Prove You’re Old Enough: How Age-Verification Laws Are Quietly Building a Global Identity Infrastructure

In November 2024, the Australian federal parliament passed the Online Safety Amendment (Social Media Minimum Age) Act 2024 by an overwhelming margin, banning children under sixteen from using social media.¹ The law received royal assent in December, with an effective date of December 10, 2025. There was, however, a small awkwardness: the final report from the ACCS, the body responsible for evaluating the technical feasibility of enforcement, was not due until June 2025. The law had already passed. The question of how, exactly, to confirm “how old are you” was still being tested.

Australia’s chronological inversion was not an anomaly. Within the same legislative wave, the United Kingdom’s Online Safety Act 2023 empowered Ofcom to require platforms to implement “highly effective” age assurance starting July 2025²; France’s Loi SREN gave Arcom the authority to block pornographic websites³; at least twenty-one U.S. states enacted age-verification laws within three years⁴; Brazil’s Digital ECA took effect in March 2026⁵; Indonesia’s PP TUNAS launched the same month⁶; and Malaysia’s Online Safety Act 2025 and the UAE’s Federal Decree-Law No. 26/2025 both went into force in January 2026.⁷ From Canberra to London to Austin to Jakarta, at least twenty-five countries or jurisdictions moved on age-verification legislation in a span of three years.

The political logic driving this wave is strikingly uniform. Child safety is the rare issue that commands bipartisan — indeed, cross-partisan — consensus. No elected official wants to be caught standing on the side of “opposing the protection of children.” The result is that the pace of legislation has far outstripped the pace of technical evaluation and human-rights impact assessment. When Norway introduced its bill setting a fifteen-year-old threshold for social media in 2025, the government openly acknowledged that “no fully effective age-verification solution currently exists” — yet pressed ahead anyway.⁸ That children deserve protection is not in dispute. The real question is what kind of digital identity infrastructure “proving you are an adult” demands, and where, on a spectrum running from protective tool to surveillance apparatus, the design choices place it. Most of the schemes already in operation, propelled by political urgency, have landed at the high-risk end.

How Political Urgency Compressed Technical Deliberation

To grasp the scale of the gap, it helps to look back to 1998 and the U.S. Children’s Online Privacy Protection Act, better known as COPPA. The law required websites to obtain “verifiable parental consent” before collecting data from children under thirteen, but it specified no particular age-confirmation technology. Industry responded with the cheapest possible compliance: a checkbox reading “I am 13 or older.” That checkbox endured for more than two decades.⁹

Between COPPA and the UK’s Online Safety Act 2023 lies a turning point: the mounting controversy over content harms on social media. In the early 2020s, multiple countries held hearings and launched investigations into the injuries children sustained on social platforms. A political consensus — that platforms should be held responsible for children’s safety — crystallized with striking speed. Age verification was promoted from technical detail to political agenda item. Legislators needed visible action, and “confirm the user’s age” was the most intuitive policy lever available.

ISO/IEC 27566-1, the world’s first international standard for age-assurance systems, defines three core methods — verification, estimation, and inference — and recommends privacy-by-design principles alongside tiered approaches.¹⁰ This standard was not formally published until December 2025. By the time it appeared, twenty-one U.S. states had already legislated, the UK had begun enforcement, and Australian law was already in effect. Technical standards could not keep pace with political cycles, and countries chose their solutions in the absence of a shared technical baseline.

On June 27, 2025, the U.S. Supreme Court handed down a 6-to-3 ruling in Free Speech Coalition v. Paxton, declaring Texas’s age-verification law constitutional.¹¹ Justice Thomas, writing for the majority, applied intermediate scrutiny and stated plainly that “adults do not have a First Amendment right to avoid age verification.” The decision was, arguably, a global inflection point. Before Paxton, federal district courts in multiple states had issued preliminary injunctions blocking age-verification laws on First Amendment grounds. After Paxton, the presumption flipped — from presumptively unconstitutional to presumptively constitutional — and nine states completed their own legislation within the remainder of 2025, at a noticeably accelerated pace.

