Why Isn’t Online Age Verification Just Like Showing Your ID In Person?
from the bad-analogies dept
One of the most common refrains we hear from age verification proponents is that online ID checks are nothing new. After all, you show your ID at bars and liquor stores all the time, right? And it’s true that many places age-restrict access in-person to various goods and services, such as tobacco, alcohol, firearms, lottery tickets, and even tattoos and body piercings.
But this comparison falls apart under scrutiny. There are fundamental differences between flashing your ID to a bartender and uploading government documents or biometric data to websites and third-party verification companies. Online age-gating is more invasive, affects far more people, and poses serious risks to privacy, security, and free speech that simply don’t exist when you buy a six-pack at the corner store.
Online age verification burdens many more people.
Online age restrictions are imposed on many, many more users than in-person ID checks. Because of the sheer scale of the internet, regulations affecting online content sweep in an enormous number of adults and youth alike, forcing them to disclose sensitive personal data just to access lawful speech, information, and services.
Additionally, age restrictions in the physical world affect only a limited number of transactions: those involving a narrow set of age-restricted products or services. Typically this entails a bounded interaction about one specific purchase.
Online age verification laws, on the other hand, target a broad range of internet activities and general purpose platforms and services, including social media sites and app stores. And these laws don’t just wall off specific content deemed harmful to minors (like a bookstore would); they age-gate access to websites wholesale. This is akin to requiring ID every time a customer walks into a convenience store, regardless of whether they want to buy candy or alcohol.
There are significant privacy and security risks that don’t exist offline.
In offline, in-person scenarios, a customer typically provides their physical ID to a cashier or clerk directly. Oftentimes, customers need only flash their ID for a quick visual check, and no personal information is uploaded to the internet, transferred to a third-party vendor, or stored. Online age-gating, on the other hand, forces users to upload—not just momentarily display—sensitive personal information to a website in order to gain access to age-restricted content.
This creates a cascade of privacy and security problems that don’t exist in the physical world. Once sensitive information like a government-issued ID is uploaded to a website or third-party service, there is no guarantee it will be handled securely. You have no direct control over who receives and stores your personal data, where it is sent, or how it may be accessed, used, or leaked outside the immediate verification process.
Data submitted online rarely just stays between you and one other party. All online data is transmitted through a host of third-party intermediaries, and almost all websites and services also host a network of dozens of private, third-party trackers managed by data brokers, advertisers, and other companies that are constantly collecting data about your browsing activity. The data is shared with or sold to additional third parties and used to target behavioral advertisements. Age verification tools also often rely on third parties just to complete a transaction: a single instance of ID verification might involve two or three different third-party partners, and age estimation services often work directly with data brokers to offer a complete product. Users’ personal identifying data then circulates among these partners.
All of this increases the likelihood that your data will leak or be misused. Unfortunately, data breaches are an endemic part of modern life, and the sensitive, often immutable, personal data required for age verification is just as susceptible to being breached as any other online data. Age verification companies can be—and already have been—hacked. Once that personal data gets into the wrong hands, victims are vulnerable to targeted attacks both online and off, including fraud and identity theft.
Troublingly, many age verification laws don’t even protect user security by providing a private right of action to sue a company if personal data is breached or misused. This leaves you without a direct remedy should something bad happen.
Some proponents claim that age estimation is a privacy-preserving alternative to ID-based verification. But age estimation tools still require biometric data collection, often demanding users submit a photo or video of their face to access a site. And again, once submitted, there’s no way for you to verify how that data is processed or stored. Requiring face scans also normalizes pervasive biometric surveillance and creates infrastructure that could easily be repurposed for more invasive tracking. Once we’ve accepted that accessing lawful speech requires submitting our faces for scanning, we’ve crossed a threshold that’s difficult to walk back.
Online age verification creates even bigger barriers to access.
Online age gates create more substantial access barriers than in-person ID checks do. For those concerned about privacy and security, there is no online analog to a quick visual check of your physical ID. Users may be justifiably discouraged from accessing age-gated websites if doing so means uploading personal data and creating a potentially lasting record of their visit to that site.
Given these risks, age verification also imposes barriers to remaining anonymous that don’t typically exist in-person. Anonymity can be essential for those wishing to access sensitive, personal, or stigmatized content online. And users have a right to anonymity, which is “an aspect of the freedom of speech protected by the First Amendment.” Even if a law requires data deletion, users must still be confident that every website and online service with access to their data will, in fact, delete it—something that is in no way guaranteed.
