It’s a beautiful Sunday afternoon, and I should be spending the day developing Conclave and playing Resident Evil Requiem. Yet here I am, writing this blog, because a topic important enough has come up to warrant the diversion:

Online Age Verification.

I have previously written about this on my Telegram channel, but you can only write so much in Telegram and it lacks depth. Thus, this article is born, and I hope you learn something from this deeper dive.

What Happened

In October of 2025, California passed Assembly Bill 1043, also known as the Digital Age Assurance Act. This bill requires all operating system (OS) providers to record the user’s age at account creation, and send the user’s age bracket to online service providers.

The California bill stirred up a lot of discussions, but this age verification trend isn’t new. Many similar laws have passed elsewhere in the world:

• In 2023, the UK passed the Online Safety Act, and it came into effect on March 17, 2025. Platforms must now use “highly effective age assurance” to protect children from harmful content online.
• Australia amended their Online Safety Act in 2024. As of December 10, 2025, all children under the age of 16 are barred from using social media.
• Brazil passed Law 15.211/25 (the Digital Child and Adolescent Statute) in 2025, which requires all IT products and services in Brazil to have protective designs by default.
• Canada is also considering banning social media for kids.

Additionally, more similar bills have been enacted or are pending in the U.S.:

“So many laws are passing to protect the kids,” you might think. It’s a good thing, right? You’ll soon learn that couldn’t be further from the truth. It’s quite the opposite.

It Has Never Been About the Kids

It is comical how much consensus there is, at least among the technically literate communities, that these “child protection” laws were never about protecting the children, but about capital interests, control and surveillance. I have spoken to dozens of family members, friends, and strangers on the Internet, and everyone agrees, without hesitation, that these “child protection” bills aren’t actually for protection of the children.

Comment from Louis Rossmann’s video.

Then why is every country and state doing it?

A Reddit user conducted thorough research, using publicly verifiable information, that Meta (formerly known as Facebook) is the culprit pushing all these laws. From the user’s analysis report:

Meta spent a record $26.3 million on federal lobbying in 2025, deployed 86+ lobbyists across 45 states.

From the Cambridge Analytica scandal to recently removing E2EE support from Instagram, Meta has built a reputable brand for not giving a f___ about user privacy. At this point, this should be common sense, and I shall not waste more words proving that. I don’t believe Meta is lobbying for these laws out of the sheer goodness of their heart wanting to protect children, so why are they spending millions pushing these laws? They won’t tell us, but below are some educated guesses:

1. Shifting the compliance burden and risks to operating system providers. Under the federal Children’s Online Privacy Protection Act (COPPA), platforms face fines of $50,000 per violation if they knowingly collect data from users under 13 without parental consent. AB 1043 and other similar laws require operating system providers to verify the users’ ages, so compliance burden and risks are off Meta’s shoulders. In other regions, Meta also uses third-party platforms like Yoti to perform age verification.
2. Maintaining competitive advantage. In regions such as the UK, requiring age verification for all online platforms creates barriers to entry. Meta can afford building the age verification infrastructure and paying third-party platforms like Yoti to comply with these regulations, while smaller companies and free content providers might not. This creates an advantage for Meta in the competition against smaller players.
3. Eliminating anonymity. Current age verification approaches typically require users to upload their government-issued ID and scan their faces with a third-party verification service provider like Persona or Yoti. This associates the person’s real-life identity with their online accounts, removing anonymity. Persona was also just found to collaborate with and share user personal information with the U.S. Government.
4. Collecting additional data. Meta gets to collect additional data such as the users’ driver licenses, legal names, precise age, which potentially allows them to better target advertisements for the users and to better train their AI models.
5. Normalizing surveillance infrastructure. Age verification requirements create permanent infrastructure for age classification at the device level, a great foundation for broader digital ID systems.

It is also no secret that the U.S. government loves to spy on its own citizens, so it might be reasonable to suspect that the governments and law enforcement also have great interest in passing these laws. In fact, the federal government is pushing the Kids Online Safety and Privacy Act (KOSPA), ending online anonymity and creating unprecedented mass surveillance.

According to an EFF report, Minnesota representative Leigh Finke pointed out, when she testified before the Minnesota House Commerce Finance and Policy Committee against bill HF1434, that the age verification laws aren’t protecting the children, but are instead used as tools to limit freedom of speech and access to information, particularly for LGBTQ+ youth who rely on the Internet for vital resources and community.

When EFF conducted a survey and asked thousands of young people how they felt about KOSPA, many oppose the bill, stating that the bill will be harmful to minors.

Image by EFF.

The Internet multinational mega-corporations and modern Gestapo have much to gain from the passage of these laws, while the real benefits for the kids and the youth’s opinions were ignored. These bills are pushing capital interests, control, and surveillance, not protecting the kids. “Protecting the kids” is the moral high ground, and a convenient excuse.

Against OS-Based Age Verification

Meta and the governments have their hidden agenda, and they likely aren’t acting on sheer goodwill. However, let’s give them the benefit of the doubt and follow Hanlon’s razor for a second, pretending that they are benign. Would their suggested operating-system-based age verification make sense? I think not, and here’s why:

1. It won’t protect children any better. AB 1043 does not require operating system providers to actually verify the user’s age. People can claim to be however old they wish, just like any kid can click the “I’m over 18” button on pornographic websites.

2. Storing PII (Personally Identifiable Information) in the operating system is a massive risk. In the old model, where users fill in their age on the website, only that website gets their age information. When this information is stored in the operating system, like in systemd’s userdb, any unsandboxed application running on the system can read it, including malware.

