IAB/W3C Workshop on Age-Based Restrictions on Content Access (agews)

Yanzi Lin, Vivianna Lieu, Cheng Zhang, Weiqian Zhang, Lorrie Faith Cranor, Sarah Scheffler

Slides: Measuring User Responses to Age Verification Architectures: Evidence from a Deceptive Online Experiment

Sylvain Chatel, Christian Knabenhans, Wouter Lueks, Mathilde Raynal, Carmela Troncoso, and Ádám Vécsi

Requiring age verification to access online services is a controversial topic. The main motivation for introducing age controls is the protection of children. Requiring a certain age to access particular online services impedes children’s access to content inappropriate to their age. Yet, this benefit is often contrasted with the dangers to privacy, freedom of information, and power balance that such checks can result in. Privacy-enhancing technologies (PETs), specifically PETs based on zero-knowledge proofs, are often portrayed as a means to bring balance to this complex problem.

In this paper, we present our reflections on whether PETs can actually bring that balance. Concretely, we reflect on the fundamental limitations of PETs when it comes to addressing the problems associated with age verification regardless of architectural decisions; and on issues stemming from the architectural choices in which PETs that support online age verification are integrated “as a service” or in the form of libraries.

Yoti

The rapid evolution of the digital landscape necessitates robust and ethical standards for online age assurance to safeguard individuals, particularly children, while respecting privacy and facilitating legitimate access to services. As regulatory bodies globally, including those in the UK, EU, and Australia, increasingly mandate age-appropriate access and "highly effective age assurance" for online platforms, the need for clear, practical, and interoperable standards becomes paramount.

This position paper, informed by extensive experience and drawing on detailed insights into the implementation and challenges of age assurance technologies, advocates for an approach that prioritises a diverse range of flexible tools, anchored in transparency, independent auditing, and user-centric design.

Phil Archer

Between 2000 and 2008, I worked for an international membership organization called the Internet Content Rating Association (ICRA). A year after I was made redundant I wrote a lengthy paper on why that initiative failed, despite its political attractiveness and significant industry support. The purpose of this short paper is simply to offer a succinct version of that as a warning. A child protection solution based solely on metadata provided voluntarily by content creators that is then read by filters that act purely on the basis of that metadata will fail just as completely as ICRA and its predecessor, RSACi did.

Dennis Jackson

Content restrictions of any kind raise many difficult questions. This paper does not argue for or against their introduction. Instead, it asks: if these restrictions are to be rolled out by legal fiat, who should be responsible for enforcing them at the technical level?

There are only two answers compatible with the end-to-end principle: either the device that displays the content to the user or the service that delivers the content to the device.

Ehsan Toreini

This article takes a critical view on the current infrastructures for proof of age. We recognise the accuracy and efficiencies of such systems for adults; however, we argue there are fundamental issues with the adsversarial model. Unlike conventional identity management solutions, the adversary in these systems is children, who are themselves considered a vulnerable group with strict privacy requirements. This particularly makes the efficient protection against fraudalant actors a challenging problem. In this paper, we first elaborate on the nature of the adversary, a child who intends to manipulate the proof-of-age infrastructure to access services. Then, we discuss the privacy aspects of such an adversarial model. Finally, we explain our views on the blindspots in this domain.

Eric Goldman

In an effort to protect children online, regulators around the country and the world are enacting laws that compel Internet publishers to age-authenticate every reader (minors and adults alike) and then require publishers to restrict minors’ access to online content or resources. This Article calls these measures “segregate-and-suppress” laws.

Legally mandating differential treatment between minors and adults superficially sounds like common sense, but implementing this principle online leads to surprising and counterproductive outcomes. Requiring readers to authenticate their age exposes minors (and adults) to significant privacy and security risks, and it dramatically reshapes the Internet’s functioning to the detriment of almost everyone. Further, due to the inherent tradeoffs involved, segregate-and-suppress laws inevitably harm some minors.

In other words, segregate-and-suppress laws seek to protect minors online by harming minors online. To avoid this paradox, regulators should deprioritize segregate-and-suppress laws and, instead, develop a wider and more thoughtful toolkit of online child safety measures.