The dissent, authored by Justices Kagan, Sotomayor, and Jackson, warned that the majority’s reasoning could extend well beyond pornographic websites.¹² That warning has already come true in California, where AB1043 expanded the age-verification framework into a “Digital Age Assurance” model applicable to any online service “likely to be accessed by minors.”¹³

The European Union charted a different course. With eIDAS 2.0, it opted for “build the infrastructure first, then layer on the applications,” requiring every member state to offer at least one EUDI Wallet by the end of 2026.¹⁴ The “dual anonymity” technical standard that France’s Arcom published in October 2024 is one of the rare cases in which a regulator, even under political pressure, attempted to preserve privacy.³ But these counterexamples are notable precisely because they are scarce.

The Technical Spectrum — From Self-Declaration to Universal Real-Name Registration

The technical approaches to age verification form a spectrum. At one extreme sits self-declaration, which collects almost no data. At the other lies a regime in which every user is linked in real time to a government database — universal real-name registration. Different countries, shaped by their political contexts, technological infrastructures, and governance traditions, have landed at different points along this spectrum. Three pairs of contrasts sketch the full picture.

The high-surveillance end — China’s anti-addiction system vs. ID upload in multiple U.S. states

China’s anti-addiction system occupies the far high-surveillance end of the spectrum. Since the “strict version” took effect in 2021, every online game user must undergo real-name verification through the NPPA, with the system connected in real time to the national population database and supplemented by random facial-recognition checks.¹⁵ Minors are permitted to play only during the hours of 8:00 to 9:00 p.m. on Fridays, Saturdays, Sundays, and statutory holidays — a combined total of three hours per week. This infrastructure has since expanded beyond gaming to other online services.

And yet, according to an academic study published in PMC (survey data, with attendant sampling biases), roughly seventy-seven per cent of minors successfully circumvented the real-name verification by borrowing relatives’ accounts.¹⁶ A population-wide identity infrastructure was built; the evasion rate among the very population it targeted remained staggeringly high. China subsequently intensified facial-recognition spot checks. The evasion persisted.

In the United States, at least twenty-one states require pornographic websites to perform age verification, with most schemes demanding that users upload government-issued identification.⁴ Louisiana’s LA Wallet uses a digital driver’s license as its verification tool — a step beyond uploading a photocopy of a physical license, but still tethered to a government ID. India’s Digital Personal Data Protection Act requires platforms to obtain “verifiable parental consent” before allowing anyone under eighteen to use their services, with the technical pathway split between Aadhaar’s centralized model and DigiLocker’s token-based approach.¹⁷ According to Medianama, Andhra Pradesh is exploring the use of DigiLocker age tokens to restrict social media access for thirteen- to sixteen-year-olds, though this remains at the planning stage with no independently verified implementation progress.¹⁸

The middle ground — Ofcom’s pluralist approach vs. Germany’s certification regime

Ofcom in the UK has approved a menu of age-assurance methods that may operate in parallel: facial age estimation, credit-card or bank verification, digital ID, telecom-operator verification, and official document scanning — while explicitly ruling out self-declaration.² As of October 2025, Ofcom had opened five enforcement programmes and twenty-one investigations, and in December fined AVS Group one million pounds.¹⁹ The strength of this model is its technical flexibility. The risk is the absence of a unified privacy standard: platforms can choose the cheapest option, and the cheapest is rarely the most privacy-friendly.

Yoti’s facial age estimation is the most widely deployed commercial solution to date, having processed more than one billion verifications. A 2024 NIST evaluation found that Yoti achieved a mean absolute error of 1.1 years in the thirteen-to-seventeen age bracket, ranking first.²⁰ But the NIST tests used standardized photographs; real-world variations in lighting, angle, and racial diversity could significantly degrade accuracy.

