Two of the most consequential internet bills in the democratic world moved on the same day. On June 29 the US House passed the Kids Internet and Digital Safety Act, a package built around a revised Kids Online Safety Act, by 267 to 117. In Brussels negotiators sat for what was billed as the final trilogue on Chat Control 2.0, the EU's long-running child-protection regulation. Both bills spent months under fire, and both visibly retreated: KOSA's controversial "duty of care" clause, which critics warned would turn platforms into speech police, was dropped, and EU negotiators dropped the mandatory client-side scanning of private messages that would have broken encryption for everyone.
What survived in both is the quieter, less-contested mechanism: mandatory age verification. To confirm a user is old enough, a platform has to check the age, and usually the identity, of everyone who arrives, including adults. As the EFF put it this month, that turns anonymous browsing into identified browsing and manufactures exactly what a privacy regime is supposed to prevent: large centralized pools of sensitive identity data sitting on servers, waiting to be breached, subpoenaed or sold.
Why it matters
Britain is the preview. Under the Online Safety Act, Ofcom has opened more than 90 investigations and started issuing fines, and users now hand over government IDs or submit to face scans to reach ordinary content. A single vendor reportedly powers age checks for roughly 60% of the sites that require them, a concentration of identity documents that would make any security engineer wince. The stated goal is protecting children; the built artifact is an identity-surveillance layer for the entire population.
The technology to avoid that outcome already exists. Using a zero-knowledge proof, a user can demonstrate they are over 18 to a website that learns nothing else: not their name, not their date of birth, not a document the platform has to store. The EU's own age-verification app is explicitly designed for exactly that. The trouble is that the laws mandating verification rarely mandate that architecture.
Frequently asked questions
-
What did KOSA and Chat Control 2.0 drop this week, and what did they keep?
Both bills retreated on their most-criticized provisions: KOSA's "duty of care" clause and the EU's mandatory client-side scanning of private messages. Both kept mandatory age verification, which is the mechanism that forces platforms to confirm the age, and often the identity, of every user including adults.
-
Why is age verification described as a privacy problem?
Confirming a user is old enough requires checking the age, and usually the identity, of everyone who arrives, including adults. That turns anonymous browsing into identified browsing and creates large centralized pools of sensitive identity data that can be breached, subpoenaed or sold.
-
How does Britain's Online Safety Act serve as a preview?
Ofcom has opened more than 90 investigations and started issuing fines under the Act, and users now hand over government IDs or submit to face scans to reach ordinary content. A single vendor reportedly powers age checks for roughly 60% of the sites that require them.
-
Can age be verified without collecting identity?
Yes. A zero-knowledge proof lets a user demonstrate they are over 18 to a website that learns nothing else, including name, date of birth, or any stored document. The EU's own age-verification app is explicitly designed this way, but most age-check laws mandate the outcome and leave the method open.
-
What is the connection between age verification and AI agents?
AI agents will need to prove what they are permitted to do without unmasking the human or organization behind them, a "Know Your Agent" requirement. The privacy-preserving architecture being debated for human age checks now is the same one that will set the pattern for agent identity going forward.
CoinDesk