Nick Doty & Aliya Bhatia

In an effort to block kids from online content intended for adults, some have argued that age- verification or age-assurance tools offer the possibility of simple, effective guardrails. In our brief to the Supreme Court last year, CDT laid out serious concerns these tools raise regarding privacy and free expression – in addition to questions about their efficacy. But that doesn’t mean technical work can’t address some valid concerns about minors’ access to adult content online. In particular, two categories of work related to internet standards (labeling and signaling) are worth pursuing right now, and a third may be worth evaluating in the future (anonymous attestations). We propose principles to evaluate those and any other technical mechanisms, including their efficacy, accessibility and impacts on user privacy, safety and free expression.

Andrew Shaw

This paper presents an overview of security considerations for the use of age assurance technologies online, primarily from an architectural perspective. This paper will also consider current IETF work that could be relevant to this problem space. This paper is written in the context of the UK legal and regulatory environment but does not represent UK government policy. This paper does not make any judgment on the merits of, or issues that may affect, age assurance systems currently in deployment.

David Cooke and Sarah Bain

We are writing on behalf of Aylo and Ethical Capital Partners (ECP). Aylo (formerly MindGeek), is a technology and media company, owner of a large portfolio of adult entertainment properties (Pornhub, YouPorn, Redtube, Brazzers). ECP is a private equity firm managed by a multi- disciplinary advisory team with legal, regulatory, law enforcement, public engagement, capital markets and investment banking experience. Just over a year ago, ECP acquired Aylo.

Our submission is meant to provide insights into the complexities of site-based age verification, highlighting its challenges within existing approaches and the unintended consequences it presents. Additionally, we propose a device-level solution and wish to situate the issue of age verification within the broader context of making the internet safer for all.

Sofía Celi, Kyle den Hartog, Hamed Haddadi

Today, it’s widely acknowledged that we face serious chal- lenges in controlling what content is accessible to children online, and more importantly we currently lack effective tools to address this in a privacy-preserving and effective way. The core difficulty lies in the tradeoffs involved. But if we approach the problem thoughtfully, we can strike a balance: preserving the Web’s openness and user agency, minimizing unnecessary data collection and privacy harms, and empowering guardians (whether parents, teachers, or school IT administrators) to better manage what children are exposed to. In doing so, we might even unlock broader benefits, such as combating misinformation, and curbing manipulation and fraud by bots or foreign actors. These are ambitious goals: but how do we make them a reality?

Steven M. Bellovin

To a first technical approximation, it is straightforward to construct a privacy-preserving, credential-based age verification system for the Worldwide Web. However, the legal, economic, and social obstacles are formidable, and possibly insurmountable, especially in certain countries.

Julia Hanson, George Tankersley, Theresa O’Connor

Age verification laws that require websites to verify users’ ages can threaten online privacy, especially if technical solutions to satisfy legal requirements are not implemented thoughtfully. In this paper, we outline several privacy risks posed by solutions to age verification requirements on the web and propose privacy principles to guide the development of privacy-preserving alternatives.

Andrew Campling, David Wright

Tools exist that allow parents to set boundaries for their children’s online access and experience, including access to specific categories of content, some of which have age- appropriate settings. However, these tools currently operate independently, some within operating systems and others within individual applications. The functionality can vary widely, and sometimes even common terms can have different meanings. Even knowledgeable and motivated parents struggle with the plethora of options, especially where children have access to multiple devices on different platforms.

The lack of standardisation of parental control software is hindering its ability to protect children. The authors believe that effective parental controls are a better option than banning children from accessing the benefits of the Internet. We propose developing a new protocol to aid interworking between the many options that are currently on the market.

Yanzi Lin, Vivianna Lieu, Cheng Zhang, Weiqian Zhang, Lorrie Faith Cranor, Sarah Scheffler

Following the U.S. Supreme Court’s decision in Free Speech Coalition v. Paxton (2025), which established that age verification systems must be “adequately tailored,” understanding user behavior has become legally relevant for system design. This preliminary study empirically examines how different age verification methods affect user behavior through a deceptive online experiment framed as usability testing for a mock gambling website. Participants (n=99 U.S. residents) were randomly assigned to six verification conditions, including simple checkbox self-declaration, government-issued ID upload, and AI-based facial age estimation. Results show stark differences in user responses: checkbox verification achieved 95.2% completion rates, while government ID methods drove up to 60.5% of users to return their study without finishing. We also tested the effects of privacy disclosures on completion rates. These had mixed effects, with detailed data handling information both increasing completion rates and polarizing user comfort levels. In a survey accompanying the empirical study, participants expressed significant privacy concerns about document- based methods, citing fears of identity theft and data misuse. These findings provide empirical evidence that can be applied to the U.S. Constitutional requirement for “adequate tailoring” of age verification systems, as well as policy analysis and technical design of age verification more broadly. We outline plans for expanded research using R-rated movie content to examine these effects at larger scale.

