There is a lot of chatter about online age verification. When the criticism turns to the EU's approach, it tends to be either uninformed or deliberately misleading.

Do we need online age verification?

This is partly an ideological question.

If you think age verification should not exist at all, the technical details won't matter to you. No implementation will be acceptable, because the objection is to age gates themselves, not to any particular mechanism.

I am not in that camp.

A 9-, 10-, or 14-year-old is not ready to wander the open internet without limits. This isn't just a matter of parental taste. Children and teenagers are still developing the cognitive, emotional, and social skills needed to handle manipulation, addiction loops, sexual content, gambling mechanics, grooming, harassment, algorithmic radicalization, and the rest of what adults themselves often struggle with.

Isn't it the family's job to set the limits?

Yes and no.

When children are very young, parents can set strict boundaries. But as kids move into their teens, parents also have an obligation to loosen them. Teenagers need spaces where they can act independently, make decisions, and talk to others — where they can learn to navigate the world without a parent looking over their shoulder.

The question is whether we can build online spaces where that gradual freedom is possible.

"I raised my kids to be smart and self-confident, and they would never do X."

Maybe. I hope I did too. But not all children are the same. They don't share the same temperament, support, confidence, parents, or protection. And even grounded, intelligent teenagers are vulnerable at times.

We already accept age restrictions elsewhere. Children can't drive, drink, gamble, or enter certain venues before a certain age. It is not absurd to think parts of the internet should be age-restricted too.

The hard question isn't whether age limits can ever be legitimate. It's how to enforce them without turning the internet into an identity checkpoint.

Is age verification the first step to mass online surveillance?

It can be.

Most people assume age verification means scanning an ID, uploading a passport, taking a selfie, or submitting to a face scan — which is exactly what many services already ask for.

When it is implemented that way, the critics are right to be alarmed.

To prove to a porn site, a gambling site, an online liquor store, or a religious forum that I'm an adult, I should not have to hand over my name, date of birth, ID number, face, address, or passport. That is a dangerous amount of information to give any private website, let alone one dealing with sensitive content.

There is another familiar pattern: sign in with a trusted third party.

A site might ask me to authenticate through my bank, my Google or Apple account, my mobile operator, or a government identity service. That avoids handing the site my documents, but it creates a different problem: now the identity provider learns which age-restricted sites I visit.

That's not much better.

In one version, the website learns who I am. In the other, the identity provider learns where I go. Both are scary.

But neither is the only way to do this.

The better primitive: a signed age attestation

A better design starts from a simple idea: prove only the thing that needs proving.

The website doesn't need my name, my date of birth, my ID number, or whether I'm 19, 37, or 74. It only needs to know whether I clear a threshold:

age >= required_age

The easiest way to picture this is a digitally signed attestation.

Take the offline version:

  1. You go to a government office.
  2. You show your passport or national ID.
  3. They issue a card that says only one thing: "over 18".
  4. The card carries official seals, signatures, and anti-forgery features.
  5. You show that card at the entrance of an age-restricted venue.
  6. The venue can confirm the card is genuine without learning your name, date of birth, or ID number.

The digital version is the same idea, with cryptography. An authorized issuer verifies your age once and issues a signed credential:

{
  "claim": "age_over_18",
  "value": true,
  "issuer": "Trusted Age Attestation Provider",
  "valid_until": "2027-12-31"
}

The issuer signs it:

signature = Sign(issuer_private_key, attestation)

A website can later verify it:

Verify(issuer_public_key, attestation, signature)

The key property: the website never has to contact the issuer. It only needs to know the attestation was signed by a trusted issuer and is still valid. And the issuer never learns where — or whether — you used it.

This is the core of the EU approach. The EU Age Verification Blueprint describes a system built on Proof of Age attestations, relying parties, attestation providers, age-verification apps, and trust lists. It is aligned with the European Digital Identity Wallet architecture and lets users prove they are over a certain age without disclosing their exact age or identity. [1][2][3]
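The issue-once, verify-offline flow described above, as an added example that is not part of the original post and not the EU reference implementation. Ed25519, the JSON encoding, the in-memory trust list, and the names Issue and VerifyAge are assumptions made for illustration; the key pair is constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Attestation mirrors the credential fields shown above.
type Attestation struct {
	Claim      string `json:"claim"`
	Value      bool   `json:"value"`
	Issuer     string `json:"issuer"`
	ValidUntil string `json:"valid_until"`
}

// Issue is the issuer side: serialize the claim once and sign those exact bytes.
func Issue(priv ed25519.PrivateKey, a Attestation) (payload, sig []byte) {
	payload, _ = json.Marshal(a) // cannot fail for this plain struct
	return payload, ed25519.Sign(priv, payload)
}

// VerifyAge is the relying-party side: local trust list only, no call to the issuer.
func VerifyAge(trust map[string]ed25519.PublicKey, payload, sig []byte, claim string, now time.Time) error {
	var a Attestation
	if err := json.Unmarshal(payload, &a); err != nil {
		return fmt.Errorf("malformed attestation: %w", err)
	}
	pub, ok := trust[a.Issuer] // the name is untrusted until the signature checks out
	if !ok || !ed25519.Verify(pub, payload, sig) {
		return fmt.Errorf("issuer %q not trusted or signature invalid", a.Issuer)
	}
	if a.Claim != claim || !a.Value {
		return fmt.Errorf("claim %q not asserted", claim)
	}
	end, err := time.Parse("2006-01-02", a.ValidUntil)
	if err != nil || !now.Before(end.AddDate(0, 0, 1)) { // valid through the stated day
		return fmt.Errorf("attestation expired or bad valid_until %q", a.ValidUntil)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key, not a real issuer's
	trust := map[string]ed25519.PublicKey{"Trusted Age Attestation Provider": pub}
	p, s := Issue(priv, Attestation{"age_over_18", true, "Trusted Age Attestation Provider", "2027-12-31"})
	fmt.Println(VerifyAge(trust, p, s, "age_over_18", time.Date(2026, 6, 1, 0, 0, 0, 0, time.UTC)))
}
```

The only state the website holds is the trust list; a payload whose bytes were altered after signing, an issuer missing from that list, and a presentation after `valid_until` are all rejected locally.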

Selective disclosure and zero-knowledge proofs

A signed attestation is already far better than uploading an ID to every site. But a subtle privacy risk remains.

If the wallet presents the same signed credential to many websites, those sites may be able to correlate visits. Even without my name, they could learn that the same anonymous adult visited site A, site B, and site C.

That's why the stronger version uses selective disclosure or zero-knowledge proofs. Instead of showing the underlying attestation, the wallet proves a statement about it:

I hold a valid Proof of Age attestation, signed by a trusted issuer, that proves age >= 18.

...without revealing the attestation itself.

The EU technical documentation describes this as generating a zero-knowledge proof from a Proof of Age attestation: the app encodes the attestation as private input to a circuit, uses public inputs such as the attestation provider's public key, and produces a zkSNARK proof. [4][5]

That's a big deal.

It means the privacy-preserving version isn't:

Here is my ID.

It isn't:

Here is my date of birth.

It isn't even:

Here is my signed age credential.

It's closer to:

Here is cryptographic proof that I hold a valid credential proving I am over 18. You can verify the proof, but you learn nothing about who I am.

That's the right direction, and the signs are that the EU is getting it right.

What privacy advocates should focus on

None of this makes the EU system automatically safe. A privacy-preserving architecture can still be ruined by bad implementation.

Things that would break the promise:

  • stable identifiers reused across websites
  • the issuer being contacted on every age check
  • centralized logs of verification events
  • wallet telemetry recording which relying parties requested proofs
  • websites demanding more attributes than necessary
  • weak wallet security
  • poor UX that nudges users into oversharing
  • browser or device fingerprinting that links otherwise anonymous proofs
  • revocation checks that reveal where credentials are used
  • closed, unaudited national implementations

So instead of fighting a system that is built to preserve privacy, we should be fighting to put the right checks in place — the ones that guarantee the implementation actually honors it.

  1. The EU Age Verification Solution documentation describes the system as aligned with the Digital Services Act, eIDAS 2.0, and the European Digital Identity Wallet Architecture and Reference Framework, using attestation formats, protocols, and trust-model bindings for interoperability. https://ageverification.dev/

  2. The Commission says the age-verification blueprint lets users prove they are over 18 for restricted adult content without revealing other personal information, and that it is based on open-source technology and designed to be interoperable with future European Digital Identity Wallets. https://digital-strategy.ec.europa.eu/en/news/commission-makes-available-age-verification-blueprint

  3. The Commission's common-approach document says the blueprint allows users to prove they are over a certain age, such as 15, 18, or 65, without disclosing exact age or identity. https://digital-strategy.ec.europa.eu/en/library/commission-sets-out-common-approach-eu-wide-age-verification-technologies

  4. The EU technical annex on zero-knowledge proofs describes generating a zkSNARK proof from a Proof of Age attestation by encoding the attestation as private input and exposing only public verification inputs such as the attestation provider's public key. https://ageverification.dev/Technical%20Specification/annexes/annex-B/annex-B-zkp/

  5. The verifier developer guide describes standard mdoc attestation as a signed proof confirming that the user meets the age threshold, and ZKP as an enhanced proof format providing stronger privacy and no linkable identifier. https://ageverification.dev/Getting%20started/developer_guide_verifier/