More than 400 security and privacy experts are calling on lawmakers to halt the deployment of mandatory age verification.
The signatories of the open letter warn that regulations intended to protect children online could ultimately cause “more harm than good”.
For these specialists, the solution is clear. They’re demanding a “moratorium” on age verification laws until a “scientific consensus” is reached regarding the technical feasibility of age verification technology and its balance of benefits versus harm to the wider population.
What does the open letter say?
In their detailed open letter, the 419 data privacy and security scientists say that lawmakers are building a flawed age-assurance system — that it’s both ineffective and dangerous.
Since mandatory checks began in the UK last year, the methods of age verification have, in the main, proved remarkably easy to bypass.
From creative gamers using Death Stranding’s photo mode to trick Discord’s facial recognition, to the simple use of virtual private networks (VPNs) to spoof an IP address, you don’t need to be a “tech wizard” to find a workaround.
The tension then arises around VPNs. Lawmakers are increasingly viewing them as tools of circumvention — a “loophole that needs to be closed,” to quote one official — rather than software for privacy and encryption.
Governments worldwide are moving to restrict access to online services based on age. More than 370 scientists have written an open letter calling for a moratorium on age assessment technologies until there is solid evidence on feasibility and impact. A 🧵https://t.co/kHaJI4Y04CMarch 2, 2026
As a result, the UK, several US states, and France are now considering restricting VPN usage in a move that the signatories of the open letter warn will “create security risks.”
That then removes a key tool of data defence. Combine that with the increased storing and sharing of sensitive personal information that age verification processes demand, and we could be heading into a moment of peak vulnerability for large-scale leaks and hacks.
From facial scans to passport and credit card details — the laws could be inadvertently building a treasure trove, ready to be snatched.
How online services verify your age — and the risks involved
Current age-assurance methods broadly fall into three main categories.
Identification-based verification requires users to upload photos of government IDs or financial identifiers. As legal experts Matt Brennan and Graham Muise wrote on Tech Policy Press, uploading these documents is “fundamentally more risky than an in-person verification” because the sensitive data must be stored for a period of time.
This risk moved from the theoretical realm to reality last year when a third-party vendor used by Discord exposed the government-issued ID photos of approximately 70,000 users globally following a data breach.
Biometric verification is another common method. These systems estimate a user’s age by scanning their facial features. While accuracy rates are improving, the consequences of a data leak are far more permanent: unlike a password or a credit card, you cannot replace your face.
Recent reports highlighting the financial ties between verification provider Persona and Palantir co-founder Peter Thiel have raised further concerns. For privacy advocates, it hints at a troubling scenario regarding how our biometric details might be used if integrated into wider surveillance ecosystems.
More privacy-preserving alternatives do exist. While they aren’t yet as widespread as the methods mentioned above, Attribute-Based Verification (ABV) systems are slowly gaining traction.
These solutions significantly lower privacy risks because they don’t require users to share sensitive personal identifiers. However, ABV techniques are not without their own set of challenges.
Digital ID wallets are a prime example. They have the potential to offer a secure way to verify age, but these systems aren’t fully mature and will only be effective if they come with ironclad guarantees.
Specifically, that encryption standards won’t be weakened by other policies, and that the wallets themselves can never be repurposed for broader user tracking.
Performing age checks at the device or operating system (OS) level could also bridge the gap between safety and privacy. However, the scientists urging a “moratorium” argue there hasn’t been enough discussion regarding the long-term impact of these Privacy Enhancing Technologies (PETs).
They argue: “Removing privacy concerns does not address many of the harms that we mention. More generally, the use of PETs risks to bolster centralization by pushing users towards mainstream phone manufacturers that amass more power on the market.”
What’s next for the age verification debate?
People in the UK, US, Canada, Australia, Brazil, Chile, Colombia, the Philippines, and throughout Europe are already required — or soon will be — to undergo mandatory age checks to access content deemed harmful to minors.
And since Australia’s social media ban for under-16s, a growing number of governments are now crafting similar legislation.
However, in the global race to age-gate the web in the name of safety, these 400-strong members of the scientific and technical communities warn that our collective right to privacy has been disregarded. They are now calling on politicians to change direction.
Whether lawmakers will choose to listen and integrate their views, however, remains to be seen.
We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone using a VPN service to break the law or conduct illegal activities. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