In-person ID checks are additionally less likely to wrongfully exclude people due to errors. Online systems that rely on facial scans are often incorrect, especially when applied to users near the legal age of adulthood. These tools are also less accurate for people with Black, Asian, Indigenous, and Southeast Asian backgrounds, for users with disabilities, and for transgender individuals. This leads to discriminatory outcomes and exacerbates harm to already marginalized communities. And while in-person shoppers can speak with a store clerk if issues arise, these online systems often rely on AI models, leaving users who are incorrectly flagged as minors with little recourse to challenge the decision.
In-person interactions may also be less burdensome for adults who don’t have up-to-date ID. An older adult who forgets their ID at home or lacks current identification is not likely to face the same difficulty accessing material in a physical store, since there are usually distinguishing physical differences between young adults and those older than 35. A visual check is often enough. This matters, as a significant portion of the U.S. population does not have access to up-to-date government-issued IDs. This disproportionately affects Black Americans, Hispanic Americans, immigrants, and individuals with disabilities, who are less likely to possess the necessary identification.
We’re talking about First Amendment-protected speech.
It’s important not to lose sight of what’s at stake here. The good or service age gated by these laws isn’t alcohol or cigarettes—it’s First Amendment-protected speech. Whether the target is social media platforms or any other online forum for expression, age verification blocks access to constitutionally-protected content.
Access to many of these online services is also necessary to participate in the modern economy. While those without ID may function just fine without being able to purchase luxury products like alcohol or tobacco, requiring ID to participate in basic communication technology significantly hinders people’s ability to engage in economic and social life.
This is why it’s wrong to claim online age verification is equivalent to showing ID at a bar or store. This argument handwaves away genuine harms to privacy and security, dismisses barriers to access that will lock millions out of online spaces, and ignores how these systems threaten free expression. Ignoring these threats won’t protect children, but it will compromise our rights and safety.
Republished from the EFF’s Deeplinks blog.
Filed Under: age verification, id check, privacy, security
Comments on “Why Isn’t Online Age Verification Just Like Showing Your ID In Person?”
“Why Isn’t Online Age Verification Just Like Showing Your ID In Person?”
Because porn. 🙂
These laws also exist for explicit sexual content, which is First Amendment protected speech. (Firearms is also probably best left off that list, given it’s constitutional protection.)
That gives up anonymity/privacy, though. Especially if say, you live in a small town, or for marginalized groups like transgender folks.
They’re not completely equivalent, but the comparison is inevitable if EFF is going to cite aspects that do overlap. In-person ID is a compromise of rights, a risk to anonymity, etc. Despite not being equivalent, in-person IDs still don’t seem to meet the bar EFF is advocating for.
Re:
Which is largely a non-problem because people in marginalized groups tend to avoid outing themselves in such situations.
They do not overlap because with in-person id-checks people can chose what place to visit based on personal criteria, no such choice will even exist with online verification since it’ll be centralized to a few providers of such services.
Re: Re:
If someone has to not access 1A speech to avoid outing themselves, that is a compromise of their 1A rights. That’s literally the quintessential concern around anonymity/privacy.
I think it’s pretty clear EFF’s issue with online ID checks is not “not enough choice”, or that their concerns would be resolved if there were more choices. The issues they’re citing would still exist even if there were many providers of such services.
Re: Re: Re:
Which isn’t what I said, was it now?
Did I say “not enough choice”? No, I didn’t! How about you actually respond to what I said instead of making up something I didn’t say.
Re: Re: Re:2
You said “Which is largely a non-problem because people in marginalized groups tend to avoid outing themselves in such situations.” I don’t see how this is largely a non problem. Either the marginalized person doesn’t access the 1A material to not risk being outed (a problem), or they do get identified, and risk being outed (also a problem). I don’t see how this is “largely a non-problem”. Are you suggesting a marginalized person can magically not out themselves while still being verified in person? Because that is obviously not the case, and I assumed that is not what you were saying.
You said They do not overlap because with in-person id-checks people can chose what place to visit based on personal criteria. But you still have the issues of compromising rights or a risk to anonymity/privacy, regardless of people being able to choose places based on personal criteria. I don’t see what that choice has to do with compromise of rights or a risk to anonymity, they still both exist for both online and in-person age verification regardless of choice being different in person. So I’m not sure what point you’re trying to make about choice here, it seems like a complete non sequitur.
