In June, French President Emmanuel Macron declared that he’ll ban social media for children under 15, stating, “Platforms have the ability to verify age. Let’s do it.”
We’ve all seen what that “verification” actually looks like: “I’m over 18.” One click, and you’re in. This is how the internet currently “protects” minors. It’s laughable, until you realize that this system is failing millions of children and teens every day.
In the U.S., Federal Trade Commission Chair Andrew Ferguson also highlighted this profound inadequacy, calling simple date-of-birth entries “little to no barrier” for underage access.
This admission from a top regulator underscores what many have long known: Current systems throughout the world are failing our children.
The other extreme can be even worse. Platforms requiring actual age verification often demand personal documents and store them in databases that have become high-value targets for bad actors. In December, Signzy, a major know-your-customer provider, suffered a malware attack exposing customer data, including scans of IDs and selfie biometrics.
Similarly, in January, a massive data breach at education technology provider PowerSchool compromised the sensitive information of 60 million students. Such events are clear indicators of systemic vulnerabilities.
Exposing personal identifiable data could lead bad actors right to the doorstep of children, youth and family members, the exact opposite of what age verification requirements are supposed to accomplish.
Today’s age verification tools were not designed for the digital age. Applying financial-focused risk management procedures (like “know-your-customer”) to social platforms or gaming sites is invasive and dangerous.
When sensitive documents are uploaded and stored on third-party servers, data breaches aren’t a matter of if, only when.
For kids and families, this is unacceptable. For developers and platforms, it creates massive legal and regulatory challenges. For society, we’re missing an opportunity to implement real protection that respects privacy.
We’re caught in a false choice: either no protection at all or too much vulnerable surveillance. But we no longer have to choose between these two failures. Zero-knowledge identity protocols remove this mutual exclusivity with enhanced security, privacy and user experience.
Zero-knowledge cryptographic technology allows someone to prove something is true without revealing the underlying information.
Think of it as showing you’re old enough to enter a venue without showing your ID or revealing your name. The mathematical proof confirms that you meet the requirement.
This approach enables users to cryptographically prove their age without exposing other sensitive information. For instance, they can confirm they are over 18 without revealing their exact birthdate or other identifiable features beyond what’s necessary.
The process generally involves a few key stages. Initially, a user interacts with their government-issued ID through a secure application, often on a smartphone. This interaction permits the extraction of necessary data directly from the document’s secure elements.
Next, a cryptographic proof is generated. This proof is a mathematical assertion that the user meets a specific age criterion (e.g., over 18). Crucially, this proof contains no personally identifiable information itself; it only confirms the truth of the age claim.
This privacy-preserving proof can then be shared with an online service or platform.
The platform verifies the proof’s authenticity and validity using cryptographic techniques, confirming the user’s age qualification without ever accessing or storing the underlying personal data from the ID. The platform learns only if the user is old enough.
Major tech companies are already recognizing the potential. Google announced that it’s integrating zero-knowledge proof technology into Google Wallet for age verification, with partners like Bumble already on board.
Developers can integrate zero-knowledge age verification into their applications through open-source libraries and verification contracts.
These systems check the cryptographic proof and confirm whether a user meets the defined minimum age threshold, all without storing or even seeing the user’s full identity.
The programmability of these systems is crucial for global deployment. Zero-knowledge protocols can automatically adjust to local regulations (e.g., age 16, 18 or 21) while maintaining the same privacy guarantees.
Consider how this technology transforms real-world platforms.
Gaming sites verify users meet age requirements without collecting ID copies. Dating apps confirm users’ real ages without accessing other personal information.
Content platforms gate mature content based on cryptographic proof rather than self-reported information or vulnerable document storage.
This is privacy-first protection, enforceable by code and leveraging proven cryptographic technologies. Users maintain full control over their information, choosing what to disclose in each online interaction.
We shouldn’t accept that verifying a child’s age online requires sacrificing privacy, or that doing nothing is acceptable either.
The regulatory landscape is already shifting.Â
New York’s SAFE for Kids Act began requiring platforms to use age determination technology and restrict “addictive” feeds to minors without parental consent.
Other legislation, like the federal Take It Down Act and state-level App Store accountability acts, also signals a move towards stricter online safety, though some raise privacy concerns about mass data collection.
Current age verification methods are also proving unreliable.
The United Kingdom’s Office of Communications recently fined OnlyFans operator Fenix International approximately $1.4 million for providing inaccurate information about its age verification, highlighting how even “advanced” biometric systems can fail.
As legislation aimed at protecting minors online continues to evolve, the technology industry should lead by example. We can protect vulnerable users without exposing their most sensitive information to bad actors.
We can continue with systems that either don’t work or create massive privacy risks, or we can embrace cryptographic solutions that protect both children and privacy.
Platforms now have access to privacy-preserving tools that respect both user autonomy and legal responsibility. There’s no excuse not to build better. Parents deserve peace of mind, kids deserve safety and we all deserve a more thoughtful internet.
With increasing regulatory scrutiny and growing public demand for better protections, the impetus to shift away from ineffective checkboxes and invasive data collection toward genuinely workable solutions is clear: It is time to move on from the checkbox era.
Rene Reinsberg is an entrepreneur who has co-founded multiple ventures including Celo, Self and Locu (acquired by GoDaddy). Jane Khodarkovsky is a former trial attorney and human trafficking finance specialist in the Money Laundering and Asset Recovery Section, Criminal Division, in the U.S. Department of Justice. She is currently a partner at Arktouros.
Â