Germany has taken the certification route. The KJM approves only age-verification systems that have passed its review, requiring identity confirmation, minimal data collection, encrypted transmission, and GDPR compliance. Requirements tightened further after the revised JMStV took effect in December 2025.²¹

France’s Arcom scheme merits separate attention. The technical standard published in October 2024 mandates “dual anonymity”: a bank or telecom operator verifies the user’s age, and the pornographic website receives only a binary result — “adult” or “minor” — with no knowledge of the user’s identity. Simultaneously, the intermediary has no knowledge of which website the user is visiting.³ It is an attempt to achieve a privacy-friendly outcome within existing legal constraints, but its scope is limited to pornographic websites, the transition period is just three months, and it has not yet been extended to social media.

Malaysia’s Online Safety Act 2025 requires social media platforms to bar users under sixteen and to implement eKYC verification; the MCMC has established a regulatory sandbox to test age-assurance technologies.⁷ Thailand is considering a “double lock” system — e-ID combined with a daily two-hour usage cap — but the proposal remains in draft form.²²

The low-intrusion end — zero-knowledge proofs and token-based schemes

Spain’s Cartera Digital Beta began testing in September 2024, using zero-knowledge proofs to confirm whether a user meets the legal age threshold.²³ The core design principle: “The website receives only a valid-or-invalid result, with no access to the user’s name, date of birth, or any credential information.” This scheme has been selected as the foundational technology for the EU’s white-label age-verification app.

The EU’s age-verification blueprint, published in July 2025, integrates zero-knowledge proofs and is being piloted in five countries — Denmark, France, Greece, Italy, and Spain — with customized national apps expected in early 2026.²⁴ The euCONSENT project’s AgeAware system uses a token-based architecture paired with anonymization services.²⁵ A collaboration between Google and Germany’s Sparkassen savings-bank network combines the Credential Manager API with zero-knowledge proofs, with public availability anticipated in the first half of 2026.²⁶ W3C Verifiable Credentials 2.0 became an official standard in May 2025, and TruAge’s product has integrated the core technology, using encrypted single-use tokens for age verification in retail settings since 2021.²⁷

Overturned and stalled cases

South Korea’s gaming curfew law stands as an instructive cautionary tale. Enacted in 2011, it prohibited anyone under seventeen from playing online games between midnight and six a.m., backed by real-name authentication. It was repealed in August 2021, after the rise of mobile gaming rendered it ineffective, alternative measures became available, and a social consensus formed that the policy had produced no positive outcomes.²⁸ The Korean case demonstrates that even highly coercive age-verification regimes can be rolled back when they prove ineffectual. But the prerequisite for rollback is a political system that permits policy reversal — a condition not every country meets.

Japan’s Information Distribution Platform Act, which took effect in April 2025, deliberately omits mandatory age verification.²⁹ Canada’s Bill C-63 died when Parliament was dissolved; Bill S-209 has been reintroduced, but no federal-level age-verification law is currently in force.³⁰ Singapore’s Online Safety Code, effective since July 2023, includes app-store-level age confirmation but stops short of government ID verification.³¹

The Structural Slope — From Child Protection to a Universal Identity Gate

Will infrastructure built for child protection expand into a universal digital identity gate? This proposition describes a structural tendency — rooted in the interaction between infrastructure scalability and policy path dependence — and the cases that have already materialized provide an inductive basis.

California’s AB1043 extended what was originally a pornographic-website age-verification requirement into a “Digital Age Assurance” model applicable to any online service “likely to be accessed by minors.”¹³ Illinois’s Digital Age Assurance Act goes further still: its legislative rationale explicitly states the intention to “embed age verification into the digital infrastructure itself.” The expansion pathway from pornographic sites to the entire web is plain to see.

The Irish government has been pushing to extend the Public Services Card from social welfare to identity verification for banks, credit unions, and utilities, adding a date-of-birth field for age-verification purposes.³² While the PSC’s expansion may have policy drivers independent of age verification — digital-government efficiency, for instance — and current reports come from advocacy-oriented media, the very fact that age-verification functionality is being folded into an already-expanding infrastructure confirms the multi-purpose tendency of such systems.

