A growing coalition of computer scientists, privacy researchers, and security experts has signed an open letter opposing age verification mandates, some of which are scheduled to take effect in January 2027. The letter, hosted at csa-scientist-open-letter.org, argues that the technical approaches governments are demanding don’t actually work as promised — and that they’d create massive new privacy and security risks for everyone online, not just minors.
The core argument is blunt. No existing age verification system can reliably confirm a user’s age without simultaneously collecting sensitive personal data — government IDs, biometric scans, or behavioral profiling — that becomes a target for breaches, surveillance, and misuse. The signatories aren’t saying child safety doesn’t matter. They’re saying the proposed technical solutions are fundamentally flawed.
This matters right now because multiple jurisdictions are converging on similar mandates. In the United States, a wave of state-level laws requiring age verification for adult content sites has accelerated since Louisiana’s Act 440 took effect in 2023. Texas, Virginia, Utah, and more than a dozen other states have passed or proposed similar requirements. The UK’s Online Safety Act, enforced by Ofcom, includes age verification provisions that platforms are scrambling to implement. Australia passed legislation in late 2024 effectively banning children under 16 from social media, with enforcement mechanisms still being worked out. And the EU’s Digital Services Act touches on age assurance obligations as well.
Early 2027 appears to be a critical compliance deadline for several of these overlapping frameworks. The open letter is timed to land before platforms and regulators lock in their technical approaches.
So what specifically do the scientists object to? Several things. First, identity verification systems that require uploading a government-issued ID create honeypots of personal data. We’ve seen what happens with those — breaches at companies like Equifax, T-Mobile, and countless others have exposed hundreds of millions of records. Adding a new requirement that millions of people hand over ID documents to access websites dramatically expands the attack surface. Second, biometric age estimation — using AI to guess someone’s age from a selfie — is inaccurate across demographics, particularly for people of color and transgender individuals, as research from the National Institute of Standards and Technology (NIST) has repeatedly documented. Third, any system that logs what sites a person visits and ties that activity to a verified identity is, by definition, a surveillance infrastructure. Even if built with good intentions.
The letter also takes aim at so-called “privacy-preserving” age verification tokens. These are cryptographic schemes where a third party confirms a user’s age and issues a token that a website can check without learning the user’s identity. In theory, elegant. In practice, the signatories argue, these systems still require a trusted third party that knows both your identity and the fact that you’re requesting access to age-restricted content. That’s a single point of failure. And trust in third parties has a poor track record.
Not a hypothetical concern. VPNs marketed as privacy tools have been caught logging user data. Certificate authorities have been compromised. The scientists are saying: don’t build a system whose safety depends on every actor in the chain behaving perfectly forever.
Industry reaction has been split. Groups like the TechFreedom think tank and the Electronic Frontier Foundation have long opposed age verification mandates on both technical and First Amendment grounds. The EFF has called these laws “a backdoor to universal internet ID.” On the other side, organizations like the National Center on Sexual Exploitation and various children’s advocacy groups argue that the status quo — essentially an honor system where websites ask users to click a button confirming they’re 18 — is failing kids.
Platform companies are in an awkward position. Pornhub’s parent company Aylo pulled out of several US states rather than comply with age verification laws, arguing the requirements drive users to less regulated sites. Meta, meanwhile, has publicly supported federal age verification legislation, a move critics read as an attempt to shift liability away from platform design choices and onto a government-mandated system.
The scientists behind the letter aren’t proposing that nothing be done. They suggest device-level parental controls, investment in digital literacy programs, and enforcement against platforms that actively target minors — approaches that don’t require building new centralized identity infrastructure. Whether legislators find that persuasive is another question entirely.
But the letter’s real value is as a technical reality check. Politicians on both sides of the aisle have treated age verification as a solved engineering problem. It isn’t. And hundreds of researchers with direct expertise are now saying so publicly, with their names attached, before these mandates become locked-in policy. That should give regulators pause — though given the political incentives around child safety legislation, it may not.
WebProNews is an iEntry Publication