I am trying to respond to what you actually said. It’s apparently not at all clear you’re actually trying to say. Feel free to clarify.
Re: Re: Re:3
It is a non-problem for the context that was discussed, ie age restriction on certain things that minors shouldn’t have access to, like tobacco, guns, porn etc. What kind of scenarios do you think exists were in-person id-check outs someone as belonging to a marginalized group? Buying liquor and porn-mags?
With in-person id-checks someone has the choice where they will do business knowing that the transaction is ephemeral, no information is stored anywhere whereas doing the same on the internet means they have no choice than to accept that the information will be stored and processed and perhaps later sold to a 3rd party or even vacuumed up by the government.
Re: Re: Re:4
But but but small towns! Everyone will judge you for buying teh pr0nz. Especially the shop owner who sees your ID. The shop owner who is selling … uh.
Re: Re: Re:4
Yes. (Although not just an id-check, it can also be visual inspection, as mentioned by the article. Both coming with risks of being outed.)
That doesn’t make things like compromising rights/anonymity not overlapping. That’s just reiterating what I said earlier- some aspects (whether it’s ephemeral) are indeed different. That doesn’t prevent other aspects from overlapping. It’s still compromising of rights and removal of anonymity while also being ephemeral.
You might be ok with compromising rights/removing anonymity if it’s ephemeral, because that changes the overall risk profile, but they’re still happening. And that matters if the core argument is that they should never be compromised, as EFF is arguing, rather than one risk is acceptable and one isn’t.
Re: Re: Re:5
If someone just look the part of being in a marginalized group and gets harassed for it the whole point with showing an id becomes moot.
There’s a difference between an ephemeral interaction and a permanently stored interaction which can be distributed to 3rd parties either through databrokers or leakage/hacked information.
No, the core argument is that online verification compromises our security, privacy and 1A amendment rights without actually protecting children in a meaningful way which is why you can’t compare in-person checks with online checks.
Re: Re: Re:
What, even? Arglebargle. Bafflegab.
Re:
It’s still a shit comparison and not equivalent at all, irrespective of your usual fake-ass “nuance” and “thoughtful consideration”.
Which is too bad, as you can be pretty good 1/10 when not doing the most ridiculous devil’s advocate impression.
Re: Re:
It’s a shit comparison on some aspects, and it’s a fine comparison on others. For some reason EFF mentions both. It actively undermines the former when you include the latter. Just do the former, it’s better.
Yes, which is why I specifically said it wasn’t equivalent.
I’m not playing devil’s advocate, I’m saying stick to the parts of the comparison where it’s a shit comparison instead of shooting yourself in the foot. When you mention aspects that both do that don’t fit EFF’s criteria, you’re actively going to make people conflate them more and weaken other parts. That’s not helpful.
Why do you think this is a good way to do it?
One takes seconds. One creates a long-term record. They are not the same
You have to provide your ID in person:
The employee checks your ID, sees it looks valid, and promptly forgets you, leaving no record that you used the ID or where you used it at.
You have to provide your ID online:
The website checks your ID against a database of personal data that you had to provide that is certainly just as secure as it is accurate, creating a log on the ID archive and the website that you used your ID, where you used it and when you used it. Given the website might have to prove that they’ve been checking ID’s down the line they will almost certainly keep that log for an extended period of time, resulting in an extremely tempting target for hackers to break in and acquire.
Online ID checks becoming normalized is also any scammer or phisher’s wet dream. Imagine how much easier it’s going to be for them to convince the gullible/tired/lazy/inattentive people to give personal info away.
What happens if a minor shows their ID, as a minor, just to see what happens. I bet a surprising amount of websites would still work.
The real question is, if a minor actually tried and it worked, technically that minor is breaking the law, right?
Would the minor get tried as an adult?
Could the site owners get arrested too, since once they scan the ID, they become a porn site in possession of pictures of a minor.
If the anti-abortion people believe that life begins at conception, wouldn’t that mean everyone is about 9 months older anyways?
These are the questions that run through my mind when I have nothing better to do, which is often lately, because I can’t get into my Chaturbate account. I keep failing the ID check. I’m 43.
Re:
Too old for Chaturbate, i guess.