The UK’s GOV.UK Verify, having underperformed, was replaced by One Login, and in September 2025 the Prime Minister announced a digital ID initiative built on One Login and the GOV.UK Wallet.³³ A failed login system evolved into a multi-purpose digital identity wallet. The EU’s eIDAS 2.0 requires every member state to provide at least one EUDI Wallet by the end of 2026, with age verification as an explicit use case; all large private enterprises must accept the Wallet by December 2027.¹⁴ A wallet infrastructure built for age verification doubles as general-purpose digital identity infrastructure.

These cases converge on a single logic: once infrastructure is in place, the marginal cost of extension is low, sunk investments demand returns, and new policy requirements can free-ride on what already exists. Scalability naturally generates policy incentives.

But structural tendency is not inexorable expansion. Arcom’s “dual anonymity” architecture is designed to limit scalability — even if borrowed by other domains, it is difficult to repurpose as a general-purpose tracking tool.³ The EUDI Wallet’s selective-disclosure design allows users to reveal only “I am over eighteen” rather than their full personal data.¹⁴ And the repeal of South Korea’s curfew law demonstrates that infrastructure expansion is not irreversible.²⁸

Centralized age-verification infrastructure as a high-value attack target is the other face of structural slope. In October 2025, 5CA, a third-party verification vendor for Discord, was breached, exposing approximately seventy thousand government ID photographs that users had uploaded for age verification.³⁴ AU10TIX’s administrative login credentials were exposed for over a year.³⁵ Tea App leaked seventy-two thousand photographs in July 2025; IDMerit’s database was exposed in November of the same year.³⁶ Each of these incidents occurred at third-party verification providers — an inherent risk of centralized architectures. On-device or zero-knowledge schemes carry a fundamentally different risk profile.

Four Shocks to Digital Rights

The human-rights impact of age-verification legislation reaches every person who needs to go online. Children are simply the first group named. Four dimensions of pressure operate simultaneously, and they reinforce one another.

Privacy. GDPR Article 8 sets the age threshold for children’s consent; Article 9 imposes higher protections on sensitive data.³⁷ Enforcing the age confirmation required by Article 8 often necessitates collecting precisely the kind of sensitive data that Article 9 is designed to protect — deploying more intrusive means to achieve a protective end. Article 8 of the European Convention on Human Rights guarantees the privacy of correspondence free from interference³⁸; age verification requires users to disclose identity information to third parties, constituting a direct interference with that guarantee. In an open letter co-signed by sixty-three digital-rights organizations, EDRi named this contradiction directly: age-verification tools “systematically leak data, whether through government ID, AI age prediction, or other methods, threatening the privacy and data-protection rights of both children and adults.”³⁹

Anonymity. The UN Human Rights Council report A/HRC/29/32 states unequivocally that states should promote strong encryption and anonymity, and that individuals have the right to use anonymous tools to protect the privacy of their digital communications.⁴⁰ Age verification, by its very nature, requires users to disclose age-related information at some point in the process, rendering it incompatible with fully anonymous browsing. The deeper paradox is this: Article 16 of the UN Convention on the Rights of the Child protects children’s right to privacy, including the right to use pseudonyms and encrypted communications.⁴¹ Age verification designed to protect children may erode the very privacy rights that belong to children themselves. In their groundbreaking 2017 study, Livingstone and Third observed that children in the digital environment are simultaneously subjects in need of protection and agents entitled to autonomy — and that the tension between these two roles is the central challenge of policy design.⁴²

Freedom of expression. The Paxton ruling is the watershed moment for free-speech impact. The EFF condemned the decision as one that “tramples free speech and undermines privacy” — forcing adults to upload sensitive personal information in order to access lawful speech.¹² The chilling effect is not hypothetical. Pornhub (owned by Aylo) chose to block access entirely in states that had implemented ID-verification laws, including Texas, Utah, and Louisiana. Aylo told CNN that traffic from Louisiana dropped by approximately eighty per cent after the law took effect.⁴³ This is self-reported data from a company with an incentive to exaggerate the impact in order to lobby against the legislation. But the broader pattern — lawful content providers exiting markets, users migrating to unregulated channels — is corroborated by multiple sources. California’s AB1043 extends age verification to any service “likely to be accessed by minors,“¹³ meaning that the barrier to information access could spread from specific content categories to general internet services.

