DIGITAL LIFE

Online age checks create a pointless privacy risk

New cybersecurity research indicates that one of the world's leading age verification providers collects and shares highly sensitive personal data—including facial photos and device fingerprints—with third parties. The research also reveals that most websites that require age verification don't enforce the policy.

Age verification is now required by many digital platforms worldwide, but most systems create new risks for user data and privacy. This article explores why document-based age verification exposes everyone to greater risk—and how privacy-prioritizing technology, like World ID, offers a safer path for consumers and platforms.

Earlier this month, a teenage girl tried to log into a popular social platform. The site asked for her driver's license, a selfie, and patience while they verified her age. Three days later, hackers stole her data along with 69,999 others.

Welcome to the age verification paradox: systems designed to protect minors end up exposing everyone.

Age barriers started simple—just click a box confirming you're 18. Common methods now require submitting actual identification documents, which is privacy-invasive. Why would you need to provide your driver's license to an online platform to watch a movie trailer?

Today, mainstream gaming platforms, social media networks, and adult websites have, or are considering, methods that result in the creation of databases of government identity documents and other personal data.

The challenging regulatory landscape...Regulators around the world are implementing rules aimed at keeping minors safe, but most of the available techniques that can scale have notable drawbacks. The current landscape includes:

Self-reported age: Easy to lie about, offers no real protection

Document upload: Presents enormous risks of data breach and exposure to identity theft

Age inference from selfies: Requires central storage of biometric data, often with human reviewers verifying the photos

Credit card authorization: Excludes young adults with no credit history and creates trails of financial data

CPF verification: Links online activity to government records, creating surveillance concerns and may not be available to those under 18

Each method trades one problem for another. Protecting minors should not mean jeopardizing everyone's data security.

The findings come from a new study, "Papers Please: A First Look at Age Verification on the Web," that researchers from the Georgia Institute of Technology and the University of California, Irvine (UC Irvine) presented on May 20 at the IEEE Symposium on Security and Privacy (SP 2026) conference in San Francisco.

The research team examined Yoti, a London-based company that provides age-verification services for an estimated 60% of websites that require it. Its client list includes Meta, OnlyFans, Sony PlayStation, and TikTok.

The research team determined that the process Yoti uses to verify a person's age broadcasts the person's personal information to third- and fourth-party companies.

When a bartender checks an ID, they quickly verify a customer's date of birth and identity before serving them. Companies like Yoti that employ digital age verification claim their products function the same way, but in a completely private manner.

That analogy has justified laws passed in 25 U.S. states—comprising more than 40% of Americans—mandating the use of digital age verification to gate access to social media and adult online content.

However, by measuring online age verification, researchers reveal that the reality of these systems is far from ideal. The study found that most sites covered by these laws do not appear to enforce age verification.

When sites comply, they force users to use third-party age-verification services like Yoti, which collect and share highly sensitive data with other third parties.

"There have been laws passed and court cases settled on the promise that these companies are incentivized to keep users' data private," said Assistant Professor Michael A. Specter at the School of Cybersecurity and Privacy. "We found that reality is starkly different."

Digital age verification laws are being considered by other legislative bodies to bar minors from social media sites. The problem, Specter and his colleagues argue, is that current methods of age verification are ineffective and create new privacy risks.

"In legal arguments, there have been comparisons to these services acting like a bartender checking IDs," said Specter. "However, what is really happening is the bartender is making photocopies of the patron's license and sending them to their food vendors."

According to the researchers, the data is then sent to credit card companies, IP geolocation services, and data brokers. The researchers found that the information being shared can be used to identify and track devices. For example, a single verification attempt may transmit a user's facial image, IP address, and device fingerprint to credit card companies.

Aside from privacy concerns, researchers note that differing state policies could lead to what they call the Balkanization of the U.S. web. In other words, users may have access to different parts of the internet depending on the state they are in. This will potentially limit the free exchange of ideas and information.

According to Assistant Professor Harry Oppenheimer of the Jimmy and Rosalynn Carter School of Public Policy, users are already accustomed to experiencing the internet differently across countries. However, this may signal the beginning of similar fragmentation within the United States.

"We are going to start seeing comparable differences between U.S. states," said Oppenheimer. "Users in some states will now have to go through additional steps to access information. Close your laptop in New York before a flight to Dallas and try to load the same web page—now you see two different results."

"We also observed age verification deployed on websites accessed from New York, which has no law requiring verification," said Associate Professor Paul Pearce of UC Irvine's Department of Computer Science.

"We don't know why these sites are deploying such verification—it could be a move to limit liability or simplify operations. Regardless, it points to an emerging threat for the open internet where restrictive laws from some states could impact the entire country and beyond."

"This is why we can't have nice things," Specter added.

Provided by Georgia Institute of Technology