So, You’ve Hit An Age Gate. What Now?

from the getting-around-the-age-gate dept

EFF is against age gating and age verification mandates, and we hope we’ll win in getting existing ones overturned and new ones prevented. But mandates are already in effect, and every day many people are asked to verify their age across the web, despite prominent cases of sensitive data getting leaked in the process.

At some point, you may have been faced with the decision yourself: should I continue to use this service if I have to verify my age? And if so, how can I do that with the least risk to my personal information? This is our guide to navigating those decisions, with information on what questions to ask about the age verification options you’re presented with, and answers to those questions for some of the most popular social media sites. Even though there’s no way to implement mandated age gates in a way that fully protects speech and privacy rights, our goal here is to help you minimize the infringement of your rights as you manage this awful situation.

Follow the Data

Since we know that leaks happen despite the best efforts of software engineers, we generally recommend submitting the absolute least amount of data possible. Unfortunately, that’s not going to be possible for everyone. Even facial age estimation solutions where pictures of your face never leave your device, offering some protection against data leakage, are not a good option for all users: facial age estimation works less well for people of color, trans and nonbinary people, and people with disabilities. There are some systems that use fancy cryptography so that a digital ID saved to your device won’t tell the website anything more than if you meet the age requirement, but access to that digital ID isn’t available to everyone or for all platforms. You may also not want to register for a digital ID and save it to your phone, if you don’t want to take the chance of all the information on it being exposed upon request of an over-zealous verifier, or you simply don’t want to be a part of a digital ID system.

If you’re given the option of selecting a verification method and are deciding which to use, we recommend considering the following questions for each process allowed by each vendor:

  • Data: What info does each method require?
  • Access: Who can see the data during the course of the verification process?
  • Retention: Who will hold onto that data after the verification process, and for how long?
  • Audits: How sure are we that the stated claims will happen in practice? For example, are there external audits confirming that data is not accidentally leaked to another site along the way? Ideally these will be in-depth, security-focused audits by specialized auditors like NCC Group or Trail of Bits, instead of audits that merely certify adherence to standards. 
  • Visibility: Who will be aware that you’re attempting to verify your age, and will they know which platform you’re trying to verify for?

We attempt to provide answers to these questions below. To begin, there are two major factors to consider when answering these questions: the tools each platform uses, and the overall system those tools are part of.

In general, most platforms offer age estimation options like face scans as a first line of age assurance. These vary in intrusiveness, but their main problem is inaccuracy, particularly for marginalized users. Third-party age verification vendors Private ID and k-ID offer on-device facial age estimation, but another common vendor, Yoti, sends the image to their servers during age checks by some of the biggest platforms. This risks leaking the images themselves, and also the fact that you’re using that particular website, to the third party. 

Then there are the document-based verification services, which require you to submit a hard identifier like a government-issued ID. This method thus requires you to prove both your age and your identity. A platform can do this in-house through a designated dataflow, or by sending that data to a third party. We’ve already seen examples of how this can fail. For example, Discord routed users’ ID data through its general customer service workflow so that a third-party vendor could perform manual review of verification appeals. No one involved ever deleted users’ data, so when the system was breached, Discord had to apologize for the catastrophic disclosure of nearly 70,000 photos of users’ ID documents. Overly long retention periods expose documents to risk of breaches and historical data requests. Some document verifiers have retention periods that are needlessly long. This is the case with Incode, which provides ID verification for TikTok. Incode holds onto images forever by default, though TikTok should automatically start the deletion process on your behalf.

Some platforms offer alternatives, like proving that you own a credit card, or asking for your email to check if it appears in databases associated with adulthood (like home mortgage databases). These tend to involve less risk when it comes to the sensitivity of the data itself, especially since credit cards can be replaced, but in general still undermine anonymity and pseudonymity and pose a risk of tracking your online activity. We’d prefer to see more assurances across the board about how information is handled.

Each site offers users a menu of age assurance options to choose from. We’ve chosen to present these options in the rough order that we expect most people to prefer.