Martin Bieri, Olivier Blazy, Solenn Brunet, and Jerome Gorin

Age verification is increasingly mandated by law, especially in online services. In this paper, we present a proof-of-concept protocol for privacy-preserving age verification. Our approach allows users to prove compliance with age requirements without revealing their identity to the service provider. Furthermore, the website remains unaware of which authority issued the age certification, and the certification authority does not learn which website is making the request or the specific age being verified. This design ensures strong privacy guarantees for all parties involved. Its properties served as a baseline for part of the reference document published by the French regulator ARCOM.

Martin Thomson

A great many governments worldwide are enacting laws that seek to limit the ability of children to access content that is designated for adults only. At the most abstract of levels, this is a good thing. Some material requires maturity and experience to handle. It is worth ensuring that children are not exposed to things that they are insufficiently prepared for.

The challenge is in determining the right implementation; a question that has policy and technical aspects.

Any system that involves restrictions will unavoidably have some consequences for adults. This is appropriate, as protection of children is a social obligation shared by all. The difficult political question is then what costs — to factors like privacy and choice — are acceptable.

This brief looks at a much narrower question: given the technical solutions being developed in response to legislative efforts — or even those mandated in law — are there better alternatives?

Wes Hardaker

Consider the case where a perfect age-verification technology exists. Will that actually make it possible to implement a world-wide platform that achieves the adult population’s goals of restricting motivated youth to access content they’re interested in? In this document, we discuss the motivation levels of both the Publisher’s and Consumer’s cases that must be considered, along with the potential challenges faced in addressing the problem space.

Thibault Meunier, Marwan Fayed

Enforcing age-based restrictions at the server creates a tension between enabling compliance and preserving clients’ privacy. We argue that both are achievable by expanding the problem statement to include unsolicited content alongside restricted material. Doing so means we can prevent accidental exposure to ineligible material for those who should not have it; we can also include adults who do not want to be exposed to certain materials that may appear without warning or consent. Both are achievable even in the presence of VPNs.

In this document, we argue that a client-side proof that sends nothing to the server is sufficient for compliance, and has stronger privacy properties, with minimal server changes which facilitate wider adoption. In addition this model of delivery can cater to an important demographic: Eligible users who do not wish to be accidentally exposed to unsolicited content, and should not have to express that preference to servers.

Given reasonable operating system and software supports, eligible and ineligible content preferences can be expressed and provably enforced by the client --- without returning data to the server or involving third parties while browning the web and accessing the Internet.

Sarah Scheffler and Shuang Liu

This submission argues for the following points, gleaned from our team’s ongoing research in applied cryptography and policy analysis of age verification based on identity documents (IDs):

1. Standards should prioritize age verification methods that transmit less information, share sensitive information with fewer entities, and allow users more control over which entities to share sensitive information with;
2. The most privacy-preserving methods for ID-based age checking that maintain verifiability are trusted notaries (often called selective disclosure or trusted attestation in the context of age or credential verification) or cryptographic zero-knowledge proofs – we discuss these in the body;
3. Sensitive private information is not limited to the content of the ID;
4. When presenting credentials in a privacy-preserving way, holders should know what information they are sending;
5. Standards should take a broad definition of “identifying information”; and
6. Standards should encourage purpose restriction and deletion of information collected during age verification as a best practice.

Tom Newton & Tim Levy

This paper explores the multifaceted challenges associated with age-based restrictions on online content access for young people, encompassing technological, ethical, business, privacy and practical considerations.

Contemporary views on age based restrictions view platforms as the gatekeepers of content and so aim to fix safety at that level. Such a view places the onus on publishers but is awash with issues including imprecision and error rates, susceptibility to avoidance, concerns around privacy, the prohibitive costs for small platforms and the removal of practical choice by parents.

Alternative network-based filtering models for age-gating access have different but similarly challenging issues including misalignment with the IETF’s core mission of end-to-end privacy enhancing Internet protocols.

As an alternative, this paper proposes a reliable and secure alternative. An architecture whereby guardians (whether parental, or in loco parentis, e.g. schools) can, and are indeed expected to, install or configure reliable safety technology on devices.

Benjamin VanderSloot

Websites typically ask visitors to assert they are of legal age before serving them adult content. As the EFF identified last year, numerous efforts are underway to require websites to instead verify their visitor’s age. The mechanisms vary, but typically require users to present credentials derived from digitized identity documents or upload selfies for automated age estimation.