The digital divide. Age verification presupposes that users possess government-issued identification, a bank account, a smartphone, or a biometric device. Those who lack these — the unbanked, refugees, undocumented migrants, residents of remote areas — are effectively excluded from the lawful internet.⁴⁴ India’s case illustrates the problem concretely. The DPDP Act requires platforms to obtain verifiable parental consent, but in communities with low digital literacy, children from disadvantaged backgrounds may be shut out because their parents cannot complete a digital consent process. The mechanism designed to protect children becomes the gate that excludes the most vulnerable among them.¹⁷

The 5Rights Foundation offers a useful reminder against reducing this debate to a zero-sum contest. The children’s-rights organization simultaneously argues that “age assurance is necessary” and that “age assurance must be privacy-friendly.”⁴⁵ It helped develop the IEEE 2089.1 standard, which provides a five-tier assurance framework — ranging from minimally intrusive age-range inference to full identity verification — allowing different risk levels of content to be matched with correspondingly calibrated tiers of verification.⁴⁶ The framework attempts to break the assumption that protection necessarily requires surveillance.

Better Solutions Exist, but They Are Politically Weak

If more privacy-friendly technical solutions already exist, why haven’t most countries adopted them?

Spain’s Cartera Digital Beta uses zero-knowledge proofs: the website receives only a binary valid-or-invalid result, with no exposure to personal data.²³ The EU blueprint is being tested in five countries; euCONSENT’s AgeAware uses token-based architecture with anonymization; Google and Sparkassen combine the Credential Manager API with ZKP; W3C VC 2.0’s TruAge has been running in retail since 2021.^24252627 There is no shortage of solutions.

But a 2025 analysis by Brave identified the fundamental limitation of zero-knowledge proofs with clinical precision: ZKP ensures that subsequent age confirmations no longer leak personal data, but “the first time” a user’s real age is confirmed, some trusted party still needs to see identity information.⁴⁷ If that trusted party is the government, then the government possesses, at minimum, a record of the user’s activity at the moment of initial verification. ZKP dramatically reduces the privacy risks of everyday use, but it does not eliminate them entirely.

Acknowledging this limitation, why is a ZKP scheme still vastly superior to blanket ID uploads? The difference lies in the frequency and scope of data exposure. Under a blanket ID-upload model, every access event generates a record containing complete personal data, stored on a third-party server — the Discord/5CA breach is the consequence of precisely this model.³⁴ Under a ZKP model, the initial verification occurs once; every subsequent access transmits only a non-traceable token. Even if a website is breached, the attacker obtains only tokens that cannot be linked to real identities.

Privacy-friendly solutions are politically weak for at least three reasons. The first is a timing mismatch. Most ZKP and token-based schemes did not enter pilot testing until 2025 or 2026, but legislative pressure had already built by 2023 and 2024.⁴⁸ ISO/IEC 27566-1 was not published until December 2025.¹⁰ When legislators need immediately deployable solutions, commercially mature high-intrusion options enjoy a first-mover advantage.

The second is the structure of vested interests. Yoti has processed more than a billion verifications and can present a track record to regulators.²⁰ Germany’s KJM-certified AVS systems have already formed a market.²¹ Newer ZKP-based solutions must compete against entrenched interests for both resources and regulatory attention.

The third is deployment complexity. A ZKP scheme requires coordination among at least three parties — a government ID issuer, an anonymization intermediary, and the website. ID upload or facial scanning requires only a single service provider. Under the pressure of political urgency, simpler-to-deploy solutions are naturally favored.

The EU’s systemic approach — enacting eIDAS 2.0 to establish an infrastructure framework first, then embedding age-verification functionality within it — could, if successful, become a model for the institutional adoption of better solutions.¹⁴ But the EUDI Wallet’s deployment timeline has slipped to the end of 2026, and the political pressure for age verification will not wait.