Meta – Facebook, Instagram, WhatsApp, Messenger, Threads

Inferred Age

If Meta can guess your age, you may never even see an age verification screen. Meta, which runs Facebook, Threads, Instagram, Messenger, and WhatsApp, first tries to use information you’ve posted to guess your age, like looking at “Happy birthday!” messages. It’s a creepy reminder that they already have quite a lot of information about you.

If Meta cannot guess your age, or if Meta infers you’re too young, it will next ask you to verify your age using either facial age estimation, or by uploading your photo ID. 

Face Scan

If you choose to use facial age estimation, you’ll be sent to Yoti, a third-party verification service. Your photo will be uploaded to their servers during this process. Yoti claims that “as soon as an age has been estimated, the facial image is immediately and permanently deleted.” Though it’s not as good as not having that data in the first place, Yoti’s security measures include a bug bounty program and annual penetration testing. Researchers from Mint Secure found that Yoti’s app and website are filled with trackers, so the fact that you’re verifying your age could be not only shared to Yoti, but leaked to third-party data brokers as well. 

You may not want to use this option if you’re worried about third parties potentially being able to know you’re trying to verify your age with Meta. You also might not want to use this if you’re worried about a current picture of your face accidentally leaking—for example, if elements in the background of your selfie might reveal your current location. On the other hand, if you consider a selfie to be less sensitive than a photograph of your ID, this option might be better. If you do choose (or are forced) to use the face check system, be sure to snap your selfie with nothing in the background that could identify your location or embarrass you in case the image leaks.

Upload ID

If Yoti’s age estimation decides your face looks too young, or if you opt out of facial age estimation, your next recourse is to send Meta a photo of your ID. Meta sends that photo to Yoti to verify the ID. Meta says it will hold onto that ID image for 30 days, then delete it. Meanwhile, Yoti claims it will delete the image immediately after verification. Of course, bugs and process oversights exist, such as accidentally replicating information in logs or support queues, but at least they have stated processes. Your ID contains sensitive information such as your full legal name and home address. Using this option not only runs the (hopefully small, but never nonexistent) risk of that data getting leaked through errors or hacking, but it also lets Meta see the information needed to tie your profile to your identity—which you may not want. If you don’t want Meta to know your name and where you live, or rely on both Meta and Yoti to keep to their deletion promises, this option may not be right for you.

Google – Gmail, YouTube 

Inferred Age

If Google can guess your age, you may never even see an age verification screen. Your Google account is typically connected to your YouTube account, so if (like mine) your YouTube account is old enough to vote, you may not need to verify your Google account at all. Google first uses information it already knows to try to guess your age, like how long you’ve had the account and your YouTube viewing habits. It’s yet another creepy reminder of how much information these corporations have on you, but at least in this case they aren’t likely to ask for even more identifying data.

If Google cannot guess your age, or decides you’re too young, Google will next ask you to verify your age. You’ll be given a variety of options for how to do so, with availability that will depend on your location and your age.

Google’s methods to assure your age include ID verification, facial age estimation, verification by proxy, and digital ID. To prove you’re over 18, you may be able to use facial age estimation, give Google your credit card information, or tell a third-party provider your email address.

Face Scan

If you choose to use facial age estimation, you’ll be sent to a website run by Private ID, a third-party verification service. The website will load Private ID’s verifier within the page—this means that your selfie will be checked without any images leaving your device. If the system decides you’re over 18, it will let Google know that, and only that. Of course, no technology is perfect—should Private ID be mandated to target you specifically, there’s nothing to stop it from sending down code that does in fact upload your image, and you probably won’t notice. But unless your threat model includes being specifically targeted by a state actor or Private ID, that’s unlikely to be something you need to worry about. For most people, no one else will see your image during this process. Private ID will, however, be told that your device is trying to verify your age with Google and Google will still find out if Private ID thinks that you’re under 18.

If Private ID’s age estimation decides your face looks too young, you may next be able to decide if you’d rather let Google verify your age by giving it your credit card information, photo ID, or digital ID, or by letting Google send your email address to a third-party verifier.

