RBGTK DevOps
Back to blog
privacyidentityself-sovereign-identityage-verificationsurveillancedigital-rights

Show Your ID to the Internet

Robby Goetinck·

Governments want to check your age before you go online. Here's why that's a privacy disaster — and what a better future looks like

Half the United States now requires you to prove how old you are before letting you onto certain websites. And it's not just an idea, there are laws already on the books. Australia has banned social media accounts for anyone under 16. France and Denmark are moving toward similar bans. The UK's Online Safety Act is already forcing platforms to implement age checks. Brazil's law kicks in this year. And in 2026 alone, several more US states join the pile.

The stated goal is reasonable enough: keep children away from content that harms them. Nobody serious argues that protecting kids online is a bad idea. But the way governments are going about it — mass collection of government IDs funnelled into centralized databases run by private third-party companies — is creating a privacy catastrophe that outweighs any benefit it delivers.

The Honeypot We're Being Forced to Fill

Here's what age verification actually looks like in practice. You want to access a platform covered by your state's new law. The platform hands you off to a third-party "identity verification provider." You upload a photo of your driver's license, your passport, and/or your face. The provider checks it, tells the platform you're old enough, and promises to delete your data.

You trust that promise. You have no choice but to trust it.

And then the inevitable happens:

  • In October 2025, hackers breached Discord's third-party customer service provider and walked out with roughly 70,000 photos of government-issued IDs — passports, driver's licenses — that users had submitted for age verification. Discord's own policy had stated those documents were "deleted directly after your age group is confirmed." Seventy thousand IDs leaked anyway.
  • That same summer, a dating app called Tea was compromised, exposing over 13,000 photos of government IDs and 59,000 verification selfies.
  • Also in 2024, a major identity verification company called AU10TIX left its login credentials exposed online for more than a year, leaving a researcher able to access names, dates of birth, nationalities, ID numbers, and images of identity documents belonging to users who had verified on behalf of platforms including Uber and TikTok.

These are not edge cases. They are the predictable, unavoidable result of a system designed to aggregate exactly the kind of data that attackers want to steal. As one analysis put it, centralized age verification creates "massive honeypots of sensitive data that will inevitably be breached." The Electronic Frontier Foundation has been saying the same thing for years: these systems are irresistible targets for hackers.

The truly maddening part? You cannot change your face after a breach. You get one passport number. When that data leaks, the damage is permanent.

And yet, in March 2026, a coalition of 419 cybersecurity professors, researchers, and analysts from 30 countries published an open letter to policymakers warning that current age verification systems are not only difficult to secure at scale, but may be fundamentally ineffective and prone to catastrophic data breaches. Policymakers, by and large, have not paused to reconsider.

It Doesn't Even Work

If the privacy risk came with a guarantee of actually keeping kids safer, that might at least be a tragic trade-off worth debating. But age verification as currently implemented fails on its own terms.

When Florida enacted one of the toughest social media bans in the country — prohibiting anyone under 14 from creating accounts at all — VPN demand in the state surged by 1,150%. Teenagers are not confused by VPNs. Borrowed IDs, shared accounts, and a five-minute search are all it takes to circumvent an age gate. The people who get blocked are not determined minors; they are adults who lack government-issued ID, or who are flagged by error-prone automated systems, or who simply don't want to hand their biometric data to a company they've never heard of.

The system protects no one particularly well, and it breaches the privacy of anyone.

This is the Way

The frustrating thing is that this problem is genuinely solvable — just not with the approach governments are currently mandating.

The technology already exists to let someone prove they are over 18 without telling a website who they are. It's called Self-Sovereign Identity (SSI), and its core tool is the Verifiable Credential.

Here is how it works in plain terms.

Imagine your government issues you a digital identity credential — the equivalent of a driver's license, but stored in an app on your phone rather than in a laminated card in your wallet. That credential is cryptographically signed by the government. It contains your name, your date of birth, your address, and all the other things a license contains.

Now you want to sign up for a platform that requires age verification. Under the current model, you upload your license to a stranger's server and hope for the best. Under the SSI model, you do something different: you open your wallet app, and instead of sharing your credential, you share a proof derived from it. The proof says one thing and one thing only: this person is over 18. It is cryptographically verified — meaning the platform can confirm with certainty that a trusted authority (your government) issued this credential and that the claim is genuine — without the platform ever seeing your name, your birth date, your address, your ID number, or your image. Nothing is transmitted to a third-party server. Nothing is stored. There is nothing to breach.

This is called selective disclosure, and it is a foundational feature of the W3C Verifiable Credentials standard — a published, open international specification that has reached official recommendation status. More advanced implementations use zero-knowledge proofs, which allow you to prove a mathematical statement (e.g., "my age is greater than 18") without revealing the underlying data at all.

The trust triangle here is elegant: the government issues the credential, you hold it in your wallet, and the platform verifies it. At no point does the platform need to know anything about you except the single fact it is entitled to know. Not even the identity system provider learns what you are doing with your credential.

Ireland's government is already exploring exactly this model — a government-run age verification app that responds to platform queries with nothing but a yes or no. No identity transmitted. No database of IDs sitting on a third-party server waiting to be stolen.

Even the EU's own initiative EBSI supports the use of government issued verifiable credentials. This network is set to go live in Q2 of 2026 and opens a realm of possibilities for government backed identity that does not require you to hand over all your data to a supposedly trust-worthy third-party.

Why Aren't We Doing This?

Because it's harder, slower, and less profitable than the alternative.

The current approach is convenient for governments because it outsources the hard problem to private companies. It's profitable for those private companies because centralizing identity data is a lucrative business. And it appears to satisfy legislators who need to show constituents they are "doing something."

SSI requires governments to actually issue digital credentials at scale, which means building infrastructure, establishing standards, and coordinating across agencies. It requires platforms to implement a new verification flow. It requires that someone make the political case for a privacy-preserving approach when "just check their ID" is so much easier to explain in a press release.

None of that is impossible. The EU's eIDAS regulation is already building toward a European Digital Identity Wallet. The W3C standards are stable and production-ready. The cryptography is proven. What is missing is the political will to demand that age verification be done right rather than merely done fast.

What Is Actually at Stake

There is one more dimension to this that rarely gets discussed in the context of protecting children: the infrastructure being built right now will not stay in this or that country, and it will not stay limited to social media.

When you mandate centralized age verification at scale, you build the technical and legal architecture for linking real identities to online behavior. That architecture gets exported, copied, and adapted. Countries that do not share liberal democratic values about free expression and political dissent are watching closely. Many of their citizens use the same platforms, and those platforms are now building identity-linkage systems under Western legal pressure.

Anonymous and pseudonymous online participation has always been a tool of political survival for people whose governments would punish them for speaking. An age verification system that treats anonymity as a bug to be eliminated is not neutral infrastructure. It is a choice about what the global internet looks like — and who it is safe for.

Protecting children online is a serious goal that deserves serious solutions. Mandatory mass collection of government IDs by private companies with a proven track record of losing that data is not a serious solution. It is a serious problem masquerading as one.

The technology to do this better exists. The standards are written. The only thing left to decide is whether we demand that governments use them.

Further reading: The Electronic Frontier Foundation's Age Verification Resource Hub, and the W3C Verifiable Credentials Data Model 2.0 specification.