Taiwan’s Blank Slate and the World’s Closing Window

As of this writing, the author has found no age-verification legislative activity directly relevant to Taiwan. Neither the NCC nor the Ministry of Digital Affairs has introduced a related bill. This blank slate is worth noting — it could reflect deliberate caution, or it could simply be a matter of lag. With at least twenty-five countries having already activated age-verification regimes, Taiwan will eventually face the same question. When it does, its technical choices will be made within an international landscape of established practices and standards that has already taken shape.

A structural tension runs between the policy intent and the technical implementation of age-verification legislation. When “proving you are an adult” requires a digital identity infrastructure, the risk profile of that infrastructure is determined by its architectural choices. Most schemes already in operation, driven by political urgency, have chosen the high-risk end, giving child-safety mechanisms a structural tendency to expand into universal digital identity gates.

But tendency is not destiny. Arcom’s dual-anonymity architecture, Spain’s Cartera Digital Beta with its zero-knowledge proofs, the EUDI Wallet’s selective-disclosure design, the repeal of South Korea’s gaming curfew — all demonstrate that technical design and policy reversal can constrain the expansionary impulse. The necessity of protecting children is beyond dispute. What will truly determine the outcome is the architecture chosen to do the protecting. Technical choice multiplied by governance design — that is the equation that decides whether age-verification legislation ultimately lands on the side of “protective tool” or “surveillance infrastructure.” That choice is being made in countries around the world right now, and the window for getting it right is closing.