Email Usage

If you choose to provide your email address, Google sends it on to a company called VerifyMy. VerifyMy will use your email address to see if you’ve done things like get a mortgage or paid for utilities using that email address. If you use Gmail as your email provider, this may be a privacy-protective option with respect to Google, as Google will then already know the email address associated with the account. But it does tell VerifyMy and its third-party partners that the person behind this email address is looking to verify their age, which you may not want them to know. VerifyMy uses “proprietary algorithms and external data sources” that involve sending your email address to “trusted third parties, such as data aggregators.” It claims to “ensure that such third parties are contractually bound to meet these requirements,” but you’ll have to trust it on that one—we haven’t seen any mention of who those parties are, so you’ll have no way to check up on their practices and security. On the bright side, VerifyMy and its partners do claim to delete your information as soon as the check is completed.

Credit Card Verification

If you choose to let Google use your credit card information, you’ll be asked to set up a Google Payments account. Note that debit cards won’t be accepted, since it’s much easier for many debit cards to be issued to people under 18. Google will then charge a small amount to the card, and refund it once it goes through. If you choose this method, you’ll have to tell Google your credit card info, but the fact that it’s done through Google Payments (their regular card-processing system) means that at least your credit card information won’t be sitting around in some unsecured system. Even if your credit card information happens to accidentally be leaked, this is a relatively low-risk option, since credit cards come with solid fraud protection. If your credit card info gets leaked, you should easily be able to dispute fraudulent charges and replace the card.

Digital ID

If the option is available to you, you may be able to use your digital ID to verify your age with Google. In some regions, you’ll be given the option to use your digital ID. In some cases, it’s possible to only reveal your age information when you use a digital ID. If you’re given that choice, it can be a good privacy-preserving option. Depending on the implementation, there’s a chance that the verification step will “phone home” to the ID provider (usually a government) to let them know the service asked for your age. It’s a complicated and varied topic that you can learn more about by visiting EFF’s page on digital identity.

Upload ID

Should none of these options work for you, your final recourse is to send Google a photo of your ID. Here, you’ll be asked to take a photo of an acceptable ID and send it to Google. Though the help page only states that your ID “will be stored securely,” the verification process page says ID “will be deleted after your date of birth is successfully verified.” Acceptable IDs vary by country, but are generally government-issued photo IDs. We like that it’s deleted immediately, though we have questions about what Google means when it says your ID will be used to “improve [its] verification services for Google products and protect against fraud and abuse.” No system is perfect, and we can only hope that Google schedules outside audits regularly.

TikTok

Inferred Age

If TikTok can guess your age, you may never even see an age verification notification. TikTok first tries to use information you’ve posted to estimate your age, looking through your videos and photos to analyze your face and listen to your voice. By uploading any videos, TikTok believes you’ve given it consent to try to guess how old you look and sound.

If TikTok decides you’re too young, appeal to revoke their age decision before the deadline passes. If TikTok cannot guess your age, or decides you’re too young, it will automatically revoke your access based on age—including either restricting features or deleting your account. To get your access and account back, you’ll have a limited amount of time to verify your age. As soon as you see the notification that your account is restricted, you’ll want to act fast because in some places you’ll have as little as 23 days before the deadline passes.

When you get that notification, you’re given various options to verify your age based on your location.

Face Scan

If you’re given the option to use facial age estimation, you’ll be sent to Yoti, a third-party verification service. Your photo will be uploaded to their servers during this process. Yoti claims that “as soon as an age has been estimated, the facial image is immediately and permanently deleted.” Though it’s not as good as not having that data in the first place, Yoti’s security measures include a bug bounty program and annual penetration testing. However, researchers from Mint Secure found that Yoti’s app and website are filled with trackers, so the fact that you’re verifying your age could be leaked not only to Yoti, but to third-party data brokers as well.

