How Does Showing My ID To Your Website Protect Kids?

Look, I'm all for protecting kids and teens from danger. I'm also for protecting senior citizens from danger. Heck, I'd like to protect everyone from danger.

OK, now that we've gotten that disclaimer out of the way, let's get real. There are definitely online dangers that I'm uncomfortable with children and teens being exposed to:

• AI chatbots that encourages suicide.
• Radical ideologies that lead to harming others. (Unfortunately I don't think we have anything close to universal agreement on what those ideologies are)
• Scammers, hucksters, and con-men.
• Sexual predators and human traffickers. (You get where I'm going here, I won't belabor the point)
• And others that I'm sure will come to me right after I hit "publish."

I'm quite confident that as parents and family members of children and teens you have some items of your own to add to this list, and I think that's fantastic. One of the perks of living in the US is that you get a lot of autonomy over what you allow your children access to as they grow up, and what you protect them from. We all have different risk profiles and risk acceptance criteria, and this is as it should be.

However, many jurisdictions around the world have started requiring some proof of age in order to access common parts of the Internet, such as social media sites, common communication and collaboration sites, and the like. On top of that we're now seeing major SaaS solutions such as Discord choose to not just enforce these policies in the jurisdictions where they're required but to simply roll this out worldwide starting in March 2026.

Discord to roll out age verification next month | TechCrunch

All users will be put into a “teen-appropriate experience” by default unless they prove that they are adults.

TechCrunchAisha Malik

Let's unpack this trend and look at just how this is supposed to work, and how it doesn't really.

Also, for the purposes of the rest of this article we will refer to whatever content we want to protect kids from as "icky" content.

By the way, what is the standard for identifying icky content? Who is the arbiter of such content? Are we about to have an Internet version of the MPAA and PMRC?

Age Verification Prevents Underage Access To Icky Content

The concept is deceptively simple, if requiring ID is good enough for buying alcohol or tobacco products, then it should be good enough for accessing potentially icky online content.

Not really much more to say about the concept. It makes sense...in an "offline" world.

Online Is Not Offline

It turns out that there is a huge difference between the bouncer checking your ID and a website making you upload a copy of it. In fact the chances of that ID being viewed by unauthorized parties goes up at least geometrically:

• You likely have a local copy now stored on your phone or computer, that could be visible to a malicious actor
• Your phone probably backs up your photos to a cloud environment by default - another place that could be breached to suddenly compromise your ID
• The ID likely exists (at least for a short period) on the servers of that online organization, and may also be shared with any organization they use to validate the ID is valid, and you have no visibility into that process. If by some strange chance your ID isn't being uploaded anywhere, that means the verification is being done by software locally on your computer/phone/device, and I predict that will quickly get hacked and force the validation to be done server-side.
• The ID may need to be kept by the online organization for a period of time to comply with relevant laws, meaning it now sits around waiting to be breached

So my privacy is now actively at risk in the name of preventing kids from accessing icky content on a particular website/SaaS solution/etc. Oh, and I have to do this AGAIN for each site/service in scope for age identification. If every place my ID lives gives me a 1 in 1000 chance of being breached, then I only need to show my ID to about 250 sites in order to guarantee it gets breached. Yes, I made those numbers up, but those numbers are probably low, in the US if you've got a cellular service provider you have about a 1 in 1 chance of having that data breached over any given 5 year period.

Well, What About a Photo Of Me To Prove Age?

Well, that probably works for those of us with more salt than pepper, age lines, receding hairlines, and facial hair (especially ear and nose). Those who have been blessed with eternally young features will still likely have to share their ID. And newly minted adults who just passed whatever birthday milestone they need to be considered adults will obviously still have to show ID.

But even if pictures were good enough, we probably need to talk about facial recognition and related "AI" capabilities. The error rates on facial recognition apps are disgustingly high, especially among people who are not BOTH white and male. Research on systems currently in use by DHS indicates a 35% false positive rate, which is absolutely unacceptable. The rate goes to 50% for Hispanics and Latinos.

Other Verification Methods

So ID's are out, as are biometrics (photos). What other options are being suggested? Well, Australia is suggesting that you can use your bank account information to verify your age. Just a question, but when have you ever given financial information to a website and didn't suddenly start getting charged for using that service?

Heuristic analysis - reviewing what you do online/on the site and inferring your age from that is also on the table. Or snooping communications when someone sends you a birthday greeting "happy 21st birthday Bill!" has been floated as well. The "good news" here is that many social media sites are already collecting this sort of data to target ads to you, so what's one more invasive (and probably inaccurate) use of that info?

