RC RANDOM CHAOS

Age verification does not verify age

The KIDS Act conditions access on collecting identity artifacts, converting every covered service into a standing target the control itself does not protect.


The KIDS Act would require age checks to get online. That is the mechanism. Protecting children is the stated objective. The mechanism and the objective are not the same thing, and the distance between them is where this design breaks. A law does not become a control because of what it intends. It becomes a control based on what it forces systems to do. What this forces systems to do is collect identity at the point of access.

Age is not a property a system can read directly. It is a claim that must be verified against a signal tied to a person. To confirm a user meets or misses an age threshold, a covered service must obtain that signal, evaluate it, and act on it. The specific signal the KIDS Act would mandate is not confirmed. The verification method is not confirmed. Which party retains the data is not confirmed. What is confirmed is the structure: access is conditioned on verification, verification depends on data, and data must be collected and held somewhere to be checked. Every one of those steps is a surface, and every surface is something that can fail or be abused.

My position is direct. A mandate to verify age at the point of access converts every covered service into an identity collection point. That is not a downstream risk or an implementation detail. It is the immediate, necessary consequence of the requirement as described. The conversation calls this age verification. In control terms it is identity verification with an age field on top. Treat it as what it operates as, not as what it is labeled.

The assumption underneath the bill is that age can be gated without building identity infrastructure. That assumption does not hold. Gating access on a verified attribute means a user must present something that proves the attribute, and the service must process it. A self-asserted checkbox is not verification, because it enforces nothing and the bill is premised on enforcement. Anything stronger than self-assertion requires a credential, a document, a biometric, or a third-party attestation. Which of those the KIDS Act would require is not confirmed. The category is fixed regardless: it is an identity artifact, and an identity artifact has to be collected to be evaluated.

The second assumption is that adding a verification step reduces harm. The observable behavior of the system contradicts that. The step does not remove the existing weakness in how identity is managed across the internet. It adds a new mandatory point where identity data is gathered and held. The pre-existing condition is weak identity management: inconsistent verification, fragmented credential storage, no continuous validation of who is on the other end of a session. The bill does not address that condition. It builds on top of it. You do not strengthen a boundary by adding more places where the boundary must be crossed and recorded.

The third assumption is that friction lands on the bad actor. It lands on the legitimate user. The legitimate user is the one who shows up, presents a real credential, and submits to the check every time access is required. The actor who intends to bypass the gate is not constrained by a check that depends on data that can be forged, purchased, replayed, or stolen. Whether the KIDS Act specifies anti-fraud or liveness requirements is not confirmed. Absent an explicit, enforced standard, the verification step filters compliant users and is permeable to motivated ones. A control that obstructs the honest party and not the hostile party is not protecting the asset. It is taxing access.

What changes the moment age checks become mandatory is the shape of the attack surface. Today identity data is fragmented, which is itself a weakness but also a limit on blast radius. A mandate to verify age at access concentrates identity collection into a defined, predictable set of points: the services required to perform the check, or the verifiers they depend on. Concentrated identity data is a higher-value target than scattered identity data. That is not speculation. It is a logically necessary result of aggregation. You raise the payoff of a single successful compromise, and you increase the number of places holding the kind of data attackers want most.

This is the honeypot condition, and it is created by the design, not by the attacker. A mandatory, internet-wide requirement to verify identity means a large population of users must hand identity artifacts to a large number of endpoints under legal compulsion. The exact scope of data each endpoint would collect is not confirmed. The retention period is not confirmed. The security obligations placed on collectors are not confirmed. What is confirmed is that compelled collection at scale produces stores of identity data that did not previously have to exist, and those stores become standing targets the day they are populated. Where the law requires data to exist, the data will exist, and where it exists it will be reached.

The failure is not that age verification is hard to build. It is that the bill solves the wrong problem and worsens the real one. The real problem is that identity is the boundary across the internet and that boundary is already weakly enforced. A mandate that multiplies identity collection points does not enforce the boundary. It enlarges the area that must be defended and raises the reward for breaching it. The distraction is the framing. Calling this age verification keeps attention on who gets in and away from the fact that the system now holds far more of what attackers came for, in more places, by law.

The mechanism of failure is specific. The control enforces access by requiring an identity artifact at the boundary, then makes the integrity of that boundary depend on data the control itself does not protect. To evaluate age, the service must receive the artifact. To act on it, the service or a verifier it relies on must process it. Whether the artifact is retained, for how long, and by which party is not confirmed. What is confirmed by the structure is that the boundary is now a function of an artifact in transit and, in at least one location, an artifact at rest. The gate does not validate a person. It validates that an accepted artifact was presented.

An artifact that proves an attribute is a static signal unless the verification step enforces liveness and anti-fraud at the moment of presentation. Whether the KIDS Act mandates that enforcement is not confirmed. Absent it, the signal is detachable from the person it describes. A document, a credential, or a third-party attestation, the three categories any enforced check reduces to, can each be held and presented by a party who is not the subject. The check confirms possession of the artifact. It does not confirm the identity of the session. This is the break. Identity is the boundary, and a possession test is not identity. It is a test of who holds a copy.

Because enforcement depends on the artifact, the artifact must be collected, and collection at every covered service converts the enforcement layer into a storage layer. The control cannot function without the data, and the data is not defended by the control. That is the failure condition stated plainly. The thing the gate needs in order to operate is the same thing an attacker needs in order to defeat it, and the design places that thing inside every endpoint required to run the check. Whether each endpoint stores it locally or forwards it to a shared verifier is not confirmed. Either path produces a store of identity artifacts that the enforcement mechanism does not secure, and either path makes that store load-bearing for access across the covered services.

The pattern is not specific to age and not specific to this bill. Any control that enforces a boundary by collecting a static identity artifact, at scale, under compulsion, converts the boundary into a data store, and the data store becomes the target. The reward for a successful breach moves from access to harvest. An attacker who defeats one collection point does not gain entry to one account. The attacker gains the artifacts of every user that point was compelled to verify. The number of users and the volume of data per user are not confirmed. The direction is fixed. Compelled collection raises the value of each point above what its own service is worth.

This is the same mechanism whether the artifact is a document, a credential, or a third-party attestation. In each case the gate trusts presentation over continuous validation, and presentation is reproducible. A signal that can be presented can be replayed. A signal that can be replayed can be obtained once and used repeatedly. The bill does not change the property that makes the artifact useful to the legitimate user, which is that it travels with a claim and can be shown on demand. That same property is what makes it useful to the party who obtains it without authorization. The control does not separate those two cases, because it cannot read intent. It reads the artifact.
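The possession test described above can be shown in a few lines. This is an added example, not code from the post or from any bill text: the names (`issue`, `gate_bearer`, `BoundGate`, `prove`) and the key-derivation scheme are hypothetical, the keys and holder ids are constructed, and HMAC stands in for the signatures a real attestation would carry. It contrasts a gate that accepts any validly tagged copy with one that also demands a fresh proof over a per-session nonce.

```python
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = secrets.token_bytes(32)  # constructed key for the toy verifier

def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def _holder_key(holder_id: str) -> bytes:
    # Assumption: the verifier derives a per-holder key it can recompute later.
    return hmac.new(ISSUER_KEY, b"holder:" + holder_id.encode(), hashlib.sha256).digest()

def issue(holder_id: str):
    """Return (attestation, holder_key). The attestation is the static artifact."""
    body = json.dumps({"holder": holder_id, "over_18": True}, sort_keys=True)
    return {"body": body, "tag": _mac(ISSUER_KEY, body.encode())}, _holder_key(holder_id)

def _tag_ok(att) -> bool:
    return hmac.compare_digest(att["tag"], _mac(ISSUER_KEY, att["body"].encode()))

def gate_bearer(att) -> bool:
    """Possession test: accepts any copy of a validly tagged artifact."""
    return _tag_ok(att) and json.loads(att["body"])["over_18"]

def prove(holder_key: bytes, nonce: str) -> str:
    """Holder side: answer this session's challenge with the holder key."""
    return _mac(holder_key, nonce.encode())

class BoundGate:
    """Accepts the artifact only with a fresh proof over this session's nonce."""

    def __init__(self):
        self._open = set()  # nonces issued and not yet used

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._open.add(nonce)
        return nonce

    def admit(self, att, nonce: str, proof: str) -> bool:
        if nonce not in self._open or not _tag_ok(att):
            return False
        self._open.discard(nonce)  # each nonce is good for one attempt
        key = _holder_key(json.loads(att["body"])["holder"])
        return hmac.compare_digest(proof, _mac(key, nonce.encode()))
```

The bound gate still tests possession of a key rather than the person in the session; it only stops a copied artifact and a captured proof from being presented again.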

Two conditions follow directly. First, a control whose enforcement depends on data it does not protect is not a control. It is a collection requirement with an access gate attached. Second, where a law requires the data to exist, the data exists, and standing data at scale is reached. Not confirmed is how each collector would secure what it holds, the retention it would apply, or the obligations placed on it. The pattern does not require those details. It requires only that the artifacts exist in defined, predictable locations under legal compulsion. Predictable, high value, compelled into existence. That is the shape of a target, and the design produces it as output, not as misuse.

Call it what it operates as. This is identity verification with an age field, and the data it collects is breach liability from the point of collection, not from the point of compromise. The stated objective is protecting children. The mechanism delivers a mandatory, internet-wide identity collection layer built on top of identity management that is already weakly enforced. The objective and the mechanism do not meet. A control that obstructs the compliant user and is permeable to the motivated one does not protect the asset. Whether the bill specifies anti-fraud, liveness, retention limits, or collector security obligations is not confirmed. Absent those as enforced standards, the gate filters honest traffic and passes hostile traffic that holds a valid artifact.

What must now be true is straightforward and is not satisfied by this design. Identity must be validated continuously against the session, not collected once as an artifact and trusted on presentation. The boundary that is failing across the internet is identity management, and this mandate does not enforce that boundary. It enlarges the area that must be defended and raises the reward for crossing it. Adding collection points to a weak identity model does not strengthen the model. It multiplies the number of places where the weak model now holds the exact data an attacker came for.

The honeypot is not a risk introduced by attackers. It is the deliverable of the requirement. Compelled collection at scale produces stores of identity artifacts that did not have to exist, in a defined set of locations, secured by obligations that are not confirmed. If a system holds that data, it will be targeted. If the law requires the data to be held, it will be held, and it will be reached. The framing of age verification keeps the discussion on who gets in. The condition that matters is what the system now stores, in how many places, by law. That is the exposure. Name it as exposure, and treat the data as compromised the day it is collected, because the design has already decided where it lives.