You may not want to use this option if you’re worried about third parties potentially being able to know you’re trying to verify your age with TikTok. You also might not want to use this if you’re worried about a current picture of your face accidentally leaking—for example, if elements in the background of your selfie might reveal your current location. On the other hand, if you consider a selfie to be less sensitive than a photograph of your ID or your credit card information, this option might be better. If you do choose (or are forced) to use the face check system, be sure to snap your selfie with nothing in the background that could identify your location or embarrass you in case the image leaks.

Credit Card Verification

If you have a credit card in your name, TikTok will accept that as proof that you’re over 18. Note that debit cards won’t be accepted, since it’s much easier for many debit cards to be issued to people under 18. TikTok will charge a small amount to the credit card, and refund it once it goes through. It’s unclear if this goes through their regular payment process, or if your credit card information will be sent through and stored in a separate, less secure system. Luckily, these days credit cards come with solid fraud protection, so if your credit card gets leaked, you should easily be able to dispute fraudulent charges and replace the card. That said, we’d rather TikTok provide assurances that the information will be processed securely.

Credit Card Verification of a Parent or Guardian

Sometimes, if you’re between 13 and 17, you’ll be given the option to let your parent or guardian confirm your age. You’ll tell TikTok their email address, and TikTok will send your parent or guardian an email asking them (a) to confirm your date of birth, and (b) to verify their own age by proving that they own a valid credit card. This option doesn’t always seem to be offered, and in the one case we could find, it’s possible that TikTok never followed up with the parent. So it’s unclear how or if TikTok verifies that the adult whose email you provide is your parent or guardian. If you want to use credit card verification but you’re not old enough to have a credit card, and you’re ok with letting an adult know you use TikTok, this option may be reasonable to try.

Photo with a Random Adult?

Bizarrely, if you’re between 13 and 17, TikTok claims to offer the option to take a photo with literally any random adult to confirm your age. Its help page says that any trusted adult over 25 can be chosen, as long as they’re holding a piece of paper with the code on it that TikTok provides. It also mentions that a third-party provider is used here, but doesn’t say which one. We haven’t found any evidence of this verification method being offered. Please do let us know if you’ve used this method to verify your age on TikTok!

Photo ID and Face Comparison

If you aren’t offered or have failed the other options, you’ll have to verify your age by submitting a copy of your ID and matching photo of your face. You’ll be sent to Incode, a third-party verification service. In a disappointing failure to meet the industry standard, Incode itself doesn’t automatically delete the data you give it once the process is complete, but TikTok does claim to “start the process to delete the information you submitted,” which should include telling Incode to delete your data once the process is done. If you want to be sure, you can ask Incode to delete that data yourself. Incode tells TikTok that you met the age threshold without providing your exact date of birth, but then TikTok wants to know the exact date anyway, so it’ll ask for your date of birth even after your age has been verified.

TikTok itself might not see your actual ID depending on its implementation choices, but Incode will. Your ID contains sensitive information such as your full legal name and home address. Using this option runs the (hopefully small, but never nonexistent) risk of that data getting accidentally leaked through errors or hacking. If you don’t want TikTok or Incode to know your name, what you look like, and where you live—or if you don’t want to rely on both TikTok and Incode to keep to their deletion promises—then this option may not be right for you.

Everywhere Else

We’ve covered the major providers here, but age verification is unfortunately being required of many other services that you might use as well. While the providers and processes may vary, the same general principles will apply. If you’re trying to choose what information to provide to continue to use a service, consider the “follow the data” questions mentioned above, and try to find out how the company will store and process the data you give it. The less sensitive the information, the fewer people who have access to it, and the more quickly it will be deleted, the better. You may even come to recognize popular names in the age verification industry: Spotify and OnlyFans use Yoti (just like Meta and TikTok), Quora and Discord use k-ID, and so on.

Unfortunately, it should be clear by now that none of the age verification options are perfect in terms of protecting information, providing access to everyone, and safely handling sensitive data. That’s just one of the reasons that EFF is against age-gating mandates, and is working to stop and overturn them across the United States and around the world.

Republished from the EFF’s Deeplinks blog.

