Mandatory age verification could backfire, warn 400+ privacy researchers
Mandatory online age verification has become a hot topic in recent years. Several legislative initiatives in the UK, Australia, and other countries aim to require online platforms to verify users’ ages before granting access to certain content or services.
Unsurprisingly, these proposals have sparked strong criticism from the public, privacy advocates, and digital rights organizations. But recently, the debate gained a new voice: more than 400 security and privacy scientists from around the world signed an open letter outlining the risks of mandatory age-verification systems. In the letter, the researchers summarize many of the concerns that technologists, civil society groups, and privacy-focused companies — including AdGuard — have been raising for years.
The number of signatories alone would be enough to draw attention to the letter. But then you take into account that these are the same experts in cybersecurity, privacy engineering, cryptography, and online safety who helped design the technologies now being proposed for age verification — and their statement gains even more weight.
What the open letter warns about
The signatories address their letter to regulators and policymakers — those who are directly responsible for new legislation around age verification. And at the core of these laws often lies the concern about the negative effects that exposure to harmful content online has on children. To better understand the point of this letter, it is important to note that the privacy experts are not opposed to age verification in principle. Age checks have existed for decades in the offline world — for example, when showing an ID at a store or venue. In those cases, verification typically happens locally and temporarily, without leaving permanent digital records.
Online age verification, however, is fundamentally different. Implementing it at scale requires building a complex digital infrastructure capable of verifying millions of users across countless online services. According to the researchers, this infrastructure introduces serious privacy, security, and effectiveness risks that lawmakers often overlook.
Easy to bypass
One of the central points of the letter is that digital age verification is surprisingly easy to circumvent. Children already use a variety of methods to bypass online restrictions, and age verification systems would likely face the same problem. It can be as trivial as purchasing verified accounts or credentials from online marketplaces, or using a VPN service and connecting to a server located in a jurisdiction without age-verification requirements. But there are also other, more inventive ways, such as using AI tools or deepfake technology to trick biometric verification systems — something that has already been demonstrated in practice.
In other words, determined users will likely find ways around these controls — especially once bypass tools become widely available. And there is little doubt they will, because where there is demand, there will always be people willing to capitalize on it. Meanwhile, ordinary users who simply want to access legitimate online services may be forced to repeatedly verify their identity.
More data collection, less privacy
The researchers also warn that age verification systems inevitably require users to share more personal information online. Depending on how these systems are implemented, users may have to provide government identification documents, biometric data (such as facial scans), phone numbers, or payment credentials. Even when systems claim to verify age without storing personal data, they still rely on processing highly sensitive information.
At scale, this creates new risks: databases containing identity documents or biometric data become attractive targets for hackers, data brokers, or government surveillance. Even if you rule out ill intent, data leaks happen, due to human error or system flaws. And the more platforms require you to confirm your identity, the more sensitive data you upload, the higher are the chances it will end up in the wrong hands one way or another. You don’t need to go far to find examples of users’ data being mishandled: in October 2025, Discord suffered an attack that resulted in the leak of age verification IDs of estimated 70,000 users. And this is not some isolated case. In another example of major data breach, drivers’ licenses, selfies, and other sensitive information which may at one point had been used for verification purposes, were leaked by The Tea app. It is unclear how many records have been leaked exactly, but the app boasts over 6.2 million users.
Security risks and unintended consequences
The researchers argue that mandatory age verification could reduce overall online safety, too. If large platforms begin enforcing strict verification requirements, some users may turn to alternative or unregulated services that do not require identity checks. These platforms may offer fewer safety protections and may be more likely to host scams, malware, or illegal content. When 18 US states adopted laws requiring websites that display sexually oriented content to essentially check IDs of all visitors, the affected users simply switched to other adult platforms that were non-compliant with these laws.
Age verification can also create new opportunities for fraud. For example, scammers may impersonate verification providers and trick users into submitting identification documents or biometric data. In this way, a system intended to make the internet safer could unintentionally create new attack surfaces for cybercrime.
Barriers for legitimate users
Another issue highlighted in the letter is that age verification systems often assume that users have access to certain technologies or documents. In reality, this is not always the case. There are entire groups of people who, despite being over the required age threshold, will not be able to prove it to the system. Some adults may not possess government-issued IDs suitable for digital verification — immigrants, asylum seekers, visitors from countries whose identification systems are not integrated with the verification infrastructure. Others — particularly older users — may struggle with complex verification processes or lack the necessary digital skills. And many people simply do not own smartphones capable of running verification apps. Introducing age verification systems will inevitably exclude some legitimate users from online services.
