EFF launches Age Verification Hub

This keeps coming up and we keep having the same debates about what Age Verification isn't.

For the folks in the back row:

Age Verification isn't about Kids or Censorship, It's about Surveillance

Age Verification isn't about Kids or Censorship, It's about Surveillance

Age Verification isn't about Kids or Censorship, It's about Surveillance

Without even reaching for my tinfoil hat, the strategy at work here is clear [0 1 2]. If we have to know that you're not a minor, then we also have to know who you are so we can make any techniques to obfuscate that illegal. By turning this from "keep an eye on your kids" to "prove you're not a kid" they've created the conditions to make privacy itself illegal.

VPNs are next. Then PGP. Then anything else that makes it hard for them to know who you are, what you say, and who you say it to.

Please, please don't fall into the trap and start discussing whether or not this is going to be effective to protect kids. It isn't, and that isn't the point.

0 https://www.eff.org/deeplinks/2025/11/lawmakers-want-ban-vpn...

1 https://www.techradar.com/vpn/vpn-privacy-security/vpn-usage...

2 https://hansard.parliament.uk/Lords/2025-09-15/debates/57714...

> If we have to know that you're not a minor, then we also have to know who you are

That is untrue

Are you aware of any age verification systems that do not have this property?

(This includes being robust against law enforcement action, legal or otherwise.)

Like many mention in other comments on this post, it's possible to implement using ZKPs. There are likely other methods that would be effective without compromising privacy. None of them are part of the Age Verification discussion because kids are not the actual point of Age Verification.

When I say "if we have to know you're not a kid, we have to know who you are" I'm not stating an actual truth, but the argument as it is playing out politically.

> None of them are part of the Age Verification discussion because kids are not the actual point of Age Verification.

The EU age verification solution says implementations SHOULD implement[1] their ZKP protocol[2]. Not linking it to the user is stated as an explicit goal:

Unlinkability: The goal of the solution is to prevent user profiling and tracking by avoiding linkable transactions. Initially, the solution will rely on batch issuance to protect users from colluding RPs. Zero-Knowledge Proof (ZKP) mechanisms will be considered to offer protection. More details are provided in Section 7.

[1]: https://ageverification.dev/av-doc-technical-specification/d...

[2]: https://ageverification.dev/av-doc-technical-specification/d...

One thing to keep in mind when reading about any "ZKP protocol" is that on its own the term has the same inherent vagueness as "end-to-end encrypted" - especially when like here there are more than two parties concerned to solve a single verification.

What information is not disclosed to whom? In what way is it ZK?

One example is Googles "zero-knowledge age verification" where AFAICT, Google still has full insight into all the sensitive data and metadata. It's not like they inherently need to be the designated middleman but that is how the scheme is designed. Therefore I find it ingeniously marketed. A bit like saying "Facebook Messenger protects all your messages with end-to-end encryption", which is arguably technically true but misleading and not an honest statement.