Companies: facebook, google, instagram, meta, tiktok, whatsapp, youtube


Comments on “So, You’ve Hit An Age Gate. What Now?”

26 Comments
Arianity (profile) says:

Re:

the government will certainly require the site to be able to prove they verified a user’s age and that the user was over 18 at the time. This requires storing all the information used to verify the user’s age indefinitely.

This is not a certainty. There’s a reason many of the listed examples in the article do not store data. The UK for instance, specifically discourages long term storage. See for instance here: If you use a hard identifier to assess age, you may only need to retain a yes or no output once you’ve completed the check. etc.

Age verification is being rolled out in places with actual privacy laws like GDPR. Not only would promising to delete data and then not doing it be fraudulent, in many cases it’d be illegal under the privacy laws themselves.

Some laws may require it, which you can verify by checking the law in question. But it is not always a requirement.

Anonymous Coward says:

Re: Re:

Age verification is being rolled out in places with actual privacy laws like GDPR.

Basically every single place I stayed in Europe the last two times I’ve been there demanded that I send them my 100% unredacted passport via WhatsApp, and without fail all of them either completely ignored my request for a copy of a privacy policy or just said that it doesn’t apply to them. Hotels, AirBNBs/VRBOs, etc. So I’m skeptical that GDPR actually provides meaningful protections.

Arianity (profile) says:

This is super cool.

Luckily, these days credit cards come with solid fraud protection, so if your credit card gets leaked, you should easily be able to dispute fraudulent charges and replace the card.

Many credit card services now allow you to generate virtual cards. They’re meant to be used for online shopping (And can be made site-specific), to help mitigate if it leaks. Do those work? If so, that should be an extra layer of security.

Anonymous Coward says:

Re:

Historically, one could also order a secondary credit card with a different number and with any chosen name printed on it (excepting alphabetic restrictions). Long ago, a now-defunct humor site called Zug got a credit card labelled “Michael Jackson” and used it for a prank.

You could hypothetically get one labelled “Arianity” if you normally go by a different name that you don’t want a site to learn. Or get one for your kid so they don’t have to bother you with age-verification bullshit.

Miles Archer says:

Paranoia is common sense

I remember buying wine and the checker asked for my birthday. As I have no obligation to tell them the truth, I lied. My teen-aged daughter was shocked.

For these services, there’s no obligation to be truthful. So, show them a picture of Richard Nixon to prove your age. Make up a really, really fake looking ID if you have to, with a fake name, naturally.

Anonymous Coward says:

Re:

Make up a really, really fake looking ID if you have to

See if you can be the first one to use Woz’s fake I.D. Also see Woz’s story about it:

I had one favorite fake ID that I’d used for almost every airplane flight, domestic and international, that I’d taken for many years. […] As I opened my wallet, I considered whether I should risk using this fake ID on the Secret Service. It probably amounted to a real crime. I had my driver’s license as well. But you only live once and only a few of us even get a chance like this once in our lives. So I handed him the fake ID. He noted and returned it. The Secret Service took an ID that said “Laser Safety Officer” with a photo of myself wearing an eyepatch.

Anonymous Coward says:

Re:

It’s sad that so many game developers shut down their forums for Discord.

While I don’t know that anyone predicted exactly this, everyone should’ve been aware that a large centralized service of this sort is bound to enshittify in some form. Especially if site operators don’t have to pay to move their forums there.

This comment has been deemed insightful by the community.
MrWilson (profile) says:

I actually appreciate what Discord is doing… but only because I was getting tired of everyone just spinning up yet another Discord server with twenty plus channels for minute topics nobody engages in and their own requirements for usernames vs real names, default notifications, owners using messages to all users for random pointless messages, etc.

Discord is doing us a favor by killing itself off so better alternatives can get more attention.

n00bdragon (profile) says:

Re:

That sounds like more of a problem with the Discords you and your small friend groups make. I, for one, really liked the ability to make small semi-private spaces for close-knit groups. I hope that whatever replaces Discord has that ability because I don’t want to be forced into giant channels moving the speed of Twitch chat where nobody knows your name and nobody cares what you think.

