Online age checks create privacy risks

Online age checks create a pointless privacy risk, research finds.

When a bartender checks an ID, they quickly verify a customer’s date of birth and identity before serving them.

Companies that employ online age verification claim their products function the same way on the web. That bartender analogy has, in part, justified laws passed in twenty-five US states—comprising more than 40% of Americans—mandating the use of digital age verification to gate access across social media and adult content online. Further regulation, targeting social media sites, is currently in process in a number of states.

However, new research from Georgia Institute of Technology (Georgia Tech) and the University of California, Irvine (UC Irvine) reveals that the reality of online age verification is far from ideal.

The study found that the vast majority of sites covered by these laws do not appear to enforce age verification at all. When sites do comply, they often route users through third-party age verification services.

The researchers found that one such third party, Yoti, a London-based company used by Meta, OnlyFans, Sony PlayStation, and TikTok, provides services for an estimated 60% of websites deploying age verification services.

Depending on the verification method, a verification attempt via Yoti may transmit a user’s IP address and/or OS and browser metadata sufficient to uniquely identify and track devices. Some of the IP, OS, and browser metadata may be sent to credit card companies and IP geolocation services, while ID information may be sent to a known data broker, or another verification service.

“There have been laws passed and court cases settled on the promise that these companies are incentivized to keep users’ data private,” says Assistant Professor Michael A. Specter at Georgia Tech’s School of Cybersecurity and Privacy. “We found that reality is starkly different.”

Aside from privacy concerns, researchers note that differing state policies could lead to what they call the “Balkanization of the US web.” In other words, users may have access to different parts of the internet depending on the state they are in—potentially limiting the free exchange of ideas and information.

According to Assistant Professor Harry Oppenheimer of the Jimmy and Rosalynn Carter School of Public Policy, users are already accustomed to experiencing the internet differently across countries. However, this may signal the beginning of similar fragmentation within the United States.

“We are going to start seeing comparable differences between US states,” says Oppenheimer. “Users in some states will now have to go through additional steps to access information. Close your laptop in New York before a flight to Dallas and try to load the same web page—now you see two different results.”

“We also observed age verification deployed on websites accessed from New York, which has no law requiring verification,” says Associate Professor Paul Pearce of UC Irvine’s computer science department.

“We don’t know why these sites are deploying such verification—it could be a move to limit liability or simplify operations. Regardless, it points to an emerging threat for the open Internet where restrictive laws from some states could impact the entire country and beyond.”

The study is part of the proceedings of the 47th IEEE Symposium on Security and Privacy and was presented in San Francisco on May 20th.

CORRECTION: A previous version of this article, posted in error, included statements that were not part of the researchers’ findings or intent. This version has been updated for clarity, and to reflect the research as published in IEEE S&P.

Source: Georgia Tech