Not a guaranteed solution
There are many more arguments that support the researchers’ claim — the open letter is six pages long. But perhaps the most important point raised in it, which emerges from the individual concerns, is that age verification does not guarantee the protection policymakers hope for. Children may still bypass restrictions, while adults may find themselves repeatedly verifying their identity across multiple platforms — or failing verification altogether for various reasons. At the same time, the technologies used for age estimation — such as facial analysis — can be unreliable, invasive, harmful to privacy, and can be exploited by bad actors. They may facilitate collecting significant amounts of personal data about users, including minors.
Without extensive and thorough prior research, the letter’s signatories warn, there is no guarantee that the benefits will outweigh the harms. Poorly designed age-verification systems could create a situation where users lose privacy and security without actually improving child protection.
However, the authors of the letter are not calling for abandoning efforts to protect minors online. Instead, they urge policymakers to carefully study the technical risks and limitations of large-scale age verification before mandating it through legislation. Without this work, they warn, governments may end up deploying systems that are ineffective, easy to bypass, and harmful to both privacy and online safety.
Will this letter actually change anything?
Open letters from experts are a common tool in tech policy debates. They act as signals of expert consensus, making it harder for policymakers to ignore concerns from the technical community. That said, they rarely stop legislation outright. The UK’s Online Safety Act, for example, faced extensive criticism from experts, but ultimately still passed. The same can be said for many other initiatives where technical communities raised serious concerns, only to see policymakers move forward regardless. But that doesn’t mean these efforts are pointless — they can influence how policies are implemented and shape future debates.
In the case of mandatory age verification, we’re likely to see the same pattern. Laws in places like the UK and Australia are already in full swing, and it’s unlikely that the arguments in this open letter will lead to their repeal or completely prevent similar ones from being adopted in other countries. Where it can make a difference is in how these systems are implemented. The researchers have clearly outlined the risks, from privacy violations to security vulnerabilities and ease of circumvention, which lawmakers and companies who bring these policies to life will have to justify now. The letter also strengthens the position of those pushing for less intrusive approaches. If age verification becomes inevitable, the conversation may shift toward how to minimize harm, rather than whether to introduce it at all.
There are also more longer-term effects to consider. If the age-verification systems fail to deliver on their promises or create new risks, this letter will likely be one of the first places critics point to. Its true impact may become apparent only well into the future, when it will be used to question or challenge the new laws after they begin to show their real-world consequences.
Our stance on age verification: Privacy first
At AdGuard, we fully support the privacy experts and researchers who raised concerns in the open letter. While it may not lead to the revision of age verification laws in the UK and Australia or directly stop them from going into effect in other countries, it’s still important that the privacy community’s voice is heard. Even if lawmakers don’t always listen, getting these risks into the public conversation is crucial.
For us, the privacy of our users is always the top priority. We want our readers to understand the privacy risks they’re facing and, where possible, give them the tools to stay safe. If mandatory age verification becomes the new reality, we want you to be prepared. While we can’t add much to the arguments already presented in the open letter, we want to reiterate what we see as the biggest concern: the risk of your private data falling into the wrong hands.
The more personal data you’re asked to share — IDs, face scans, payment info — the higher the chance that something could go wrong. Data breaches happen all the time, and the more you upload, the more vulnerable you become. Whether it’s a company getting hacked, a scammer getting ahold of your details, or just poor handling of your information, the risks grow with each new piece of sensitive data you give out.
So, what can you do? Always think twice before you give out any data. Ask yourself: do you really need to go through this age verification? Are there alternatives to this website or service that don’t require it? Or maybe you can access the service you need without handing over so much personal information? But if you decide to look for alternatives, be cautious. Scammers love exploiting people looking for ways around these systems. Only use trusted tools and make sure they’re from reputable developers and well-reviewed by the community. In short, always do your research.
One solution to avoid age verification laws — if they’re local — is to use a VPN. By connecting to a server in a region where age verification isn’t required, you can bypass these checks. And of course, VPNs don’t just help with age verification, they also protect your privacy in general. Whether it’s hiding your location, protecting your data from tracking, or encrypting your traffic, VPNs are an essential tool for online privacy in today’s increasingly crazy world. As age verification becomes more and more common, VPNs remain one of the easier and more reliable ways to keep your data safe and ensure you maintain control over your online experience.