3. It is unreasonable to shift the compliance costs onto FOSS developers. In the old model, content providers are responsible for verifying the age of their users. They make money from their services to cover the compliance costs. With AB 1043, open source developers working on Linux installers and display managers are now suddenly liable for verifying user ages, even though they probably don’t make any money from it and have nothing to do with online content. They also risk getting fined $2,500 per accidental violation per child, while not making any money from the services. This is unjustifiable.

4. Operating systems outside of California will have age verification logic stuffed into them. If an operating system wants to be legal in California, it has to implement age verification. However, considering code maintainability and distribution costs, vendors will most likely not be able to maintain a separate code base or compile a separate release of the operating system just for California. This means these operating systems, distributed for other regions, will also have age verification logic in them. Case in point, XDG is considering to add support for parental controls. If they add it, this code will likely be on every Linux Desktop, whether they’re in California or not.

5. Compliance requirements impede technical advancement. Operating system providers risk facing millions of dollars of fines in California, and there are associated costs to adding age verification features. Many providers, as you can see in this list, will simply geo-block California and refuse to provide service to regions with age verification laws. This hinders innovation and is a loss for the entire world.

6. These age verification features are paving the way for even more similar laws in other states and countries. Now that the infrastructure is in place, the regions that might have otherwise rejected similar laws on the grounds of technical feasibility and implementation costs can now follow up with a similar law. Existing totalitarian states can also make use of these tools to conduct further mass surveillance on their citizens.

The legislators either are ignorant and got tricked by Meta into enacting laws without understanding how technology works, or worse, colluded with or were bribed by Meta and deliberately steered things in this direction, knowing the consequences. Either way, these are bad laws, and should never have been enacted.

Alternative Approaches to Protecting Kids Online

As we talked about, the current age verification laws that are being pushed are malicious, or at best, ineffective. Yet, we still need to protect the kids from the truly harmful content online. What could parents and legislators actually do to effectively protect kids online? Here are some personal recommendations:

1. Hold the parents accountable. A child’s parents chose to give birth to that child. The parents are adults who should be responsible for their own doings. Child neglect is a crime in many countries, and in all 50 states in the U.S. If a parent forgets to feed their kids, they are committing a crime. How is neglecting the kids’ online safety all of a sudden entirely someone else’s responsibility? The parents should parent. Punishments will ensure that they do.
2. Use an age verification solution based on Zero-Knowledge Proofs (ZKPs). ZKP allows users to produce cryptographic proof about their claims without revealing additional information. For example, a pornographic website can verify, using cryptographic proof, that a user is over 18 years old, without knowing their name or driver’s license ID. Google Wallet already uses ZKP to allow users to prove their ages without revealing their full identity. Additionally, many vendors are releasing different libraries to help service providers and governments build their own ZKP infrastructure, such as Microsoft’s Nova and Google’s Longfellow ZK. ZKP is a great way to reliably verify the users’ ages while protecting their privacy. You can read more about this on Soatok’s blog.
3. Educate the parents. Parents need to know how to properly educate their children, and how to setup their devices to protect their children online. Provide the parents with educational material, or even mandatory courses to teach the parents how to parent their kids, including how to communicate with the kids, how to teach the kids about sex, and other important aspects about parenting. Companies like Apple, Google, and Microsoft also provide guides on how to setup parental controls on their devices and services.
4. Educate the children. Simply blocking people under a certain age from accessing certain content isn’t the best solution to the underlying problems. People don’t suddenly gain extra knowledge and self-control the day they turn 18. Many adults still lack proper sex and other education. The society should ensure kids are adequately educated and have the right concepts on sex, violence, etc., so they don’t develop mental issues, make dumb choices, or harm others. Provide guidance rather than blockage. From personal experience – you can’t stop them from getting around the blockades anyways.

Act Now and Block the Bills

As we established above, these age verification bills:

• don’t help protect the kids (any better than existing measures);
• kill online anonymity and privacy;
• create mass surveillance; and
• impede economic and technological advancements.

Therefore, we should block these bills and seek alternative measures.

Image by EFF.

“But I really don’t care as much,” I hear you mumble. Sure. Privacy might not be a concern for you, but it is for many more, like me. Online anonymity and privacy could also be a matter of life and death for people like whistle-blowers, journalists, and activists. The kind of people we, the ordinary, rely on to keep the society running free of corruption and tyranny. If you still have questions about why we should keep high standards of privacy, I recommend that you watch Glenn Greenwald’s TED Talk “Why privacy matters.”

If you think other activists and liberal politicians will just let things play out, think again. Democracy doesn’t work by people lying on their couches watching Major League, or huddling up in their gaming chairs playing Stardew Valley, hoping the world will somehow become a better place tomorrow. Rights are never granted. Rights are earned. In a democracy, everyone needs to care and act.

So I implore you to act. Spread the word. Tell your friends. Tell your lawmakers this quote from Louis Rossmann:

If this is how you’re gonna spend your time, I’m not voting for you the next time, and I don’t care who the other guy is.

If you have the means and you really care, consider donating to advocates like the EFF like I did so they can lobby for digital privacy and free speech:

These Are Dire Times for Privacy and Free Speech

We have been inundated with horrible news in the past few years – all the age control laws, the EU wanting to kill all private digital communications, Canada seeking to give police unwarranted access to all digital service metadata, Russia banning Telegram, the U.S. Government buying advertising data for mass surveillance… the list just goes on.

Image by EFF.

However, the worst thing that could really happen right now, is you losing hope and giving up. This is especially true for people living in democratic countries. If there’s enough will, things can still be turned around. Like I said earlier in this article, rights aren’t granted, but earned. Keep fighting for your privacy and your rights. There will come a time when we see the light of day.

By the way, I’m building Conclave, an E2EE, MLS-based chat protocol to fight censorship and make secure communications more accessible for everyone. If you’re interested, come take a look, or help out.

This article is licensed under CC BY 4.0.