On Monday, March 2, over 400 security and privacy academics from 29 countries advised governments to delay implementing age-verification requirements on online platforms until the remaining privacy and security risks are properly addressed.
While the letter does not directly address California Assembly Bill 1043, similar legislative initiatives are currently being considered in several EU countries and U.S. states, including Colorado Senate Bill 26-051 and New York Senate Bill S8102A, which propose age-verification or age-attestation mechanisms at the operating-system level.
Here is the letter in PDF format.
The letter is quite long, but here is a small extract.
Age-assurance checks are easy to bypass, as evidenced by current deployments being circumvented using VPNs, bought or borrowed credentials, or props or AI-based tools (e.g., deepfakes or AI-generated profiles), to change the users’ appearance. Such checks also require the creation of Internet-wide trust infrastructures that do not exist today, whose technical deployment would be quite complex, and whose worldwide legal enforcement seems doubtful. They are not guaranteed to prevent minors from accessing harmful online content, or adults from entering children-specific spaces designed to be safe.
Implementing reliable age verification at scale would require the creation of an Internet-wide trust infrastructure that does not currently exist. Building and maintaining such an infrastructure would be technically complex, costly, and difficult to enforce across jurisdictions. In the United States, where many critical systems are often privatized, establishing a trusted infrastructure of this kind raises additional concerns, particularly regarding who would operate it and how trust would be ensured.
For example, companies such as Google operate large-scale data-driven business models that rely on collecting and monetizing personal information. Entrusting sensitive age-verification data to private data brokers raises serious privacy and ethical questions, especially when the information involves minors.
In my view, requiring operating systems to verify or signal a user’s age is an even weaker approach than the systems currently being discussed in the European Union. I respectfully urge governments to reconsider these laws, as they are unlikely to achieve their stated objectives.
In practice, these systems may create unintended consequences. Technically inclined teenagers will inevitably attempt to bypass such controls. On open-source operating systems like Linux, modifying or disabling age-verification checks could take as little as twenty minutes for someone with modest technical knowledge. Once a working method is discovered, instructions are likely to spread rapidly online, allowing many others to replicate the bypass.
As a result, these laws risk placing otherwise ordinary teenagers in the position of deliberately circumventing legally mandated protections. In effect, the legislation could unintentionally encourage young users to engage in conduct that may violate the law.
More broadly, these systems may introduce new security and privacy risks by requiring the collection and processing of sensitive personal information. Since there is currently no technically reliable way to implement this mandate using existing technology, such infrastructures will inevitably expose sensitive information that may be useful to malicious actors, including criminals who target minors.
Finally, data brokers such as Google, Microsoft, and others will inevitably seek to collect and monetize this information. It would be far safer if they never obtained such data in the first place. A better policy approach would be to prohibit data brokers from collecting this type of sensitive information altogether.
This article is part of a series currently being written.
The author is a retired IT security and cybersecurity professional. Together with cryptographic researchers, he belongs to the community of experts who helped build and secure the Internet infrastructure that made global electronic commerce possible. When it comes to Internet security, this community understands the technical realities and risks involved.