AVPA, academics, advocacy groups trade letters over age assurance tech

New rifts have opened up in the debate over the safety and privacy status of age assurance technology. An open letter signed by nearly 400 scientists and academics argues that “age assurance technologies to implement access control to internet services,” and the regulations that mandate their use, do more harm than good.

The letter has drawn a response from the Age Verification Providers Association (AVPA), which says the scientist’s arguments are based on false assumptions and evaluate age assurance “through the lens of worst case, centralised and identity heavy implementations.”

In tandem, a coalition of the Center for Democracy & Technology (CDT), the Software & Information Industry Association (SIIA) and libertarian conservative thinktank Americans for Prosperity (AFP) has sent a letter to the House Committee on Energy and Commerce, suggesting methods for age assurance currently under consideration by U.S. legislators “create unprecedented risks to the privacy, security, and constitutional rights of all Americans.”

This, too, has drawn a response from AVPA, which has now sent its own letter to the committee, saying that the CDT and company’s letter “reflects an outdated understanding of modern age assurance technologies and creates a false dichotomy between child protection and civil liberties.”

CDT, SIIA, Koch family: age assurance forces platforms to collect identity data

The CDT, which has been fighting online safety legislation since 1994, says in its letter that “mandatory age verification for products and services risks forcing the collection of deeply personal information, including potentially biometrics data or government IDs, when it is unnecessary.”

Age assurance requirements, it says, conflict with data minimization principles, in that they “force platforms or their chosen age verification partner to know more about their users, creating massive databases of identity documents and facial scans that are prime targets for cybercriminals.”

No age assurance objection would be complete without an appeal to the First Amendment, and this is no exception: “Mandatory age verification restricts access to constitutionally protected speech for everyone,” says the letter. It chills anonymous speech, a “cornerstone of American democracy.” And, it “creates serve as a total barrier to the modern town square, creating an inequitable digital divide.”

The signatories have suggestions on what to do instead. They call on Congress to pass a comprehensive federal privacy law (last tried for in 2024). And they urge Congress to “incentivize adoption of less intrusive age assurance methods.”

“Empowering parents and youth with control over their data and their online experience and giving them choice about how to communicate and signal age to online services could trigger additional guardrails based on company policies and can help families navigate the online world.”

AVPA responds: age assurance doesn’t mean what you think it means

The group’s language is rife with errors and elisions. At best, it demonstrates insufficient knowledge of the technology being discussed, as in the assertion that age verification “forces platforms to know more about their users.

At worst, it’s just more lobbying against regulations in principle, funded by the wealth of billionaires. Americans for Prosperity is the primary political advocacy group for the Koch family, and the reference to “the modern town square” is lifted from arguments from social media firms, which have anointed themselves as such. (Indeed, NetChoice, which litigates online safety laws on behalf of Big Tech, has been quick to repeat some of its inaccuracies in a celebratory statement.)

AVPA’s letter sums up the problems with the letter succinctly: “Protecting minors online does not require the creation of centralized identity databases, nor does it require platforms to collect government identification documents. Contemporary age assurance systems are specifically designed to avoid those outcomes. Indeed, the essence of age verification is proving your age without disclosing your identity.”

In other words, age assurance is not identity assurance: “Age assurance, when properly designed, does not eliminate anonymity. It completely separates identity from age eligibility. A user can demonstrate that they are over 18 without disclosing their name, address, specific date of birth or government ID to a website. That is fundamentally different from identification.”

AVPA has been making its argument to various government bodies for years, and as such has some direct suggestions of its own on how Congress might address the issue: Establish “clear outcome-based standards for ‘highly effective’ age assurance rather than prescribing specific technologies,” implement independent testing, audit and certification mechanisms, explicit data minimization and role-separation requirements, and clear accountability for platforms to prevent underage use or harm.

“Carefully designed, standards-based age assurance can materially reduce minors’ exposure to age-restricted content and high-risk functionality while preserving anonymity, preventing personal data retention and respecting constitutional protections.”

