective," said Ken Levy, a professor of Law at Louisiana State University.

Without a coordinated, global approach to keeping the internet safe, experts say there is only so much that lawmakers can do at a local or national level.

"They're legislators, using the only tools they have in their toolkit," Levy said.

This article was updated on Wednesday, 18 January 2022 16:09 GMT to correct the description of Yoti in paragraph 17.

(Reporting by Adam Smith; Editing by Helen Popper)

Context is powered by the Thomson Reuters Foundation Newsroom.