---

References

1. Australian Parliament, Online Safety Amendment (Social Media Minimum Age) Act 2024, Federal Register of Legislation C2024A00127, royal assent December 2024; eSafety Commissioner ACCS technical trial final report expected June 2025. Source grade A.
2. Ofcom, “Roadmap to Regulation,” mandatory age assurance from July 25, 2025; tick-box explicitly excluded. Source grade A.
3. Arcom, “Technical guidelines on age verification,” October 2024, “dual anonymity” technical standard; transition period through April 11, 2025. Source grade A.
4. Sidley Austin LLP analysis; EFF, “Age Verification Threats Across the Globe: 2025 in Review”; at least 21 U.S. states have enacted age-verification laws. Source grade A.
5. Brazil.gov.br, Digital ECA (Law No. 15,211/2025), passed September 2025, effective March 2026. Source grade A.
6. Library of Congress; JURIST, PP TUNAS, prohibiting those under 16 from opening accounts on high-risk platforms, effective March 2026. Source grade A.
7. Richard Wee Chambers; AVPA, Malaysia Online Safety Act 2025, effective January 2026; Baker McKenzie, UAE Federal Decree-Law No. 26/2025, effective January 2026. Source grade A.
8. Norwegian government (regjeringen.no), “Norway moves forward with age limit for social media,” 15-year social media threshold bill. Source grade A.
9. U.S. Congress, Children’s Online Privacy Protection Act (COPPA), 1998. Source grade A.
10. ISO, ISO/IEC 27566-1:2025 — Age assurance systems — Part 1: Framework, published December 2025. Source grade A.
11. U.S. Supreme Court, Free Speech Coalition, Inc. v. Paxton, No. 23-1122, decided June 27, 2025, 6:3 majority opinion. Source grade A.
12. EFF, “Today’s Supreme Court Decision on Age Verification Tramples Free Speech,” June 2025, including analysis of the Kagan, Sotomayor, and Jackson dissent. Source grade A.
13. BillTrack50; EFF, California AB1043 expanding age verification into Digital Age Assurance. Source grade A.
14. European Commission, “EUDI Regulation,” eIDAS 2.0; Baker McKenzie (March 2026), “EU: EUDI Wallet Harmonizes Identification and Age-Gating.” Source grade A.
15. China’s anti-addiction system, NPPA administrative regulations + revision of the Law on the Protection of Minors + Regulations on the Protection of Minors in Cyberspace, effective January 1, 2024. Source grade A.
16. PMC (2025), “High compliance and reduced online gaming time among Chinese adolescents after the 2021 gaming policy”; 77% evasion rate based on survey data. Source grade A.
17. India, Digital Personal Data Protection Act, 2023; Deccan Herald; Lexology analysis. Source grade A.
18. Medianama (April 2026), Andhra Pradesh exploring DigiLocker age tokens; currently at planning stage. Source grade C.
19. Ofcom enforcement records, 5 enforcement programmes and 21 investigations from October 2025; December 2025 fine of GBP 1 million against AVS Group. Source grade A.
20. Yoti (July 2025), “Facial Age Estimation White Paper”; NIST evaluation: MAE of 1.1 years for ages 13-17, ranked first (standardized photograph conditions). Source grade A.
21. Gataca; Freshfields analysis; Germany’s JMStV revised version effective December 2025; KJM certification requirements. Source grade A.
22. Tech for Good Institute (2025), “Safeguarding the Digital Generation”; Thailand’s “double lock” proposal in draft form. Source grade B.
23. Spanish government official announcement; Biometric Update, Cartera Digital Beta testing ZKP age verification from September 2024. Source grade A.
24. European Commission, “Blueprint for an age verification solution”; five-country pilot, developed by T-Scy. Source grade A.
25. euCONSENT official; Biometric Update, AgeAware PoC demonstrated in Amsterdam, April 2025. Source grade B.
26. ID Tech Wire, Google-Sparkassen ZKP pilot Q4 2025, publicly available H1 2026. Source grade B.
27. W3C, Verifiable Credentials Data Model v2.0, became W3C Recommendation May 2025; TruAge product integrating VC 2.0. Source grade A.
28. Korea Times; Korea Herald, South Korea gaming curfew law enacted 2011, repealed August 2021. Source grade B.
29. Nippon.com; Japan Times, Japan Information Distribution Platform Act effective April 2025, no mandatory age verification. Source grade B.
30. Parliament of Canada; OpenMedia, Bill C-63 died; Bill S-209 reintroduced. Source grade A.
31. IMDA official, Singapore Online Safety Code effective July 2023. Source grade A.
32. El-Balad; State of Surveillance, reporting on Ireland’s Public Services Card expansion. Source grade B.
33. State of Surveillance (2026); GOV.UK official announcements, One Login to Wallet evolution. Source grade B.
34. NBC News (2025), “70,000 government ID photos exposed in Discord user hack,” October 2025. Source grade B.
35. EFF; security researcher reports, AU10TIX credentials exposed for over one year. Source grade B.
36. Regula Forensics (2025), “5 Identity Verification Incidents That Shook 2025”; Tea App 72,000-photo leak (July 2025); IDMerit database exposure (November 2025). Source grade B.
37. GDPR Art. 8 (age of consent for children) and Art. 9 (special protection for sensitive data). Source grade A.
38. European Convention on Human Rights Art. 8. Source grade A.
39. EDRi, “Open letter: The dangers of age verification proposals to fundamental rights online”; 63 organizations co-signed. Source grade A.
40. OHCHR, A/HRC/29/32: Report on encryption, anonymity, and the human rights framework, 2015. Source grade A.
41. UN Convention on the Rights of the Child Art. 16. Source grade A.
42. Livingstone, S. & Third, A. (2017). “Children and young people’s rights in the digital age.” New Media & Society, 19, 657-670. Source grade A.
43. CNN; Aylo self-reported approximately 80% traffic drop for Pornhub in Louisiana. Source grade B (self-reported data).
44. EFF (December 2025), “The Year States Chose Surveillance Over Safety”; exclusionary effects of age verification on populations lacking ID. Source grade B.
45. 5Rights Foundation, “Access restrictions to protect children and their rights.” Source grade A.
46. 5Rights Foundation, “Age Assurance as a spectrum”; IEEE 2089.1 standard five-tier assurance framework. Source grade A.
47. Brave (2025), “The limits of zero-knowledge for age-verification”; ZKP does not solve the initial verification problem. Source grade A.
48. EFF (April 2025), “Digital Identities and the Future of Age Verification in Europe.” Source grade A.