Age Verification Won’t Save Kids—But It Will Kill Privacy

Around the world, governments are quietly rebuilding the internet around a single idea: you should have to prove who you are to use it. In the United States, Joshua S. Gottheimer has proposed requiring operating systems to verify the age of every user. In Malaysia, social media platforms are no longer allowed to accept users without identity verification.

Different justifications. Same direction. The anonymous internet is being dismantled one policy at a time.

The Illusion of Protection

Age verification is presented as a moral necessity, as if the internet, left unregulated, is inherently dangerous and must be corrected. But this assumes something that has never been demonstrated: that large-scale identity enforcement meaningfully produces safety. It is, at best, an attempt to impose order on a system that resists it. At worst, it is security theater—an intervention that signals control without achieving it.

For age verification to work, it would need to reliably prevent minors from accessing restricted content. That requires two things:

In practice, age verification doesn’t eliminate access. It filters out the most convenient path—and nothing more. The remaining paths are not rare or sophisticated. They are ordinary.

VPNs bypass enforcement entirely.

Many systems rely on location-based enforcement—restricting content based on jurisdiction. This assumes users remain within those boundaries. They don’t. A VPN allows anyone to appear as if they are connecting from a different region, bypassing restrictions in seconds. No identity check is meaningfully enforced if the system cannot even establish where the user is.

Identity breaks down in practice.

Age verification assumes a one-to-one link between a person and their credentials. In reality, credentials are routinely shared. A verified account can be used by multiple people, and an ID can be lent, copied, or reused. Once verification is completed, the system has no reliable way to ensure that the person using the account is the person who was verified.

Enforcement doesn't fail technically, but socially. A minor does not need to defeat the system technically—they only need access to someone older who already has. This turns verification into a gate that can be opened once and passed through repeatedly, with no additional friction.

The network does not comply as a whole.

The internet is not a single platform but a network of loosely connected systems. Even if major services enforce strict verification, others will not—whether due to jurisdiction, cost, or intent. Content does not disappear under restriction. It migrates. Users follow it to platforms where enforcement is weaker or nonexistent, fragmenting the ecosystem rather than securing it.

The internet does not behave like a closed system that can be fully regulated. It behaves like a distributed network where enforcement is always partial and workarounds are always available somewhere in the system. The more restrictive the system becomes, the more it incentivizes users to route around it.

This is not a failure of implementation. It is a structural property of open networks.

The Cost of Identification

If age verification were merely ineffective, it would be easy to dismiss. However, that is far from the truth. It introduces a new condition: Users are required to prove who they are before they can access information. This is not a small shift in policy, but a fundamental change in the relationship between individuals and the internet.

The internet was not built around identity.

Access was the default. Identification was optional. Age verification reverses that. Access becomes conditional. Identification becomes a prerequisite.

To verify age, systems must rely on some form of identification: government IDs, biometric scans, or persistent third-party credentials. Even when framed as “privacy-preserving,” these systems still require sensitive data to be processed, transmitted, or stored. While firms and governments holding this data claim that the use is controlled, that does not eliminate the risk of data breaches and misuse.

Even when your identity is not directly stored after verification, platforms rely on unique tokens and credentials to consistently recognize verified users. Identity is not required for tracking. Consistency is. Anonymity is not just the absence of a name. It is the ability to act without being continuously recognized.

Age verification concentrates sensitive information into a small number of systems: platforms, identity providers, and intermediaries. These systems become high-value targets. Breaches are not hypothetical events, but a recurring feature of large-scale data systems.

The question is not whether data will be exposed, but when.

Centralization does not just create a technical risk. It creates institutional access. Centralized systems that store data do not exist in isolation. They are subject to legal access, regulatory pressure, and institutional demand. Surveillance does not need to be total to be effective. The existence of its infrastructure is enough.

The system does not need to fail to be dangerous. It only needs to become normal.

Once identification becomes the default, it stops being questioned.

Journalism relies on confidential sourcing, and whistleblowing requires protection from attribution. Anonymity is infrastructure for information disclosure. Identifiable systems reduce individuals' willingness to speak and risk awareness alters participation quality and quantity.

Less information being disclosed means less information being available for the public, and public knowledge becomes filtered.

Anonymity is not just personal protection—it is epistemic infrastructure.

False Compromises

Age verification policies are presented as necessary to protect minors online, with privacy being a sacrifice for safety that is unavoidable—or even responsible. This framing is false. It implicitly assumes:

But as explained, age verification does not reliably prevent access to platforms since bypass is trivial and widespread, and enforcement is fundamentally partial and unstable.

The safety benefit is limited, inconsistent, and easily undermined. On the other hand, the privacy cost is immediate, structural, and permanent.

The cost is guaranteed. The benefits are speculative.

A trade-off only exists if both sides hold. Here, only one side does. Age verification, then, is not a privacy-versus-safety trade-off. It marginally affects safety, while expanding institutional control and eroding individual privacy.

These policies become security theatre. Authorities signal action without solving the underlying problem, creating an illusion of control over the situation. Politically useful. Practically weak.

The current situation is not just about age verification. It represents a broader shift being imposed on the internet's users, from anonymous access to information to identity-gated access.

The policies are not a privacy-versus-safety or protection-versus-risk debate, but it's about the default structure of the internet and how information can be controlled. It doesn't work as intended, the costs are structural and permanent, and the trade-off is false, or, at best, heavily asymmetrical.

This is not a safeguard. It is a shift in the baseline of access. The language of child safety is not incidental. It is the most politically insulated justification available — one that forecloses opposition by design. Whoever controls identity infrastructure controls access. That is not a side effect of these policies. It is their logic.