Anonymous Coward says:

Re:

only because I was getting tired of everyone just spinning up yet another Discord server … Discord is doing us a favor by killing itself off

I’m not familiar with Discord. Why would people running their own servers be affected by this age-gate? Are central accounts used even on decentralized servers?

ECA (profile) says:

First

The Gov. will pass the regulations.
States will Write up the laws.
USA corps will follow through, as they have with a FEW of the rep states, who have been kicked from certain site access.
Once it’s all done, the USA will look at the net and see what they Missed.
THEY CAN’T control services OUTSIDE the USA.
What do they do?
RESTRICT ACCESS TO THE WORLD WIDE WEB.

Who needs to restrict Anything when you restrict EVERYTHING.

wibblewobble (profile) says:

Wait til you see Sainsburys FaceWatch.

ZERO percent positive ID. Instead it basically (and this isn’t a joke) says ALL brown-skinned men with beards are terrorists and must be store-banned immediately.

They’ve had a few public cases, and paid a LARGE amount of hush money to others.

The system has “targets” rather than true recognition. So turban = terrorist. Brown skin = terrorist. Arabic clothing = terrorist.

It’s not even checking faces against a database, just spitting out by-design racist results.

It’s even suggested small children with dark-colored scarfs on are terrorists because it saw “brown skin” and what it assumed was a beard!

Vic H says:

Age Verification

After a massive issue with recent third party data breach, what Discord is doing will be a big backlash. I mean yeah they’re “protecting” children and that’s good and all but their audience and users are adults, and they’re already losing a lot of users. I’ve been out of Discord channels over a month already. I found Gather Communities on iOS play store. Didn’t need ID and verification. Learned about it from my car communities. So I think I’m good.

Anonymous Coward says:

Re:

mean yeah they’re “protecting” children and that’s good

Protecting would be good; “protecting” with scare-quotes, not so much. Most of the stuff they claim to be protecting children from, like pornography, has never harmed any of them, and at worst has made them uncomfortable. As Anthony Jeselnik said:

But then maybe the greatest moment of my life, ever—I think this is like a universal thing for guys—I’m twelve years old, I’m sneaking around my house, and I found my dad’s porn, in the back of the attic. That was a great day. That was a game-changer for me. But then the worst day of my life, was the day I found my mom’s porn… in the back of that video store.

Sok Puppette says:

Not that I want to encourage these idiots to crack down more, but...

surely there must be a million webcam filters out there that will age you up. And if there aren’t, there will be a few months from now. And you’re not going to detect them from inside a browser, nor should you be able to. What are these people thinking?

Sok Puppette says:

Re:

Your biometrics get “leaked” every time you walk down the street. Which is why nobody with any understanding uses them for much of anything in authentication, and definitely not for remote authentication. If you use them that way and get into trouble, that’s your fault, not the fault of “leakers”.

Anonymous Coward says:

Re: Re:

To make this point, the Chaos Computer Club once published the fingerprints of a German Home Secretary, who was pushing for greater use of bio-metric data (in 2008):

the magazine also includes a thin film that can be taped over your finger to deceive fingerprint readers with Schäuble’s fingerprint. Engling says, “We recommend that you use the film whenever your fingerprint is taken, such as when you enter the US, stop over at Heathrow, or even when you touch bottles at your local super market – just to be on the safe side”.
The CCC claims the fingerprint it published is genuine. It says it got the fingerprint from a sympathiser, who took it from a glass the Home Secretary had been drinking from during a podium discussion.

Anonymous Coward says:

Bypass it

I just saw this: “discord/twitch/kick/snapchat age verifier: age[-]verifies your account automatically as an adult on any website using k-id”.

If you depend on such things, maybe get it done now just in case (“it doesn’t matter if you are in the UK or similar region that currently has access to this, this will verify your account for the future global rollout”). And if it doesn’t work, think about whether you’re gonna be the tool for giving in to the “real” verification process (cf. a Techdirt headline from yesterday).
