Want to Google your symptoms, join an ICE watch group on Facebook or scroll Reddit? You might need to show ID. Age verification is coming to platforms near you. Worse, it’ll come at the expense of your rights.
More than 25 states, and multiple countries, have enacted laws requiring mixed-audience websites to verify users’ ages to prevent access by children. Some of these laws target adult content providers explicitly while others apply these requirements to a wide array of websites, from Google search to Coursera to the New York Times.
Simultaneously, social media bans for kids proposed around the world, ranging from Canada to India, and enacted in other countries like Australia, require platforms to verify all users’ ages so they can restrict access to minors.
As has been written on this in the Guardian before, age verification fundamentally expands data collected on all users. And although pitched as a common-sense policy to protect children online, it erodes safety for all users. Age verification will require users to hand over data before being granted access to online spaces.
Some platforms may require government ID to prove age while others may collect and process other sensitive data believed to be a proxy for age, such as face scans or search queries. Either way, users will have to provide more information about themselves to access the web, jeopardizing their anonymity online.
Though age verification providers and platforms they work with promise that this information is collected with the sole intent of assigning age and nothing more, recent data breaches have already shown how easily this data can be inappropriately accessed and used. Numerous age verification providers have faced data breaches because of how lucrative this data is.
Due to a data breach, one journalist was able to link a user’s post on an anonymous discussion board to their driver’s license in 10 minutes. And it is only a matter of time before governments begin requesting users’ identifying age-related data from platforms as it is already doing with other forms of data in an attempt to target critics.
Anonymity is critical online. Global movements to topple authoritarian regimes, journalists communicating with corporate and government whistleblowers, and people seeking reproductive care all depend on the anonymous access and exchange of information.
Requirements to hand over more data to access the web will no doubt have a chilling effect on many users. Sometimes anonymity is to reduce stigma, to shield a user’s search related to their sexual preferences or healthcare conditions from the watchful gaze of a platform and the data brokers who gain access to private data. But more often, anonymity is critical to guard users from retaliation for their views or online affiliations.
People seeking information about abortion in regions where that right is constrained or scrutinized will think twice before sharing their own experience should they have to do so after providing ID at the expense of countless others who could benefit from it. LGBTQIA+ individuals seeking community, as many do online out of fear of persecution offline, will go further underground and have fewer spaces to congregate online should they have to show their faces or identify themselves before logging on.
Satirists and artists will choose between documenting political realities and focusing on less controversial subjects out of fear of retaliation. Immigrant communities, and those trying to protect them, need anonymous online spaces to exchange immigration-related information. This is especially critical as communities fear going outside in the US in the aftermath of widespread ICE operations that have led to indiscriminate arrests, detentions and killings. And all of us in between will second-guess posting our thoughts about powerful actors online.
This is not the time to hand over more data about ourselves to tech actors. The largest tech companies, ones with enormous coffers to thwart fines and legal action, have already shown their tendency to comply with overbroad and opaque government requests.
Google reportedly shared data on a user who sent an email advocating for an asylum seeker when DHS asked, leading to a knock on the user’s door. And, despite Meta being a leading proponent of encryption, the platform announced that it would stop end-to-end encryption for Instagram DMs now potentially enabling the platform to scan and share users’ messages with law enforcement if asked. Users say they’ve lost trust in the largest tech companies.
Without comprehensive privacy protections in the US binding mostly US-based tech companies to strong data minimization requirements, platforms can and will continue to enrich already robust user profiles with more data on who we are and what we do online. Once identity checks to access websites become normalized, any site can request that personal data and sell it, with little to no ability for users to meaningfully opt out or rectify the situation.
What’s more, platforms have been unreliable brokers of our personal data, especially minors’ data, often selling it to the highest bidder for profit. If platforms must conduct age verification under the guise of protecting children, they must do so with the highest protections in place lest we say goodbye to our anonymity online.
Some of these protections include guarding against the potential linking of a user’s identity with their online activity, limiting the collection and storage of sensitive data, and relying solely on independently audited and certified providers. Without these protections, we risk creating the “paper’s, please!” web that requires government documents to merely browze online. And that would be unsafe for everyone, including our children.