Beyond Discord: how age verification is changing the architecture of the internet


As more countries plan to age-gate social media for under-16s, the debate over age verification is no longer about whether it’s coming, but what kind of internet it will create. Some experts warn that we’re sleepwalking into an architecture we’ve given little thought to.

Discord’s rollout of teen-by-default safety settings — and its acknowledgment that many adults will not need to verify because of “information we already have” — has sharpened a wider conversation already unfolding as governments and platforms explore or introduce age-gating measures and social media restrictions for under-16s.

Australia has already moved ahead with a ban for younger users. The UK is debating similar proposals, while several European jurisdictions and US states are pushing legislation that would require platforms to verify age before granting access to certain services or content.

Identity checks, once confined to gambling or adult websites, are moving into mainstream social platforms and everyday digital life.

From safety tool to identity infrastructure

For many, the issue is not the intent — protecting children — but the infrastructure that is being created in the process. Discord’s statement on Tuesday, which assures users that not everyone will need to complete age checks, suggests the company is using an age inference model.

This, experts say, is likely a mix of device fingerprinting, activity patterns, server membership history, and purchase data from its premium Nitro subscriptions. Inference means that if you act old enough and your usage patterns match adult behavior, the model classifies you as an adult without prompting verification.

But people are worried. The same model that “already knows” you’re an adult also already knows everything about you, which feels like Big Tech surveillance to many of its critics.

To exacerbate the issue, reports emerged over the weekend that Discord has informed some UK users that they may be part of "an experiment" with Persona, an age verification vendor whose investors include Peter Thiel, co-founder of ICE's premier surveillance provider, Palantir.

For George Gerchow, faculty at IANS Research and chief security officer at Bedrock Data, the line is crossed when age checks become persistent identity systems.

“When age verification becomes long-term identity storage, you’ve crossed from safety tooling into surveillance infrastructure,” he said.

“The biggest privacy trade-off in age verification is the volume of sensitive data collected and how long and where it’s retained. There are often multiple copies for backup, and tracking lineage is nearly impossible.”

Biometrics, he added, compounds the risk. “Unlike passwords, biometrics can’t be rotated if they’re exposed,” Gerchow said, adding that the safest systems verify a single attribute — such as whether someone is over a threshold — without retaining identity data.

The normalization of identity checks

Security engineers are increasingly viewing age verification as the first step toward a broader identity layer across the internet.

Nik Kale, a principal engineer at Cisco focused on identity governance and trust boundaries, said platforms such as Discord were “sleepwalking” into this structural shift.

“Age verification is the wedge, but once the identity verification infrastructure exists, the use cases expand,” he said. “Today it’s ‘are you over 13?’ Tomorrow it’s ‘are you who you say you are?’ for every interaction.”

The long-term impact, he argued, is not being fully considered.

“The history of enterprise systems tells us that identity infrastructure, once built, never gets smaller. It only accumulates new purposes.”

Even privacy-focussed identity vendors see the same trajectory. Fraser Edwards, co-founder and CEO of Cheqd, notes that age checks are no longer confined to the edges of the internet.

“Age verification used to sit at the edges… gambling sites or adult platforms. Now it’s appearing inside mainstream communication tools used by teenagers. When verification becomes a condition for full participation, anonymity shifts from being the default to being conditional.”

Aaron Painter, CEO at Nametag, a digital identity security company that claims to protect user accounts from impersonation and deepfakes, believes that this ‘normalization’ makes design choices critical.

“Success shouldn’t be measured by how many IDs get collected,” he said. “The goal is to protect kids, not invade everyone's privacy.”

Ian Kane, CEO and founder of Firepan, a blockchain infrastructure firm focused on asset tokenization, notes that once major platforms adopt identity checks, the rest of the ecosystem tends to follow.

“It slowly moves from ‘optional’ to ‘expected’ without most users consciously agreeing to it,” he said.

“These systems usually outlive their original purpose and get repurposed for things no one planned at launch.”

A Trojan horse — or overdue safety?

Privacy advocates argue the shift risks mission creep. Silkie Carlo, director of the British civil liberties NGO Big Brother Watch, predicted that bans on under-16s will not keep young people off social media.

Last month, following the announcement that the UK was mulling a social media ban for minors, she wrote in the Telegraph:

“Teens will steal credit cards and IDs, use VPNs… and piggyback adults’ accounts.”

“In reality, there is no such thing as a social media ban for under-16s. There are only digital ID checks for every single one of us.”

Carlo described the approach as a structural expansion of surveillance power.

“It’s a Trojan horse for more surveillance and censorship online… an eye-watering mass data and surveillance risk that tips the balance of power even further away from the individual and kills anonymity online.”

The privacy architecture conundrum

Across industry and advocacy groups alike, a shared concern emerges: the risk lies less in age verification itself than in how it is implemented.

Painter frames the issue as one of design discipline. “High assurance doesn’t require high data exhaust… Minimizing collection, separating duties, and deleting data by default… reduce risk while still meeting safety goals.”

Clyde Williamson, senior product security architect at cloud data security firm Protegrity, warned that identity data often ends up in ecosystems not designed to protect it.

“What are the privacy trade-offs, particularly around biometrics and data retention? This is one of the more absurd side effects of security theater. Without solving a real problem, we inject sensitive data into systems that didn’t really need it,” he said, noting the danger of irreversible identifiers entering environments with weak incentives to safeguard them.

Sarah Bone, co-founder of secure private messaging platform YEO, believes that normalization of identity prompts brings new threats.

“Identity checkpoints can lead to black markets for verified accounts, higher fraud, and exclusion of legitimate users. They also concentrate risk if verification systems or suppliers are compromised.”

At the same time, she added, platforms can maintain a balance — keeping everyday use pseudonymous while requiring proof only for higher-risk features.

Building it properly

If age-gated infrastructure is inevitable, experts say the priority is building systems that verify attributes rather than identities.

Gerchow described models that confirm eligibility without retaining identity artifacts.

Painter pointed to cryptographically attested checks and strict data minimization. Laurie and Kane highlighted decentralised identity and digital wallet approaches.

Derek Scruggs founded the nonprofit Cardless ID because he believes that “identity verification is a public good”. His suggestion: a system where users verify once, data is destroyed, and future checks return only a yes/no response.

In essence, prove the fact, not the person.
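
The verify-once, answer-yes/no model described above can be sketched in a few lines. This is an added example, not code from Cardless ID or any vendor named in the article; the function names, token layout and demo key are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time
from datetime import date

# Constructed demo key. HMAC keeps this stdlib-only; a real deployment would
# use an asymmetric signature so the platform can verify but not mint tokens.
ISSUER_KEY = secrets.token_bytes(32)

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()

def _age(dob: date, today: date) -> int:
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

def issue_attestation(dob: date, threshold: int, today: date, now: int, ttl_s: int = 3600) -> str:
    """Verifier side: look at the birth date once, emit only a yes/no claim."""
    claim = {
        "over": threshold,
        "result": _age(dob, today) >= threshold,
        "exp": now + ttl_s,
        "jti": secrets.token_hex(8),  # random per token, not derived from the user
    }
    body = json.dumps(claim, sort_keys=True).encode()
    tag = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"  # dob is never stored or returned

def check_attestation(token: str, threshold: int, now: int) -> bool:
    """Platform side: learns True or False and nothing else about the user."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong shape or bad base64
        return False
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False  # forged or altered claim
    claim = json.loads(body)
    return claim["over"] == threshold and claim["result"] is True and claim["exp"] > now

def claim_fields(token: str) -> set:
    """Names of the fields a platform would see inside a token."""
    return set(json.loads(base64.urlsafe_b64decode(token.split(".")[0])))

if __name__ == "__main__":
    now = int(time.time())
    tok = issue_attestation(date(2000, 5, 1), 16, date.today(), now)  # constructed birth date
    print(check_attestation(tok, 16, now), sorted(claim_fields(tok)))
```

The token carries a threshold, a result, an expiry and a random identifier; no name, birth date or document number leaves the verifier, and the short expiry limits how long a copied token stays usable.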

When verification becomes 'access layer to the internet'

The broader concern is not simply whether age verification works — but what it becomes once embedded into the architecture of everyday platforms.

Kale believes the implications extend beyond child safety.

“Platforms are making irreversible architectural decisions under time pressure, and the long-term implications — for privacy, for power concentration, for what ‘access’ means on the internet — aren’t part of the design conversation yet.”

As more countries move toward age-gating — from Australia’s ban to ongoing proposals across Europe, the UK, and US states — the shift is accelerating.

Age checks are no longer a niche requirement. They are becoming an access layer.

And once identity becomes the gateway to participation online, reversing that change may be far harder than implementing it.

