Their technical analysis catalogs all major implementation approaches — government ID upload, credit card verification, third-party identity oracles, facial age estimation, and device-level age tokens — and concludes that none can verify age without touching the underlying identity itself. They argue this is not a bug but a structural inevitability: age is a derived attribute of identity, making surveillance capability an inherent byproduct.
Submitted the BOTE Project's findings to Hacker News where it reached 250 points, signaling strong community agreement with the thesis that age verification mandates are effectively building general-purpose surveillance systems under the guise of child protection.
They trace the data flows of the most privacy-friendly proposal — device-level age tokens — and show that even this approach requires a token issuer who knows the user's real identity and the fact that they verified their age. This creates a centralized chokepoint that knows who is accessing age-gated content, undermining the privacy claims of the architecture.
The editorial notes that at least 19 US states, the EU's Digital Services Act, and the UK's Online Safety Act are all pushing age verification mandates simultaneously. Despite differing in scope, they all converge on the same unsolved technical problem — proving age without creating surveillance — yet legislation is advancing regardless.
The BOTE Project published a detailed technical analysis of age verification systems currently mandated or proposed across multiple US states and the EU, examining the surveillance infrastructure these laws require. The findings, which hit 250 points on Hacker News, lay out a simple thesis: every age verification architecture proposed to date creates a mass surveillance capability as a structural side effect, not a bug.
The legislative momentum is real. At least 19 US states have enacted or introduced age verification requirements for online platforms, primarily targeting adult content but increasingly extending to social media. The EU's Digital Services Act includes age assurance provisions. The UK's Online Safety Act mandates age verification for platforms likely to be accessed by children. Each jurisdiction is slightly different in scope, but they converge on the same technical problem: proving a user is over a threshold age before granting access.
The BOTE Project's research catalogs the major implementation approaches — government ID upload, credit card verification, third-party identity oracles, facial age estimation, and device-level age tokens — and finds that none of them achieve the stated goal without creating something far more powerful than an age gate.
The core technical problem is straightforward, and developers who've worked on identity systems will recognize it immediately: age is a derived attribute of identity, and you cannot verify a derived attribute without touching the underlying identity itself.
Consider the most "privacy-preserving" approach currently proposed: a device-level age token. The idea is that a user verifies their age once with a trusted provider, receives a cryptographic token stored on their device, and presents that token to websites. No personal data leaves the device after the initial verification. Sounds reasonable — until you trace the data flows.
The token issuer knows your real identity (they verified it). The token itself, even if it contains no PII, is a stable identifier that correlates visits across sites. If the token is per-site to prevent correlation, the issuer needs to know which site you're visiting to issue a scoped token — creating a complete browsing log at the issuer. If the token is universal to avoid that, you've built a supercookie. There is no configuration of this system that doesn't create a surveillance-capable chokepoint somewhere in the chain.
Facial age estimation — the approach favored by companies like Yoti — avoids the identity binding problem but introduces biometric collection at scale. When you normalize submitting a face scan to access a website, you've built the infrastructure for facial recognition surveillance and simply promised not to use it that way. The technical capability precedes the policy constraint, and history suggests which one yields first.
The ID upload approach, used in states like Louisiana and Texas, is the most obviously dangerous: users submit government-issued identification directly to websites or third-party verifiers. Data breach statistics make the outcome predictable. The state of Louisiana's initial implementation had websites retaining ID data — a honeypot linking real identities to browsing patterns that any competent attacker would target.
What makes the BOTE Project's analysis particularly useful for developers is the structural argument: these aren't implementation flaws that better engineering can fix. They're inherent properties of the problem. Verifying age at the point of content access mathematically requires creating a linkage between identity and content consumption — the exact data structure that defines surveillance.
If you're building a platform that falls under these mandates, you face a genuine engineering dilemma. The law requires you to verify age. Every method of verifying age creates liability you don't want and data you shouldn't hold.
The pragmatic reality: most compliance implementations today use third-party age verification providers — companies like Yoti, VerifyMy, or Agora — that act as intermediaries. This offloads some liability but doesn't eliminate the structural problem. You're now dependent on a third party's security practices for data that, if breached, creates existential legal exposure. And you're paying per-verification fees that scale with your user base, creating a compliance cost that disproportionately burdens smaller platforms.
For developers evaluating compliance architectures, the key question isn't "which verification method is most private" — it's "which creates the least durable surveillance capability when (not if) the regulatory scope expands." Louisiana's law started with adult content. Utah's expanded to social media. The EU's covers any platform "likely to be accessed by children" — which is functionally every website.
Some concrete defensive measures if you must implement age verification:
- Minimize retention. Verify and discard. If your provider retains verification records, that's a liability, not a feature. Demand contractual deletion guarantees with audit rights. - Avoid biometrics. Facial estimation creates biometric data under BIPA-style laws in Illinois, Texas, and Washington. The compliance cost of holding biometric data exceeds the convenience. - Isolate the verification flow. The age check should be architecturally separated from your application — different subdomain, different server, no shared cookies or session state. When the inevitable breach or subpoena hits the verification system, your application data should be unreachable. - Log the minimum. A boolean "verified: yes" with a timestamp is all your application needs. Don't store the method, the provider's response payload, or any intermediate data.
The age verification debate is really a proxy war over whether the internet's default architecture should include identity verification at the access layer. The "protect the children" framing makes opposition politically expensive, which is precisely why it's the chosen vehicle. Developers should watch the W3C's Privacy-Preserving Age Verification work and the emerging "age estimation" API proposals — not because they solve the problem, but because whatever ships in browsers becomes the de facto standard that every jurisdiction's law will reference. The infrastructure you build for age verification today is the identity infrastructure governments will mandate for everything tomorrow. Build accordingly — which means building as little of it as possible.
I wonder if not private age verification could not be solved with the right cryptographic protocol.You would have to register using a digital ID with a government agency, to get a age certificate. Most European countries already have digital IDs, used for all sorts of things: such as taxes, online b
It's easy-ish to verify someone is human and of-age without needing any intrusive agent. One big problem is that the folk pushing for surveillance via verification hate that model and have capital to crush the idea. Another is adoption of some system that works; where the perfect blocks what&#x
So to avoid it all I have to do is stop using social media? LGTM
what do governments get out of this? Like I get it from ad/commercial perspective, but I don't see how this is highly unpopular from governments and still being implemented
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
I wish people would stop sharing this website, their research is massively written by LLMs and looks good at a glance, but it goes in every direction at the same time and lacks logical connections. And the claims don't really match their sources.Their initial publication was backed by a Git rep