Bluntly none of these seem to be a particularly privacy protecting option.

What About My Privacy?

It turns out I'm older than 18. I'm even older than 21. What if I want to privately access this icky content as a mature, consenting adult? We've already covered how this sort of thing impacts the likelihood of my private data being accessed by someone I don't agree should have access to it. I'll argue that having to proactively prove my age, or even having my age inferred from my activity, is an invasion of my privacy that I shouldn't have to undergo in order to be online.

Government Overreach

We already know that governments - the US government as a notable example here - loves asking online companies to turn over user data, with or without a warrant or a subpoena. Being able to confirm my ID tied to my online account absolutely invalidates any expectation of privacy online, and is a key step to censorship. Feel free to tell me that I'm overreacting, but we all have our own privacy posture, and we all have our own concerns and focus. You may not care if your government knows who you are down to every last Facebook comment. I do.

Skirting Jurisdictional Requirements

Well, if I want to protect my privacy (and perhaps risk violating the law), it is child's play these days to use a VPN connection of some sort to "fake" where you're connecting from. Just take a look at the evidence from the United Kingdom. They enacted their age verification law in July of 2025 and, well, VPN traffic seems to be up.

VPNs are just one method, people are using, essentially, fake IDs as well - an older sibling's ID as an example, and other methods to bypass age verification tests. (manual manipulation of cookies seems like a reasonable possibility for poorly implemented systems as well, but that's just a "guess.")

Avoiding Services That Require Age Verification

Don't like Discord's new requirement? Well that's simple, use a different service.

I know, sounds simple. But let's recognize that it isn't just about YOU moving services, you have to bring a whole group with you - that's what social media is after all, groups. So you can't just pick up and move, you have to bring your group with you.

Ever try to convince a group of people to move from one social media platform to another? Let's just say that my Friendica account is sitting fallow while my group is still on Facebook.

The answer is to walk away from these platforms, but doing so is a social event, not the decision of a single person at a time - unless you're happy walking away from the online community, which not that many of us are. Even if you get one group to leave you may be part of several on a single platform and you're not going to convince all of them to go.

I can also point out that the vast majority of my friends, family, and contacts still choose to use basic texting though I've worked hard to migrate them to Signal.

I share those realities NOT to prevent you from trying, but to make sure you're aware of the situation. I still have the Friendica account, and I still use Signal where I can, and I'm happy when I can use either.

Are We Going About This Backwards?

It seems to me that we're actually going about this backwards. Truly. This is the puritanical approach to imparting a particular moral code on everyone - enforcing someone's idea of icky content and legislating who has access to it and how. Again, the parallel to the MPAA comes to mind.

It seems to me that there are ways that are far less privacy invasive to achieve the stated goal of protecting children from the icky stuff on the Internet, and they already mostly exist!

• DNS filtering and blocking. DNS continues to be one of the most underutilized opportunities to limit access to icky stuff. Solutions like OpenDNS, Pi-Hole, and many others help families and individuals manage what sites are accessible by preventing or redirecting lookups to them. Don't want the kids getting to that adult site? Block it via DNS. It works, at least as long as they're behind your DNS system. There are agents and options to be installed as admin on end devices that can make these DNS solutions work wherever the device is as well.
• Parental control apps and settings. Parents has a plethora of solutions that can be installed on their kids systems that offer a high degree of control over what they can and cannot do online, including their ability to install particular apps. Cellular providers offer controls on mobile devices as well.
• Shared logins to children's accounts. Yes, it is an invasion of the children's privacy, but at least it doesn't invade "everyone's" privacy. But it can be important and appropriate for parents to have access to these systems to help monitor what their children are interacting with online.

There are also non-tech ways to do this as well:

• As a parent, be involved in what your children are doing online. Modeling good online behavior, taking an interest in their activities, and being a resource they can talk to goes a long way towards protecting children.
• Limit their access to and time on Internet connected devices, especially unsupervised time.
• Speak with your children about the icky stuff on the Internet and help them learn to make good decisions for themselves about this stuff. Build trust and confidence with them that they can make good decisions.

I know, I've wandered dangerously into Dr. Spock territory here, (not Mr. Spock you Treckies!) and I'm not necessarily really qualified to do that. At this point I'm parroting advice I've seen given out by others, but that I believe is important.

I appreciate that we, as a society, owe a lot to the generations to come. But I don't believe that compromising everyone's privacy (including theirs) is the right way to help them grow up in a world where they don't get exposed to icky stuff on the Internet until adulthood. There are other options with roughly the same success rate. Let's choose those methods instead.