In this week’s roundup of the latest news in online speech, content moderation and internet regulation, Ben is joined by Thomas Hughes, CEO of Appeals Centre Europe and former Director at the Oversight Board. Together they discuss:
Once again, we’re reminded why age verification systems are fundamentally broken when it comes to privacy and security. Discord has disclosed that one of its third-party customer service providers was breached, exposing user data, including government-issued photo IDs, from users who had appealed age determinations.
Data potentially accessed by the hack includes things like names, usernames, emails, and the last four digits of credit card numbers. The unauthorized party also accessed a “small number” of images of government IDs from “users who had appealed an age determination.” Full credit card numbers and passwords were not impacted by the breach, Discord says.
Seems pretty bad.
What makes this breach particularly instructive is that it highlights the perverse incentives created by age verification mandates. Discord wasn’t collecting government IDs because they wanted to—they were responding to age determination appeals, likely driven by legal and regulatory pressures to keep underage users away from certain content. The result? A treasure trove of sensitive identity documents sitting in the systems of a third-party customer service provider that had no business being in the identity verification game.
To “protect the children” we end up putting everyone at risk.
This is exactly the kind of incident that privacy advocates have been warning about for years as lawmakers push for increasingly stringent age verification requirements across the internet. Every time these systems are implemented, we’re told they’re secure, that the data will be protected, that sophisticated safeguards are in place. And every time, we eventually get stories like this one.
The pattern reveals a fundamental misunderstanding of how security works in practice versus theory. Age verification proponents consistently treat identity document collection as a simple technical problem with straightforward solutions, ignoring the complex ecosystem these requirements create. Companies like Discord find themselves forced to collect documents they don’t want, storing them with third-party processors they don’t fully control, creating attack surfaces that wouldn’t otherwise exist.
These third parties become attractive targets precisely because they aggregate identity documents from multiple platforms—a single breach can expose IDs collected on behalf of dozens of different services. When the inevitable breach occurs, it’s not just usernames and email addresses at risk—it’s the kind of documentation that can enable identity theft and fraud for years to come, affecting people who may have forgotten they ever uploaded an ID to appeal an automated age determination.
Discord, to its credit, appears to have responded appropriately to this incident:
The company is notifying impacted users now over email. If your ID might have been accessed, Discord will specify that. Discord also says it revoked the support provider’s access to Discord’s ticketing system, has notified data protection authorities, is working with law enforcement, and has reviewed “our threat detection systems and security controls for third-party support providers.”
But the fundamental problem remains: we’re creating systems that require the collection and storage of highly sensitive identity documents, often by companies that aren’t primarily in the business of securing such data. This isn’t Discord’s fault specifically—they were dealing with age verification appeals, likely driven by regulatory or legal pressures to prevent underage users from accessing certain content or features.
This breach should serve as yet another data point in the growing pile of evidence that age verification systems create more problems than they solve. The irony is that lawmakers pushing these requirements often claim to be protecting children’s privacy, while simultaneously mandating the creation of vast databases of identity documents that inevitably get breached. We’ve seen similar incidents affect everything from adult websites to social media platforms to online retailers, all because policymakers have decided that collecting copies of driver’s licenses and passports is somehow a reasonable solution to online age verification.
The real tragedy is that this won’t be the last such breach we see. As long as lawmakers continue pushing for more aggressive age verification requirements without considering the privacy and security implications, we’ll keep seeing stories like this one. The question isn’t whether these systems will be breached—it’s when, and how many people’s sensitive documents will be exposed in the process.
Just as states across the country are ramping up their age verification mandates, we get another reminder of why privacy advocates have been screaming about these policies from the rooftops. Each new law creates more pressure for platforms to collect more documents, stored by more third parties, creating more opportunities for exactly this kind of breach.
Perhaps it’s time to admit that the cure—requiring platforms to collect and store government IDs—might be worse than the disease.
New data from the UK’s age verification rollout provides hard evidence of what internet governance experts have been warning about for years: these laws don’t protect children—they systematically drive users from regulated, compliant platforms to unregulated, non-compliant ones while accomplishing nothing except creating a massive privacy surveillance apparatus.
The Washington Post has done the legwork that regulators apparently couldn’t be bothered with, analyzing traffic data from 90 major adult sites in the UK since their age verification requirements kicked in. The results are exactly what anyone with half a brain predicted:
To evaluate the early effectiveness of the law’s rollout, The Post gathered U.K. visitor estimates over the past year for 90 of the largest porn sites as ranked by the market intelligence firm Similarweb. The Post then used a software tool known as a virtual private network, or VPN, to appear online as a U.K. user and check whether the sites verified a visitor’s age.
The analysis found that 14 sites didn’t do an age check, and that all 14 had seen major boosts in their traffic from U.K. users. One explicit site saw its U.K. visitor count double since last August, to more than 350,000 visits this month.
As for the ones that actually went through complying with this poorly drafted law?
The sites that complied — by mandating that users show their government IDs or scan their faces through their webcams, so an algorithm could estimate whether they were adults — saw visits from British internet addresses collapse.
To recap: compliant sites hemorrhaged users while non-compliant sites experienced massive growth. This represents a fundamental failure of regulatory design—the law creates competitive advantages for the least responsible actors while punishing those attempting to follow the rules.
The non-compliant sites aren’t just passively benefiting—they’re actively instructing users in circumvention:
Other sites instructed users how to navigate around the age gate by, for instance, using a special browser called Tor, which was built to browse what’s known as the “dark web.” One site directed British users to sign a petition urging Parliament to repeal the law alongside the comment, “Ur gov is dumb.”
This represents the predictable endpoint of poorly designed internet regulation: Instead of creating a safer online environment, the law has systematically incentivized users to migrate toward less regulated, less safe alternatives.
None of this is surprising. Earlier this year we discussed a study about what happened after an age verification law went into effect in Louisiana, and the (limited) result suggested a similar shift in traffic from the big sites that complied with the law to the very sketchy sites that did not.
The adult industry and experts have been screaming about this exact scenario for years. A recent blog post from one adult content platform puts it bluntly:
Preserving fair competition is one of the obligations of most states — but they simply don’t give a fuck about it. Right now, there are almost 3,000 (not an exaggeration) clones of our sites — not owned by us, but designed to look like our platforms, sometimes with a different makeover — stealing our content, and soon to be massively rewarded.
Regulators have no clue where people will go — but what’s likely is that users will scatter across so many sites, apps, proxies, and channels that they’ll become untraceable, guaranteeing the failure of future regulations. And unlike today, many of those new destinations will be dangerous, unmoderated, and openly hostile to enforcement.
This isn’t speculation anymore—it’s documented reality. That same blog post gave actual numbers showing that, over a three-day period testing age verification tech on their sites, only around 10% of visitors were willing to go through the process, with 90% going elsewhere:
July 4th : verification rate : 10,5% (89,5% of users gone)
July 3th : verification rate : 9,7% (91,3% of users gone)
July 2nd : verification rate even lower due to technical issues.
However, keep in mind that the drop of users is (maybe significantly) higher than shown, because the ones who simply don’t return (because they know there is an AV wall), are not counted.
The entire point of these laws is folly and they’re already doing real damage. There are literally millions of adult sites on the internet, plus social media, messaging apps, search engines, and peer-to-peer networks. Going after a handful of the most responsible, regulated sites just creates a competitive advantage for everyone else.
The WaPo story also highlights how this creates perverse incentives around compliance:
Companies seeking to comply with the law must pay for the age checks, whose costs can quickly climb; an Indiana judge said last year that one porn site, Pornhub, faced potential charges of more than $13 million a day. A Yoti representative said last year the company typically charges between 10 and 25 cents per face.
So the sites that try to follow the rules get hit with massive financial penalties for the privilege of losing 90% of their users to sketchier, fly-by-night competitors who ignore the law entirely.
What could possibly go wrong?
The age verification push has always been about looking like you’re “doing something” rather than actually solving problems. It’s pure regulatory theater. Now we have the data to prove it’s making things worse—driving users to less regulated sites while creating massive privacy risks for adults who just want to access legal content.
But hey, at least politicians get to pat themselves on the back for “protecting children” while the actual kids they’re supposedly protecting figure out how to use Tor browsers. Mission accomplished?
If you’ve read about the sudden appearance of age verification across the internet in the UK and thought it would never happen in the U.S., take note: many politicians want the same or even more strict laws. As of July 1st, South Dakota and Wyoming enacted laws requiring any website that hosts any sexual content to implement age verification measures. These laws would potentially capture a broad range of non-pornographic content, including classic literature and art, and expose a wide range of platforms, of all sizes, to civil or criminal liability for not using age verification on every user. That includes social media networks like X, Reddit, and Discord; online retailers like Amazon and Barnes & Noble; and streaming platforms like Netflix and Rumble—essentially, any site that allows user-generated or published content without gatekeeping access based on age.
These laws expand on the flawed logic from last month’s troubling Supreme Court decision, Free Speech Coalition v. Paxton, which gave Texas the green light to require age verification for sites where at least one-third (33.3%) of the content is sexual materials deemed “harmful to minors.” Wyoming and South Dakota seem to interpret this decision to give them license to require age verification—and potential legal liability—for any website that contains ANY image, video, or post that contains sexual content that could be interpreted as harmful to minors. Platforms or websites may be able to comply by implementing an “age gate” within certain sections of their sites where, for example, user-generated content is allowed, or at the point of entry to the entire site.
Although these laws are in effect, we do not believe the Supreme Court’s decision in FSC v. Paxton gives these laws any constitutional legitimacy. You do not need a law degree to see the difference between the Texas law—which targets sites where a substantial portion (one third) of content is “sexual material harmful to minors”—and these laws, which apply to any site that contains even a single instance of such material. In practice, it is the difference between burdening adults with age gates for websites that host “adult” content, and burdening the entire internet, including sites that allow user-generated content or published content.
Wyoming’s law is also particularly extreme: rather than provide enforcement by the Attorney General, HB0043 is a “bounty” law that deputizes any resident with a child to file civil lawsuits against websites they believe are in violation, effectively turning anyone into a potential content cop. There is no central agency, no regulatory oversight, and no clear standard. Instead, the law invites parents in Wyoming to take enforcement for the entire state—every resident, and everyone else’s children—into their own hands by suing websites that contain a single example of objectionable content. Though most other state age-verification laws often allow individuals to make reports to state Attorneys General who are responsible for enforcement, and some include a private right of action allowing parents or guardians to file civil claims for damages, the Wyoming law is similar to laws in Louisiana and Utah that rely entirely on civil enforcement.
This is a textbook example of a “heckler’s veto,” where a single person can unilaterally decide what content the public is allowed to access. However, it is clear that the Wyoming legislature explicitly designed the law this way in a deliberate effort to sidestep state enforcement and avoid an early constitutional court challenge, as many other bounty laws targeting people who assist in abortions, drag performers, and trans people have done. The result? An open invitation from the Wyoming legislature to weaponize its citizens, and the courts, against platforms, big or small. Because when nearly anyone can sue any website over any content they deem unsafe for minors, the result isn’t safety. It’s censorship.
Imagine a Wyomingite stumbling across an NSFW subreddit or a Tumblr fanfic blog and deciding it violates the law. If they were a parent of a minor, that resident could sue the platform, potentially forcing those websites to restrict or geo-block access to the entire state in order to avoid the cost and risk of litigation. And because there’s no threshold for how much “harmful” content a site must host, a single image or passage could be enough. That also means your personal website or blog—if it includes any “sexual content harmful to minors”—is also at risk.
This law will likely be challenged, and eventually, halted, by the courts. But given that the state cannot enforce it, those challenges will not come until a parent sues a website. Until then, its mere existence poses a serious threat to free speech online. Risk-averse platforms may over-correct, over-censor, or even restrict access to the state entirely just to avoid the possibility of a lawsuit, as Pornhub has already done. And should sites impose age-verification schemes to comply, they will be a speech and privacy disaster for all state residents.
And let’s be clear: these state laws are not outliers. They are part of a growing political movement to redefine terms like “obscene,” “pornographic,” and “sexually explicit” as catchalls to restrict content for both adults and young people alike. What starts in one state and one lawsuit can quickly become a national blueprint.
Age-verification laws like these have relied on vague language, intimidating enforcement mechanisms, and public complacency to take root. Courts may eventually strike them down, but in the meantime, users, platforms, creators, and digital rights advocacy groups need to stay alert, speak up against these laws, and push back while they can. When governments expand censorship and surveillance offline, it’s our job at EFF to protect your access to a free and open internet. Because if we don’t push back now, the internet as we know it—the messy, diverse, and open internet we know—could disappear behind a wall of fear and censorship.
Ready to join us? Urge your state lawmakers to reject harmful age-verification laws. Call or email your representatives to oppose KOSA and any other proposed federal age-checking mandates. Make your voice heard by talking to your friends and family about what we all stand to lose if the age-gated internet becomes a global reality. Because the fight for a free internet starts with us.
How do you comply with a law that prohibits collecting personal information from children under 13? If you said “by not collecting personal information from children under 13,” congratulations, you understand the law better than Louisiana’s Attorney General.
The state of Louisiana has filed a lawsuit against Roblox that includes what might be one of the most breathtakingly contradictory legal arguments I’ve ever encountered (ht: Liz Dye). In a complaint that runs 42 pages and accuses Roblox of being “the perfect place for pedophiles,” the Louisiana AG manages to argue that Roblox violated COPPA (the Children’s Online Privacy Protection Act) by… complying with COPPA.
Let’s dive into paragraph 113, which is doing some truly Olympic-level mental gymnastics:
Defendant could have also required children under 13 to provide their names and email addresses and obtain parental approval – a fundamental protection against predators – but refused to do so. This decision allowed the company to bypass certain protections that are mandated by federal law and designed to protect children. The Children’s Online Privacy Protection Act (“COPPA”) prohibits companies like Defendant from collecting, using, or disclosing the personal information of children under 13 without verifiable parental consent. COPPA was enacted because Congress recognized the heightened vulnerability of children on the internet. As the Federal Trade Commission (“FTC”) noted the limited capacity of children to “understand fully the potentially serious safety and privacy implications” of sharing their personal information.
So let me get this straight: COPPA (according to Louisiana’s Attorney General) prohibits collecting personal information from kids under 13 without parental consent. Roblox doesn’t collect names or email addresses during sign-up in order to comply with the law by avoiding the collection of personal information that would trigger COPPA’s requirements. And Louisiana’s AG thinks this is… a violation of COPPA?
COPPA explicitly gives companies a choice: either don’t collect personal information from children, or collect it with verifiable parental consent. It’s right there in the law. Louisiana is essentially arguing that if you choose option A (don’t collect), you’re violating the law because you didn’t choose option B (collect with consent). Louisiana’s legal theory would make about as much sense as a law saying “you can either wear a red shirt or a blue shirt,” and then arresting someone for wearing red because they did so to “avoid” wearing the blue shirt.
Under their interpretation, every company that serves children would be required to collect personal information from those children, just so they could then get parental consent. The privacy law becomes a mandatory surveillance law.
This is yet another one of those laws in which law enforcement officials view actual compliance with the law (i.e., not doing something) as “sidestepping” the law. The lawsuit literally claims that a few paragraphs later:
Yet instead of implementing safeguards to comply with COPPA, Defendant chose to bypass these protections altogether. Defendant intentionally avoids requesting a name or email address during sign-up to sidestep the requirement of verifiable parental consent.
The lawsuit essentially claims that Roblox “bypassed” COPPA’s requirements by following them. The logic appears to be that because COPPA allows for collection of data with parental consent, companies are somehow required to collect that data and get that consent, rather than simply choosing not to collect the data in the first place.
That’s not how laws work. That’s not how any of this works.
COPPA doesn’t mandate age verification or data collection. It sets rules for what you must do if you collect personal information on a service targeted at children. If you don’t collect that information, you don’t trigger COPPA’s requirements. It’s compliance, not evasion.
Now, Louisiana might try to argue that Roblox’s approach creates a loophole that facilitates harm to children by making it easier for predators to create anonymous accounts. But that’s not what COPPA is designed to prevent. COPPA is a privacy law—its purpose is to prevent the unauthorized collection of children’s personal information, not to mandate surveillance systems. Indeed, the thinking behind COPPA is that children are more safe if companies are not collecting their data. And Louisiana’s position seems to be “but doing that makes them less safe.”
If Louisiana wants platforms to implement stronger identity verification for child safety reasons, they should advocate for new legislation designed for that purpose (and see if they can make a law that actually survives Constitutional scrutiny), not twist existing privacy protections into their opposite.
The interpretation by AG Liz Murrill creates an absurd Catch-22: the lawsuit argues Roblox should have illegally collected children’s personal information in order to ensure it wasn’t illegally collecting children’s personal information.
The COPPA misunderstanding isn’t the lawsuit’s only legal misstep. The complaint reveals a broader pattern of treating routine content moderation challenges as evidence of illegal conduct. For instance, the lawsuit faults Roblox because some kids are able to bypass text filters by using alternative spelling. I only wish I were kidding:
Because Roblox is deceptive by design, children are exposed to graphic sexual material and the existing safety features are woefully inadequate. For example, Roblox’s chat filtering feature is designed to filter inappropriate content and personal information on accounts aged 12 and younger but is less restrictive for accounts aged 13 and above. However, these filters are easily bypassed by obscuring text with alphanumeric combinations (e.g., “D1DDY P13NS”).
Ah yes, the legal theory that content filtering technology must be perfect, or it’s “deceptive by design.” This is a bit like suing a car company because some people speed, or suing a bank because some people rob banks. If your security measure can be circumvented by anyone, ever, then obviously you’re running a criminal enterprise.
Has AG Murrill met any children recently? Because I have news for her: kids are really good at getting around rules. They’ve been figuring out creative ways to say forbidden words since approximately the dawn of language. The fact that some 12-year-old somewhere has figured out that “D1DDY P13NS” bypasses a content filter is not evidence of a criminal conspiracy—it’s evidence that 12-year-olds exist.
This legal theory would make every content moderation system on the internet potentially fraudulent. The fact that some users work around filters doesn’t make the filters themselves deceptive any more than the existence of lock picks makes door locks fraudulent.
Also note the assumption in there that all children are automatically exposed to inappropriate content, which is quite a claim.
Also, this next paragraph is just bizarre. Does Murrill think the kids these days are out there seeking out Sean Diddy Combs’ virtual party experiences?
The report confirmed that Defendant actively hosted over 600 “Diddy” games, with titles like “Survive Diddy,” “Run from Diddy Simulator,” and “Diddy Party,” which appear to recreate reported incidents involving the music mogul Sean Combs, publicly known as “Diddy.” Diddy was federally indicted and is underwent trial for sex trafficking of minors and other grievous criminal charges regarding allegations surrounding reports about “freak-off” parties-events which, according to testimony, multiple lawsuits and media reports, allegedly involved forced drug use, violent assaults, and the sex trafficking of minors, including victims as young as 10 years old.
I mean, yes, those sure sound to be in extremely poor taste, but it’s a bit of a weird thing for Louisiana to be focusing on. I’m pretty sure that kids today aren’t seeking out fake parties mimicking the sex parties of a washed-up hip hop star whose biggest hits were way before any of them were born.
There are legitimate concerns about child safety on gaming platforms. Roblox, like every major social platform, faces real challenges in protecting young users from predators and inappropriate content. Those are serious issues worth discussing and addressing.
But this particular legal theory is bananas. It’s the kind of argument that makes you wonder if anyone at the Louisiana AG’s office actually read COPPA before filing a lawsuit about it.
The complaint does raise other issues about Roblox’s safety measures and content moderation that might have more legal merit (Roblox insists that the lawsuit is complete garbage). But when your lead argument is essentially “they violated the law by following the law,” it doesn’t exactly inspire confidence in the rest of your legal reasoning.
This feels like someone Googled “COPPA requirements” for about five minutes, half-understood what they read, and then built an entire lawsuit around a fundamental misreading of the statute. The result is a complaint that accidentally argues companies should violate COPPA in order to comply with COPPA.
The broader implications here are troubling. If Louisiana’s interpretation were to gain traction, it could create perverse incentives for companies to collect more personal data from children rather than less—exactly the opposite of what privacy advocates have been fighting for. Instead of rewarding platforms that take a privacy-protective approach, this legal theory would punish them for not being invasive enough.
Maybe Louisiana’s AG should have spent less time crafting inflammatory soundbites about “pedophile playgrounds” and more time, you know, reading the actual law they’re claiming was violated. Just a thought.
Bluesky made a major statement last week when it announced that it would be geoblocking Mississippi IP addresses from accessing its site—making it the first major social media platform to completely block access from a US state.
Unlike tech giants with vast resources, we’re a small team focused on building decentralized social technology that puts users in control. Age verification systems require substantial infrastructure and developer time investments, complex privacy protections, and ongoing compliance monitoring — costs that can easily overwhelm smaller providers. This dynamic entrenches existing big tech platforms while stifling the innovation and competition that benefits users.
We believe effective child safety policies should be carefully tailored to address real harms, without creating huge obstacles for smaller providers and resulting in negative consequences for free expression. That’s why until legal challenges to this law are resolved, we’ve made the difficult decision to block access from Mississippi IP addresses. We know this is disappointing for our users in Mississippi, but we believe this is a necessary measure while the courts review the legal arguments.
Some companies have been blocked by foreign countries, or blocked access in other countries. But geoblocking specific states had generally been limited to adult content sites in the past. This unprecedented response highlights just how unworkable Mississippi’s law really is.
Here at Techdirt, we’ve been warning about the dangerous negative consequences of age verification mandates for years. But even then there are variations in the pure ridiculousness of some of these laws. Some can be dealt with. Some are effectively impossible. Enter Mississippi’s HB 1126.
The bill is ridiculous in many, many ways. It first requires “digital service providers” (defined fairly broadly) to engage in age verification of every new user (the bill is written so badly that it’s not clear if it applies to accounts from before the bill goes into effect). If the user is deemed to be under the age of 18, the site is required to get “parental consent” before making the service available.
The parental consent requirements alone show how divorced from reality this law is. Picture this: your 17-year-old wants to join a social media platform, so now you need to:
A digital service provider shall not permit an account holder who is a known minor to be an account holder unless the known minor has the express consent from a parent or guardian. Acceptable methods of obtaining express consent of a parent or guardian include any of the following:
(a) Providing a form for the minor’s parent or guardian to sign and return to the digital service provider by common carrier, facsimile, or electronic scan;
(b) Providing a toll-free telephone number for the known minor’s parent or guardian to call to consent;
(c) Coordinating a call with a known minor’s parent or guardian over video conferencing technology;
(d) Collecting information related to the government-issued identification of the known minor’s parent or guardian and deleting that information after confirming the identity of the known minor’s parent or guardian;
(e) Allowing the known minor’s parent or guardian to provide consent by responding to an email and taking additional steps to verify the identity of the known minor’s parent or guardian; or
(f) Any other commercially reasonable method of obtaining consent in light of available technology.
So if your teenager wants to use Bluesky (or any other digital service), you might need to mail in a signed form, hop on a video call with the company, or hand over your government ID to verify you’re really their parent—all so they can post about their favorite bands or follow local news. What if the kid is estranged from their parents? What if their parents disagree over whether or not their child can use the site? How do you verify that it’s actually a legal guardian? The law is effectively silent on all that.
There’s a lot more that’s problematic in the law as well. Even if the parent gives permission, a site is still required to block kids from accessing anything deemed harmful… but also shouldn’t stop the kid from searching for harmful information. It basically demands the impossible.
And if a kid does access ambiguously “harmful” information any parent can sue and sites can face penalties of up to $10k per violation and the potential of criminal penalties as well.
NetChoice, the trade group that has been kept busy the last few years suing (and mostly winning) to stop every unconstitutional internet law, sued over this law, and, after some procedural nonsense related to last year’s Supreme Court ruling in Moody, got a temporary restraining order blocking the law from going into effect (at least against NetChoice’s members). Judge Halil Suleyman Ozerden recognized how obviously unconstitutional the law was, noting that the law was incredibly broad and not even remotely narrowly tailored to the state’s compelling interest. Basically, this law is a mess and the state has no reasonable defense:
In short, NetChoice has carried its burden of demonstrating that there are a number of supervisory technologies available for parents to monitor their children that the State could publicize… Yet, the Act requires all users (both adults and minors) to verify their ages before creating an account to access a broad range of protected speech on a broad range of covered websites. This burdens the First Amendment rights of adults using the websites of Netchoice’s covered members, which makes it seriously overinclusive. But NetChoice has also presented persuasive evidence that “[u]ncertainty about how broadly the Act extends—and how Defendant will interpret the Act—may spur members to engage in over-inclusive moderation that would block valuable content from all users,” and that not all covered websites have the ability to “age-gate,” meaning that “they are unable to separate the content available on adults’ accounts from content available on minors’ accounts.” …. This likewise renders H.B. 1126 overinclusive.
The Act also requires all minors under the age of eighteen, regardless of age and level of maturity, to secure parental consent to engage in protected speech activities on a broad range of covered websites, which represents a one-size-fits-all approach to all children from birth to age 17 years and 364-days old. H.B. 1126 is thus overinclusive as to Netchoice’s covered members to the extent it is intended as an aid to parental authority beyond the resources for monitoring children’s internet activity NetChoice has already identified, because not all children forbidden by the Act to create accounts on their own have parents who will care whether they create such accounts. See Brown, 564 U.S. at 789, 804 (holding the state act purporting to aid parental authority by prohibiting the sale or rental of “violent video games” to minors “vastly overinclusive” because “[n]ot all of the children who are forbidden to purchase violent video games on their own have parents who care whether they purchase violent video games” (emphasis in original)).
This follows on what happens in basically every district court over laws like this. But, of course, Mississippi is in the Fifth Circuit, where good judicial systems go to die. What happened next perfectly encapsulates why the Fifth Circuit has become synonymous with lawless judicial activism. A month later the Fifth Circuit—with no explanation—said the law could go into effect, putting a “stay” on the TRO. No reasoning. No analysis. Just a naked power grab that ignores clear Supreme Court precedent.
NetChoice went to the Supreme Court’s shadow docket, where the Supreme Court refused to vacate the Fifth Circuit’s ruling, even as Justice Kavanaugh explained that it was pretty obvious the law was unconstitutional. We had mentioned this very odd result when it happened. Here’s Kavanaugh:
To be clear, NetChoice has, in my view, demonstrated that it is likely to succeed on the merits—namely, that enforcement of the Mississippi law would likely violate its members’ First Amendment rights under this Court’s precedents. See Moody v. NetChoice, LLC, 603 U. S. 707 (2024); Brown v. Entertainment Merchants Assn., 564 U. S. 786 (2011); cf. Free Speech Coalition, Inc. v. Paxton, 606 U. S. ___ (2025). Given those precedents, it is no surprise that the District Court in this case enjoined enforcement of the Mississippi law and that seven other Federal District Courts have likewise enjoined enforcement of similar state laws.
Okay? So why are you letting the law go into effect?
… because NetChoice has not sufficiently demonstrated that the balance of harms and equities favors it at this time, I concur in the Court’s denial of the application for interim relief.
What?!? This is judicial gaslighting at its finest. The Supreme Court has said, repeatedly, that denial of your First Amendment rights is very much a harm. But apparently, they all forgot that.
And now social media users begin to suffer. Welcome to the two-tiered internet. As Bluesky explained, there’s basically no other reasonable way to comply with this law short of blocking all users from the state:
Mississippi’s approach would fundamentally change how users access Bluesky. The Supreme Court’s recent decision leaves us facing a hard reality: comply with Mississippi’s age assurance law—and make every Mississippi Bluesky user hand over sensitive personal information and undergo age checks to access the site—or risk massive fines. The law would also require us to identify and track which users are children, unlike our approach in other regions. We think this law creates challenges that go beyond its child safety goals, and creates significant barriers that limit free speech and disproportionately harm smaller platforms and emerging technologies.
The harm is immediate and concrete. Mississippi now has a fundamentally different internet than the rest of the country—one where geography determines your access to information and communities. This is exactly the kind of balkanization that the internet was designed to prevent. The Mississippi Free Press, a fantastic independent journalism site covering news in Mississippi, has said that Bluesky has been a huge part of their distribution:
For those of us at the Mississippi Free Press, this is a significant blow. We left Twitter earlier this year for a lot of reasons, and have since made Bluesky our main social media platform (it’s also where we have the most followers).
[….]
We don’t know yet what this will mean for our ability to continue to post on Bluesky. Frankly, I’m more concerned about how this will prevent our readers who follow us on Bluesky from continuing to do so.
Think about what this means: A local news organization in Mississippi can no longer easily reach its readers through a major social media platform because of their state government’s actions. Independent journalism—already struggling—now faces additional barriers created by the very government it’s trying to hold accountable.
MFP’s news editor, Ashton Pittman, has made it clear where the blame lies for this: with Mississippi’s legislators who (on a bipartisan basis) passed this terrible law:
To be clear, I'm not blaming BlueSky for this situation. I understand perfectly well WHY BlueSky is blocking access to Mississippi IPs; the state government gave them no other viable choice. We are looking into our options, of course (including VPNs).
And, yes, as with every other age-gating law that shows up anywhere in the world, all it’s really doing is promoting VPN subscriptions. The tech-savvy will route around the censorship. Everyone else—including the most vulnerable populations this law claims to protect—gets cut off.
Separately, I’ve seen some commentary regarding how this somehow goes against Bluesky’s decentralization promises, but nothing can be further from the truth. Understanding why requires grasping how the AT Protocol actually works. Bluesky is one provider on the wider Atmosphere (the rapidly growing set of services using the underlying AT Protocol). Each of those services can make its own decision about how to comply with the law here. Bluesky made this point in its explanation:
This decision applies only to the Bluesky app, which is one service built on the AT Protocol. Other apps and services may choose to respond differently. We believe this flexibility is one of the strengths of decentralized systems—different providers can make decisions that align with their values and capabilities, especially during periods of regulatory uncertainty. We remain committed to building a protocol that enables openness and choice.
This is actually decentralization working as intended. If this were Twitter or Facebook, users would have no alternatives when states make dangerous policy choices. With AT Protocol, other providers could theoretically serve Mississippi users differently (though they’d face the same impossible legal risks). More importantly, users retain their identity and social connections across different providers within the network.
The key thing to remember is that nothing in this law actually makes kids safer. Like all age verification laws, it just creates a ridiculous scenario that infringes on people’s rights, closes off portions of the open internet, and serves no purpose other than enabling legislators to pat themselves on the back and pretend they’ve done something useful.
One hopes that the legislators in Mississippi will reconsider this bad law. Or that the courts (which continue to review this law) issue a new injunction that the Fifth Circuit and the Supreme Court don’t reject.
Until then, it really sucks that the state of Mississippi has effectively decided that smaller, upstart social media sites have three awful choices: comply with the law and block all access, disobey the law and risk ruinous liability, or comply with the law by collecting a ton of extremely sensitive data and setting up an impossible and unworkable system of “parental consent” that will create a huge mess for both kids and parents. The option Bluesky took seems like the only sensible one in this scenario.
Here we go again. Whenever policy makers insist that there’s some “nerd harder” solution to tricky societal problems, actual experts have to spend a ridiculous amount of time explaining basic realities to them. Sometimes those are realities about the technology. And sometimes it’s realities about the technology.
This time it’s age verification’s turn.
Steve Bellovin—one of the most respected security researchers out there, and instrumental in showing why “safe” crypto backdoors can’t exist—just published a short paper arguing that so‑called privacy‑protecting (“zero‑knowledge”) age verification can exist in theory, but not in practical reality.
Bellovin walks through the proposed architectures and then hits a variety of “insurmountable obstacles” that break privacy once you leave the whiteboard and touch reality. This isn’t all of them, but here are a few of the important points from his paper.
Identity‑proofing creates a privacy bottleneck. Somewhere, an identity provider must verify you. Even if it later mints an unlinkable token, that provider is the weak link—and in regulated systems it will not be allowed to “just delete” your information. As Bellovin puts it:
Regulation implies the ability for governments to audit the regulated entities’ behavior. That in turn implies that logs must be kept. It is likely that such logs would include user names, addresses, ages, and forms of credentials presented.
Then there’s the issue of fraud and duplication of credentials. Accepting multiple credential types increases coverage and increases abuse; people can and do hold multiple valid IDs:
The fact that multiple forms of ID are acceptable… exacerbates the fraud issue… This makes it impossible to prevent a single person from obtaining multiple primary credentials, including ones for use by underage individuals.
Cost and access will absolutely chill speech. Identity providers are expensive. If users pay, you’ve built a wealth test for lawful speech. If sites pay, the costs roll downhill (fees, ads, data‑for‑access) and coverage narrows to the cheapest providers who may also be more susceptible to breaches:
Operating an IDP is likely to be expensive… If web sites shoulder the cost, they will have to recover it from their users. That would imply higher access charges, more ads (with their own privacy challenges), or both.
Sharing credentials drives mission creep, which will create dangers with the technology. If a token proves only “over 18,” people will share it (parents to kids, friends to friends). To deter that, providers tie tokens to identities/devices or bundle more attributes—making them more linkable and more revocable:
If the only use of the primary credential is obtaining age-verifying subcredentials, this isn’t much of a deterrent—many people simply won’t care… That, however, creates pressure for mission creep…, including opening bank accounts, employment verification, and vaccination certificates; however, this is also a major point of social control, since it is possible to revoke a primary credential and with it all derived subcredentials.
The end result, then, is that you’re not just attacking privacy again, but you’re creating a tool for authoritarian pressure:
Those who are disfavored by authoritarian governments may lose access not just to pornography, but to social media and all of these other services.
He also grounds it in lived reality, with a case study that shows who gets locked out first:
Consider a hypothetical person “Chris”, a non-driving senior citizen living with an adult child in a rural area of the U.S… Apart from the expense—quite possibly non-trivial for a poor family—Chris must persuade their child to then drive them 80 kilometers or more to a motor vehicles office…
There is also the social aspect. Imagine the embarrassment to all of an older parent having to explain to their child that they wish to view pornography.
None of this is an attack on the math. It’s a reminder that deployment reality ruins the cryptographic ideal. There’s more in the paper, but you get the idea.
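A toy version of the issuance flow discussed above, added here as an illustration and not taken from Bellovin's paper or any deployed system. It assumes RSA blind signatures as the "unlinkable token" mechanism (the page does not name a scheme) and uses a constructed key, applicant and document number; it shows that the provider never sees the token the site checks, that its audit log still names the person, and that the token verifies for whoever holds it.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key built from two Mersenne primes; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # identity provider's private exponent


def digest(token: bytes) -> int:
    """Map a token to an integer modulo N (the value that is signed and verified)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


class IdentityProvider:
    """Checks an ID document, signs a blinded value, and keeps the audit log."""

    def __init__(self):
        self.audit_log = []

    def issue(self, name, age, document, blinded):
        if age < 18:
            raise PermissionError("applicant is under 18")
        # Assumed retention, following the paper's point that regulators will
        # require logs of who asked and with which credential.
        self.audit_log.append({"name": name, "age": age,
                               "document": document, "blinded": blinded})
        return pow(blinded, D, N)


def request_token(idp, name, age, document):
    """User side: blind a random token, have it signed, then unblind."""
    token = secrets.token_bytes(16)
    while True:
        r = secrets.randbelow(N - 2) + 2  # blinding factor in [2, N-1]
        if gcd(r, N) == 1:
            break
    blinded = (digest(token) * pow(r, E, N)) % N
    signed = idp.issue(name, age, document, blinded)
    signature = (signed * pow(r, -1, N)) % N
    return token, signature


def site_verify(token, signature, presenter=None):
    """Website side: the proof says an adult was issued this token, nothing more.
    `presenter` is ignored on purpose: nothing binds the token to a person."""
    return pow(signature, E, N) == digest(token)


def run_demo():
    idp = IdentityProvider()
    # Constructed applicant and document number.
    token, sig = request_token(idp, "Alex Example", 42, "ID-CONSTRUCTED-0001")
    record = idp.audit_log[0]
    return {
        "accepted": site_verify(token, sig, presenter="Alex Example"),
        # Unlinkable on paper: the log holds neither the token digest nor the signature.
        "token_in_idp_log": record["blinded"] in (digest(token), sig),
        # Not private in practice: the log still names the person and the document.
        "identity_in_idp_log": (record["name"], record["document"]),
        # Bearer credential: the same pair verifies for anyone who holds it.
        "accepted_from_someone_else": site_verify(token, sig, presenter="someone else"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Binding the token to a device or identity would stop the last result from being true, which is the linkability trade-off the paper describes.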
Stateside, the Foundation for American Innovation published a paper this February with the cute title “On the Internet, No One Knows You’re a Dog,” which now appears to have vanished from their website (?!?) but not before NY State Senator Andrew Gounardes—who’s never met a bad internet bill he didn’t support—cited it to push a statewide age‑verification law. (You can still find the paper via the Internet Archive, though it’s pretty much vanished from Google search…)
I should note how this also seems like yet another example of “protect the children!” moral panics crossing traditional partisan lines. Here’s an idea being pushed by aggressive technocrats in the EU… and then picked up excitedly by FAI, a right-leaning organization with close ties to the Trump White House (even as it keeps criticizing the EU approach to regulating the internet), and then used by a liberal Democrat in NY to justify a bad law.
This cross-partisan embrace of “privacy-preserving” age verification should terrify anyone who values civil liberties. When aggressive EU technocrats, Trump-aligned think tanks, and supposedly progressive Democrats all rally behind the same surveillance infrastructure—each convinced they’re the good guys—you’re witnessing the construction of an authoritarian tool that will outlast any particular administration’s priorities.
Meanwhile, because the conservatives on the Supreme Court decided they can toss decades of First Amendment precedent around age verification because they’re offended by naked people online, the stakes here aren’t hypothetical.
Privacy advocates are in the same place Bellovin is. EFF’s recent summary is blunt about what zero‑knowledge proofs can’t do in this context:
What ZKPs don’t do is mitigate verifier abuse or limit their requests, such as over-asking for information they don’t need or limiting the number of times they request your age over time. They don’t prevent websites or applications from collecting other kinds of observable personally identifiable information like your IP address or other device information while interacting with them.
ZKPs are a great tool for sharing less data about ourselves over time or in a one time transaction. But this doesn’t do a lot about the data broker industry that already has massive, existing profiles of data on people… Going from presenting your physical ID maybe 2-3 times a week to potentially proving your age to multiple websites and apps every day online is going to render going online itself as a burden at minimum and a barrier entirely at most for those who can’t obtain an ID.
There are absolutely contexts where ZK proofs can reduce disclosure—closed ecosystems, narrow deployments, no legal logging/audit mandates, low adversarial pressure, and little incentive to share credentials. That is not what these laws create. They create audit trails, liability, and incentives that recreate linkability.
A few months back we had professor Eric Goldman on the podcast to talk about his excellent paper on age verification/assurance. His bottom line matched Bellovin’s deployment‑reality critique: the tech creates serious harms regardless of branding. “Zero‑knowledge” doesn’t change the incentives, the governance, or the fact that someone, somewhere, has to check your ID and keep enough records to satisfy auditors and courts.
Lawmakers who want to control the internet will keep waving around “privacy‑preserving” as cover (Hi Senator Gounardes!). Bellovin just explained, with receipts, why that cover doesn’t actually protect privacy. It adds identity friction to lawful speech, supercharges data linkage, and hands governments and intermediaries a revocation switch. That’s not child protection; it’s infrastructure for control.
Age verification laws and regulations that target online pornography and digital sex work are far from being the “modest” child safety measures intended to protect public decency favored by the far-right.
Proponents of these laws benefit from the fearmongering and framing of age verification as a necessity to protect children from inappropriate material found on the internet. But often in the discourse, there’s a clear detachment between the political motivations of lawmakers and the realities of being a sex worker or working in a profession that is directly impacted by age verification laws targeting unfavored speech.
Because of the detachment, implications are far-reaching. Laws that require “age assurance” regimes are a clear impediment to labor and the ability of sex workers to legally earn income. There needs to be further discussion and analysis of age verification laws as a labor issue, in addition to the underlying contexts of free speech rights. While not a traditional “labor issue,” like union rights and equal pay, the government’s role in regulating and restricting forms of expression that can be produced, distributed, and monetized for entertainment media consumption is a dimension of the age-gating issue often overlooked and/or ignored.
Digital sex workers’ incomes and living conditions are dependent on platforms for content distribution. Sites like OnlyFans, Pornhub, xHamster, Chaturbate, and literally thousands more grant performers and content creators access to revenue generation opportunities that are remote, distributed, and confidential.
Due to these platforms forming the foundations of a trend-setting, technology-innovating, digitally native entertainment industry, age verification laws target digital sex workers’ means of distribution and, in a lot of cases, means of production. The overwhelming majority of adult content creators and adult performers are self-employed—classified as independent contractors and/or small business owners. Some performers have incorporated, with others adding trademarks and intellectual property protections on their branding.
Consider a few examples of adult content creators actively engaging in the activity of running a small business or self-employed enterprise. Platforms such as OnlyFans issue tax forms so that content creators can accurately report their income to the IRS and their state tax authorities. Or take the example of the performer-creator, going by the stage name Gigi Dior, duking it out with high-fashion house Christian Dior in front of the Trademark Trial and Appeal Board at the U.S. Patent and Trademark Office. Activities and actions like these aren’t seen by the vast majority of consumers—or, importantly, the critics of the entire online adult ecosystem.
We all hear the “think of the children” mantra from the Helen Lovejoys of the world daily. We are seeing it now with Collective Shout teaming up with Visa and Mastercard to clamp down on NSFW gaming. We are seeing it in the United Kingdom with calls from both the House of Commons and the House of Lords to ban certain types of pornography to comply with a broad interpretation of the Online Safety Act of 2023.
At least 40 percent of all United States residents live in jurisdictions with age verification laws. Millions of adult content creators are diverse and dynamic. Faced with all of these mounting regulatory pressures, adult entertainment performers and adult content creators—particularly those operating with marginalized identities—have developed a range of creative strategies to sustain their work, visibility, and autonomy in the national digital space. Inaccessibility is a legitimate issue that goes far beyond concerns of consumers.
While these laws are often framed as protecting children, the actual barrier they create is for adults — the lawful consumers who make up the legitimate market for adult entertainment. Under laws like Texas’s HB 1181, anyone wanting to access adult content must submit government-issued ID or sensitive personal data to a third-party vendor. Many adults are unwilling to do this, not because they wish to evade age restrictions, but because they don’t trust where that data will go, how it will be stored, or who might access it.
The result is that large numbers of adults — the only legal audience for these performers in the first place — stop visiting legitimate platforms altogether. That loss of audience directly translates into a loss of income for adult content creators. For an industry where the majority of workers are self-employed, often operating as small businesses, the shrinkage of the paying customer base is an existential threat.
This is why age verification mandates should also be seen as a labor rights issue. They are not simply regulating content; they are regulating the ability of consenting adults to transact with one another in a lawful marketplace. By forcing privacy-invasive hurdles onto the consumer side, these laws effectively shut down the market for legal adult work, undermining the economic stability of performers and driving audiences toward unregulated, unsafe spaces.
Protecting minors is essential, but there are less harmful ways to do it — including privacy-preserving age estimation, community moderation, and robust sex education. Until lawmakers acknowledge this labor dimension, age verification laws will continue to function as a political tool that erodes the rights and livelihoods of both workers and adult consumers.
Michael McGrady covers the tech and legal sides of the online porn business.