Legal requirements for websites to verify visitor ages come with substantial risks for user privacy and open access to the web. Unlike self-assertion, the methods put forward for age verification entail leaking information about the user to third parties, impacting privacy. For any given jurisdiction enacting such requirements, a substantial fraction of websites may be unable to participate and so either choose to self-censor through geo-blocking or be censored by regulators, affecting open access to the web, even between adults.

These issues can be mitigated with an architectural change, moving the enforcement from the website to the device, where it can remain under the control of the device owner. We propose such a system for web browsers, which achieves the same goal of restricting access to inappropriate content with fewer externalities.

We do not take a stance how the verification of age should be done, instead focusing on which party enforces the verification. We take the question of where the verification occurs as the critical one, separating it from the question of how that verification is performed.
The core of this proposal is to place a responsibility on the browser to respect existing signals from the operating system about the user’s content preferences and from websites about the content they contain.

Heather Flanagan and Leif Johansson

The urgency to develop reliable, privacy-respecting mechanisms for age verification has collided with the realities of standards development and deployment. Technical architectures are being proposed with insufficient regard for whether they can be deployed in real-world environments— across jurisdictions, across devices, and at scale. This paper focuses on the foundational architectural and protocol properties needed to make any age verification system viable, drawing on RFC 5218’s criteria for successful protocols and Kim Cameron’s Laws of Identity.

We do not address every aspect of age verification. Instead, we concentrate on deployability, because without it, even the most elegant privacy technology will remain theoretical.

John Perrino

The global adoption of age-based restrictions for online content risks creating a fragmented and challenging landscape for Internet and Web architects. As jurisdictions from the United Kingdom to Australia enact diverse and sometimes conflicting regulations, the technical community faces a critical task: designing solutions to meet these policy demands without sacrificing core principles of privacy, accessibility, and an open, interoperable Internet.

This paper provides a comparative survey of complex global policy requirements to provide a foundational map for technical constraints, architectural trade-offs, and interoperability challenges that the IAB, W3C, and broader technical community must address to develop workable solutions.

Iain Corby

I am the Executive Director of the Age Verification Providers Association (AVPA) which represents companies that deliver privacy-preserving, standards-based, regulator-approved age assurance technologies. I submit this paper in a personal capacity with the benefit of that experience, and welcome the opportunity to contribute to the IAB/W3C/TAG workshop.

Mark Nottingham

Around the world, policymakers are considering (and in some cases implementing) age restriction systems for Internet content. This document explores the unwanted impacts on the Internet that these systems are likely to have, and makes recommendations to increase their chances of becoming a successful part of the Internet infrastructure.

Will Earp, David Wright, SWGfL

This paper sets out the practical considerations for deploying age-based content restrictions in real-world contexts, particularly those affecting children in education and home environments.
Drawing on operational experience across thousands of UK schools and homes, we explore how viable age-based restrictions are fundamentally predicated on the availability of effective, layered content filtering systems.
We also highlight how recent changes to internet protocols (e.g., ECH and DNS-over-HTTPS) are eroding the transparency and enforceability of these systems, raising critical questions about how age assurance can be technically maintained without resorting to device prohibition or invasive surveillance.

Gianpaolo Angelo Scalone, Kevin Smith

As digital content becomes increasingly accessible, protecting minors from harmful or inappropriate material is a growing concern for regulators, platforms, and infrastructure providers. Age-based access restrictions are emerging as a key tool to address this challenge. Telecommunications providers (‘telcos’) offer unique capabilities for identity verification, persistent identifiers, and network-level enforcement. This paper explores the technical and architectural implications of implementing age-based restrictions, with a particular focus on telco infrastructure. It also considers alternative verification methods, blocking mechanisms, and the governance of content restriction lists.

Sarah Forland, Nat Meysenburg, & Erika Solis

Legislators across the United States are contemplating age verification mandates as a way to limit the potential harms of online experiences for youth and restrict access to age-inappropriate material. While more efforts are needed to ensure children can safely and securely access online spaces, age verification mandates may actually pose more risks than benefits—resulting in unintended consequences for the constitutional rights, privacy, and security of all users.

Most age verification legislation is currently aimed at online content that faces age barriers in the real world. However, some legislators have gone further to target social media platforms. Given the outsized impact of widespread age verification requirements and the potential for serious unintended consequences, this report aims to demystify and clarify these key concepts related to online age verification.