Cory Doctorow argues that “age verification” on the internet is technically impossible and politically dangerous. He traces the pattern of half‑baked technopolicies, shows how they create massive surveillance infrastructure, and presents the counter‑argument that better privacy tools and education—not blanket bans—are the real solution.
The observation: a new consensus hallucination
Policymakers in Utah, the UK and elsewhere are racing to pass laws that would require every online service to prove a user’s age before allowing access to certain content. The rhetoric is familiar: something must be done to protect children. In practice, the proposal amounts to building a nationwide system that can attach a real‑world identity to every byte that crosses a border.
Evidence of the problem
- Technical impossibility – Age is not a property that can be verified without first knowing who the user is. As Doctorow notes, the only way to “verify age” is to attribute each request to an identified person, which means a massive identity‑linking database. The effort mirrors the failed attempts to create a universal "privacy‑preserving" age check that cryptographers themselves have dismissed as a design flaw (see the Bellovin critique).
- Surveillance side‑effects – Implementing such a system would give dictators, identity thieves and corporate data brokers a treasure‑trove of personal data. Even if the system were technically sound, the security of the database would be a constant target, as history shows with every large‑scale data breach.
- Unintended incentives – When the law forces services to block VPNs or other privacy tools, it pushes young users toward exactly those tools the law hopes to eliminate. Utah’s new VPN‑restriction law (EFF coverage) is a case in point: the measure makes circumvention more attractive, not less.
- Policy precedent – The pattern repeats from earlier “something must be done” moments: bans on “working cryptography” required outlawing open‑source software, inspecting every imported device, and crippling updates for critical infrastructure. Those policies never succeeded in stopping the underlying threat, but they did create massive collateral damage (see Doctorow’s 2018 post on cryptography bans).
Counter‑perspectives
- Privacy‑first design – Critics argue that a well‑designed system could use zero‑knowledge proofs to confirm a user is over a threshold without revealing identity. While theoretically possible, the engineering complexity and the need for universal adoption make it impractical today. The risk of a single point of failure outweighs the marginal benefit.
- Targeted education – Some advocates suggest that instead of blanket bans, governments should fund digital‑literacy programs that teach minors how to navigate risky content and how to use privacy tools responsibly. This approach tackles the root problem—lack of awareness—without creating a surveillance apparatus.
- Industry self‑regulation – Platforms could adopt voluntary age‑gating mechanisms that rely on user‑provided information and community moderation, rather than state‑mandated identity checks. While not foolproof, such systems avoid the heavy‑handed state intrusion and can be iterated upon.
Why the pattern matters
Doctorow’s broader point is that technopolicy often follows Bruce Schneier’s “security syllogism”: Something must be done. There, I’ve done something. The act of legislating satisfies the political need for a win, even if the solution does nothing to solve the problem and creates new ones. The “age verification” push is the latest incarnation of this pattern, following earlier “streaming‑only” laws and bans on strong cryptography.
What comes next?
If lawmakers continue to treat policy as a series of symbolic gestures, we can expect a cascade of ever‑more invasive measures: more bans on VPNs, tighter control over open‑source code, and perhaps even mandatory hardware backdoors for consumer devices. The alternative is a shift toward policies that respect the impossibility of perfect age verification, invest in privacy‑preserving technologies, and empower users through education rather than coercion.
For a deeper dive into the history of these half‑baked policies, see Doctorow’s earlier essays on “foreseeable outcomes” (link) and the “security syllogism” (link).
Comments
Please log in or register to join the discussion