Scientists and academics: we don’t know yet what effect age checks will have

Meanwhile, the joint statement of security and privacy scientists and researchers on age assurance comes at the argument from the perspective of enabling kids to access and safely use all the internet tools available to them. “Current discussions regarding the need for regulating social media, AI chatbots, or instant messaging would require all users – minors and adults – to prove their age to converse with friends and family, read news, or search for information; well beyond what has ever happened in our offline lives.”

The major flaw here is ignoring a by-now well established fact: social media has been purposefully designed to be addictive. When the intention of the tools themselves rests on bad faith, they do not qualify as neutral, enabling communication mechanisms; no one is ever just reading the news on Facebook, whether they recognize it or not.

Finally, the argument against age assurance technologies points back at the platforms and services it is attempting to frame as cornerstones of free speech.

“We are writing this letter to call for a moratorium on deployment plans until the scientific consensus settles on the benefits and harms that age-assurance technologies can bring, and on the technical feasibility of such a deployment,” it says. “Two critical issues have not been addressed: whether age assurance is efficacious and what the potential damages to general security and privacy are.”

“We believe that it is dangerous and socially unacceptable to introduce a large-scale access control mechanism without a clear understanding of the implications that different design decisions can have on security, privacy, equality, and ultimately on the freedom of decision and autonomy of individuals and nations.”

AVPA: actually we do know quite a bit about age checks, thanks

Australia is in the process of measuring just how efficacious age assurance technologies are, and what impacts they have on privacy and safety. The Age Assurance technology Trial evaluated a range of age assurance technologies and published the results in an extensive final report.

Meanwhile, the assumption that social media firms should be able to operate as load bearing elements of culture and society, with minimal regulation, has become so ingrained as to be taken for gospel.

The letter raises some valid concerns, but its assertions have already largely been answered elsewhere. AVPA lists them in bullet form: “Age assurance does not require universal identity disclosure.” The ability to bypass age checks is not a disqualifying feature; “no regulatory safeguard achieves perfect compliance.” Tokenised and reusable age attributes can operate without exposing underlying identity; there is no need for government ID. The risk of migration to fringe sites “argues for consistent enforcement, not policy abandonment.”

In short (again), age assurance is not identity verification, it’s not promising to be a perfect solution but rather a piece of the online safety puzzle.

“The open letter correctly identifies real implementation risks,” AVPA says. “However, many criticisms assume either flawed centralized models or an unrealistic standard of perfect effectiveness. Privacy preserving, decentralized, standards-based age assurance can materially reduce harm when implemented as one component of a layered child protection framework.  The age verification sector has been acutely conscious of these concerns for years, and continuously evolves to mitigate the risks.”

“The choice is not between total surveillance and total inaction. It is between imperfect but ever-improving safeguards, and continued unmitigated exposure of minors to well-documented online risks.”

Outdated dream of a utopian internet ignores what it has become

At the core of the issue are fundamental ideas about what the internet should or must be. A LinkedIn post from Bart Preneel, a professor at the University of Leuven in Belgium, illustrates the conceptual stakes: “Countries including Australia and several EU Member States are advancing age-verification laws. What once seemed unthinkable – systematic access control to the internet – is becoming mainstream policy.”

This “shifts the default from trust to systematic control and could undermine the internet’s role as a space for information, community and democratic participation” and contradicts the end-to-end principle of internet design.

The suggestion exposes the gap between the academic position and how most people experience the online world. For one, as AVPA points out, the internet is already regulated; just ask your bank. More generally, the notion that the internet – home of 4chan, Grok the AI Nudification Bot, and suicide-coach large language models – is still “a space for information, community and democratic participation” is a laughable naivete rooted in an outdated technoutopian vision that has not come to pass.

One wonders how the academics might respond to the question framed differently: “How is the end-to-end principle realized in the model of an internet controlled by four or five guys on yachts?” It’s high time to take off the rosy glasses, and see the internet for what it is.

Article Topics

age verification  |  AVPA  |  Center for Democracy & Technology  |  digital identity  |  legislation