The moment a user is redirected to an age verification service, a specific technical event occurs. A third-party company receives the user’s IP address, device fingerprint, and some form of identity credential: a government ID photo, a facial scan, or a credit card number. It validates that credential against a database or processes it through a model. It returns a verification token to the requesting site. It logs the event. That log entry, connecting a verified real identity to a specific site at a specific timestamp, is the data structure that several years of bipartisan child safety legislation have quietly mandated into existence across the United States.
A recent CNBC report frames these age-verification tools as surveillance infrastructure for adults, and the description is technically precise. The concern is not philosophical but architectural: verified real-identity linkages between persons and the categories of content they sought to access. Aggregate enough of these events and you have a registry of which adults consume adult content, which adults visit which political platforms, which adults seek out specific health information. This data did not exist before age verification mandates; the mandates create it.
What Gets Built
The legislative landscape has moved quickly. The Senate passed the Kids Online Safety Act 91-3 in July 2024, an extraordinary margin that reflects how politically untouchable child safety framing has become. COPPA 2.0 would raise the protected age from 13 to 16. Florida’s HB 3 bans children under 14 from social media and requires parental consent for users under 16. More than 30 states have enacted or introduced some form of age verification or social media restriction law. Louisiana’s Act 440 requires age verification for pornography sites, modeled partly on the United Kingdom’s Online Safety Act.
Each of these laws shares a technical requirement: platforms must know which users are minors. There is no way to satisfy that requirement without either failing to verify, which describes the current situation where 13-year-old age gates are meaningless click-throughs, or building identity verification infrastructure. The industry has responded with a small ecosystem of third-party companies: Yoti (facial age estimation), AgeID (document upload for adult sites), Veriff (ID and selfie verification), and ID.me, which is already embedded in IRS, VA, and more than 30 state government systems.
These companies are not data brokers under current US law, but they create data broker-equivalent assets. They know which verified real identity attempted to access which platform on which date. Federal law does not specify how long they must retain this information. There is no mandatory technical audit of their retention practices. If any of these companies is acquired, enters bankruptcy, or is breached, the verification logs become exposed. Logs for an adult content site are extraordinarily sensitive data; logs for a platform hosting political content or medical information are similarly sensitive, if less obviously so.
The Accuracy Trap
The United Kingdom’s Online Safety Act offers a preview of where this trajectory leads. Ofcom defines “highly effective age assurance” as achieving greater than 99.9% accuracy in preventing under-18 access. That threshold reveals a mathematical reality: at 99.9% accuracy, nearly every adult user must be positively verified. No facial age estimation system achieves this without collecting biometric-quality data. No behavioral inference system gets close. The only methods that approach this threshold are government ID document upload and biometric verification, so the accuracy standard essentially mandates identity-linked verification regardless of whatever privacy preferences the law states elsewhere.
The EFF has argued consistently that no privacy-preserving age verification system can satisfy these accuracy requirements at scale. Either you verify identity and create the surveillance database, or you do not verify reliably. The political system has chosen the former while frequently including provisions that nominally prohibit retaining verification data, provisions with no enforcement mechanism and no technical audit requirement, which makes them close to unenforceable in practice.
The Documented Precedent
The scope creep concern is not speculative; it is historical. The Children’s Internet Protection Act of 2000 required schools and libraries to install content filters as a condition of federal funding, and the filtering industry that emerged grew considerably beyond its original mandate. GoGuardian and similar products now conduct keystroke logging, screenshot capture, and behavioral monitoring that extends to out-of-school browsing on school devices. They flag students researching LGBTQ+ topics, mental health resources, and political content, routing those flags to school administrators. This pattern is comprehensively documented and thoroughly normalized, the product of content filtering mandated originally by child protection legislation.
SESTA-FOSTA in 2018 followed a similar arc. Targeted at sex trafficking facilitation, it stripped Section 230 protections in ways that caused platforms to implement broad monitoring of all user content to avoid liability. Craigslist shut its personal ads section. Backpage was seized. The practical outcome was not targeted enforcement against traffickers but comprehensive platform surveillance of legal speech, with documented harm to the people the legislation nominally aimed to protect. The EFF’s analysis of EARN IT draws the same line: mandating content scanning infrastructure for one category of illegal content creates infrastructure that law enforcement will subsequently seek access to for other content categories.
The Behavioral AI Alternative Is Worse
Some platforms are attempting to avoid the document verification route by using behavioral AI to detect likely minors. Instagram analyzes account behavior, content interactions, and profile signals. This approach avoids the third-party verification log problem, but it substitutes a more serious one. To classify users as likely minors, the model must analyze content engagement patterns, accounts followed, time-of-day usage, device type, language patterns, and topics of interest, producing a comprehensive behavioral profile built for demographic inference.
The same model trained to detect “user is probably a minor” can be retrained or extended to infer political affiliation, religious practice, sexual orientation, and health conditions. The demographic profiling infrastructure built for child safety compliance is identical in kind to the infrastructure used for targeted advertising profiling. The child safety mandate provides political justification for building this at scale, and once it exists, the technical capability is not limited to its stated purpose.
The Legal Landscape
Free Speech Coalition v. Paxton (No. 23-1122) placed these questions before the Supreme Court during the 2024 term. The case concerns Texas’s HB 1181, which requires age verification for pornography sites. The Fifth Circuit had upheld the law under rational basis review, and the central First Amendment question was whether heightened scrutiny should apply. Courts have long recognized that anonymous speech is constitutionally protected; McIntyre v. Ohio Elections Commission (1995) established this foundation, and age verification requirements for accessing legal content burden that right for every adult who seeks to access content without identifying themselves to a third party.
The ACLU’s brief in NetChoice v. Griffin, the Arkansas social media case blocked at the district court level, made this point precisely: adults have a First Amendment right to access legal content without disclosing their identity to a third party. That right sits in direct tension with any verification system robust enough to function as intended.
The Gap Between Possible and Mandated
Zero-knowledge proof systems could allow a government-issued credential to verify age without revealing identity to the verifying party. A user could prove they are over 18 without the site learning their name, date of birth, or which government issued their credential. Mobile driver’s license standards (ISO/IEC 18013-5) include provisions for selective disclosure, and Apple Wallet and Google Wallet already support mDL in some US states. Platforms could in principle accept ZK age attestations from government-issued credentials and learn only a single bit: over 18, or not.
None of the state age verification laws mandate or prefer zero-knowledge approaches. They specify “commercially reasonable” methods, which in practice means the established ecosystem of ID upload and facial scan verification. If the legislative goal were age verification with minimal surveillance, the mandates would require privacy-preserving cryptographic approaches. They do not, and the industry that has emerged around compliance reflects that choice directly.
What This Means Going Forward
The infrastructure being built is not an accidental byproduct of child safety legislation. It is the primary technical artifact these laws require. The verification database, connecting real identities to sites accessed at specific times, is what every effective age verification system produces. The third-party companies holding this data operate outside the regulatory frameworks that govern data brokers. The precedents from CIPA, SESTA-FOSTA, and the UK Online Safety Act show how surveillance infrastructure built for child protection expands beyond its stated mandate once the political and technical groundwork is in place.
The underlying concern about children online is legitimate. Social media platforms have avoided accountability for documented harms to minors through decades of self-regulation that has not worked. KOSA passed 91-3 because the political pressure is real and the self-regulatory track record is poor. But the specific technical mechanisms these laws mandate are producing a surveillance database of adult internet behavior, assembled by companies with weak regulatory oversight and held under no consistent retention limits. The history of similar infrastructure is consistent about what tends to follow.