Papers, Please: A First Look at Age Verification in the US

We’ve released our work “Papers, Please: A First Look at Age Verification”, the first study to examine the deployment and privacy impact of online age verification in the US. It was recently accepted to IEEE Security and Privacy, and cited in U.S. congressional testimony by the Center for Democracy and Technology.

Our goal in this post is not to replace the paper, but to explain why we chose to study age verification, describe the problems we uncovered, and discuss where we believe the ecosystem should move from here.

Summary

We studied the deployment of age verification in the United States across three states: two that had mandatory age verification requirements and one without. We found that, despite these mandates causing widespread balkanization of the web and a myriad of privacy issues, age verification is largely ineffective; compliance is low and age verification can be bypassed. We also find evidence of a spill-over effect, in which sites adopting age verification may deploy these services regardless of the state’s local laws.

Why study age verification?

Since 2022, twenty-five US states covering more than 40% of the US population have adopted laws compelling websites with content “harmful to minors” to verify their users’ ages. Many websites that comply with these laws rely on third-party services, outsourcing the age verification process.

However, despite wide deployment, little is known about how these services are shaping the web and affecting user privacy or dividing the US’s infrastructure. Age verification suites are inherently privacy invasive. As a necessity, they must collect certain signals about the user, which may include their age, birthdate, credit card information, citizenship, location, or other sensitive information. Despite years of attempted regulation, content on the Internet in the US has been largely unobstructed, avoiding the balkanization seen in the EU and elsewhere. Now, with age verification, this has changed.

Do sites with users in New York require age verification, even though the state currently lacks a mandate? Such a spill-over effect, as seen with GDPR cookie banners, would indicate that the laws in nearby states are affecting uncovered users that didn’t vote for them.

And, of course, there’s efficacy — does age verification actually stop underage users from accessing covered content? Assuming that users can’t bypass the service itself, it could be that sites rationally choose to disobey the law and serve content anyway.

It’s worth noting that the laws themselves differ nontrivially by state, and have unclear inclusion criteria (we went ahead and categorized them). Different states have varying allowed methods of verification, criteria for being required to include age verification (e.g. nebulous “1/3” of the site), and define differently who is allowed to sue. Worse, different states may or may not have criteria for carving out cloud providers, so certain states could technically decide that Cloudflare or Amazon is responsible for content that their providers host.

[Figure: A table of age estimation laws]

Our Study

  1. We crawled the top 1M websites from three US states: Texas, Georgia, and New York as of August 2025. Both Texas and Georgia have similar laws requiring age verification; New York does not.
  2. We developed a set of static analysis tools to detect if a site was using any of 30 known third-party age verification suites.
  3. We compared the prevalence of age verification suites on sites that do and do not label themselves as serving adult content.
  4. We reverse engineered Yoti, the most used age verification provider, to learn more about its security and privacy behavior.

It is worth noting that our work is a lower bound — it could be that age verification occurred on more sites (e.g. via a login flow not seen by our crawlers).
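To make the measurement steps above concrete, here is an added sketch (not the paper's tooling) of static detection over crawled HTML, followed by the per-state comparison. The provider hostnames, the adult self-label markers, and the sample pages are constructed assumptions; a static match like this only sees what is in the fetched markup, which is why such counts are a lower bound.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: placeholder hostnames, not the providers' real endpoints.
SIGNATURES = {"Yoti": "yoti.example", "VerifyMyAge": "verifymyage.example",
              "Incode": "incode.example"}
# Assumption: markers a site might use to self-label as adult content.
ADULT_LABELS = ("adult", "rta-5042-1996-1400-1577-rta")

class PageScan(HTMLParser):
    """Collect hosts of referenced resources and any adult self-label."""
    def __init__(self):
        super().__init__()
        self.hosts, self.adult = set(), False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "rating":
            self.adult |= a.get("content", "").lower() in ADULT_LABELS
        for key in ("src", "href", "action"):
            host = urlsplit(a.get(key, "")).hostname
            if host:
                self.hosts.add(host.lower())

def scan(html):
    """Return (providers detected, self-labelled adult?) for one page."""
    p = PageScan()
    p.feed(html)
    # Match on the domain or a subdomain of it, never on a bare substring.
    found = {name for name, dom in SIGNATURES.items()
             if any(h == dom or h.endswith("." + dom) for h in p.hosts)}
    return found, p.adult

def summarize(crawl):
    """crawl: {state: {site: html}} -> per-state AV sites and adult compliance."""
    out = {}
    for state, pages in crawl.items():
        res = {site: scan(html) for site, html in pages.items()}
        adult = [s for s, (_, labelled) in res.items() if labelled]
        rate = sum(bool(res[s][0]) for s in adult) / len(adult) if adult else None
        out[state] = {"av_sites": sorted(s for s in res if res[s][0]),
                      "adult_compliance": rate}
    return out

# Constructed sample crawl: the same three sites fetched from two vantage points.
GATED = '<meta name="rating" content="adult"><script src="https://cdn.yoti.example/av.js"></script>'
UNGATED = '<meta name="rating" content="RTA-5042-1996-1400-1577-RTA"><script src="//notyoti.example/x.js"></script>'
PAGES = {"a.example": GATED, "b.example": UNGATED, "news.example": "<p>news</p>"}
CRAWL = {"TX": dict(PAGES), "NY": dict(PAGES)}
```

A site appearing in `av_sites` for the state without a mandate is the spill-over signal; `adult_compliance` is the share of self-labelled adult sites on which a provider was detected.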

What did we find?

  • Age verification providers were found on over 1500 websites in both Georgia and Texas, two states with age verification mandates. About 30 of these websites are among the top 1000 websites.
  • Age verification providers are in use in over 500 websites in New York, despite the absence of age verification mandates in that state. The vast majority of these sites appear to be legally covered entities in other states, indicating a spill-over effect.
  • Despite the spill-over effect, compliance is still low — of sites that self-identify as serving primarily adult content, we only detect 13.7% and 14.8% using age verification in GA and TX respectively.
  • The market is highly concentrated on a few providers. The top third-party age verification providers were Yoti, VerifyMyAge, and Incode, with Yoti used in over 60% of covered sites.
  • We found that Yoti’s age verification methods collect a surprising amount of information, such as browser and device metadata. We believe that it is likely this information could be used to fingerprint a device.
  • Yoti’s credit card-based age estimation reveals to Stripe the first-party website that the user is attempting to access.[1]
  • Information about the user is shared with a variety of “fourth parties” beyond Yoti — including those that perform IP geolocation, process credit card information, or validate the user’s provided documents.
  • Yoti makes a number of claims that rely on client-side cryptography, including the immutability of captured images, which do not appear to hold up. We show that it is possible for a motivated attacker to bypass Yoti’s self-identified security goals; in fact, beyond using some sort of hardware-level attestation of captured images usually unavailable to browsers, we know of no way to achieve Yoti’s security claims.

Closing thoughts

1. Incomplete Compliance & Limited Effectiveness. We find that, in GA and TX, less than 15% of sites that self-label as adult venues enforce age verification. While this is likely a lower-bound estimate, it still indicates that many sites will choose not to engage in the protocol. Further, our analysis of Yoti indicates that their age verification suites may be circumventable.

It is unclear how much these mandates will be capable of restricting access to adult content, even if adoption were universal. On-device protections do not prevent willing or unwilling adult cooperation in bypassing these checks, nor do they prevent providers outside of the affected region from ignoring mandates. It may be that such behavior is incentivized, as privacy concerns and friction in the process may lead users to drive traffic (and therefore revenue) to non-compliant sites.

2. Need for effective privacy regulation. We encourage regulators to consider adopting straightforward requirements on age verification providers to ensure user privacy. Several third and fourth parties are used in Yoti’s age verification suite, and it is likely that our list is incomplete as we lack a complete picture of Yoti’s backend processes. Further, we found that Yoti’s privacy policies made unclear and somewhat conflicting statements about data retention and maintenance.

Mandatory, machine-readable disclosure of all fourth parties receiving data during the verification process, strict minimum data collection and distribution requirements, and strict penalties for failures to meet these standards could help ameliorate some of these concerns.

3. Alternative Proposals Need Time. Although there are proposals for privacy-preserving age estimation, these are largely academic and under-deployed. In particular, the Mobile Driver’s License (mDL) standard allows for age verification via zero knowledge proofs, providing no more information to the site than that the user is above a certain age as guaranteed by a trusted state authority.

Further work has been developed to turn mDL into anonymous credentials, sufficient for the web, but we note that deployment of such systems is still in its infancy.

From a privacy perspective, such standards are likely a superior solution to what is commonly deployed today; however, it is worth noting that adoption of these systems may increase the risk of censorship.

Poor deployment and design may allow government entities to revoke internet access for arbitrary citizens by invalidating their real-world IDs. The mDL specification, as defined today, does not specify how revocation works, yet must have this option to allow for PKI failures, driver’s license expiration, or ID revocation.

Censorship risks extend beyond the sites we examine here: without a significant shift in policy direction, age verification suites may eventually control users’ ability to participate in online speech. State-level mandates become unnecessary if sites adopt universal age verification to avoid regulatory risks. The absence of mandates does not mean the absence of verification: we uncover sites enforcing age verification in New York, where no verification law existed.

With Mississippi and others abroad requiring age verification checks for social media, what does this mean for the future of free and open communication on the web?

4. The SCOTUS Decision had Flaws. In 2025, the Supreme Court upheld Texas’ Age Verification law over free speech concerns in a 6-3 judgment. The Supreme Court’s majority decision — written by Justice Clarence Thomas — found that online age verification does not violate the First Amendment.

The majority decision characterizes online age verification as:

  • an effective way to separate minors (who can be restricted) and adults (who have a constitutional right to access affected content),
  • a “modest burden” unlikely to restrict speech of adults and similar to methods in place “for decades,” and
  • low-risk and unlikely to trigger individual privacy concerns because age verification providers “have every incentive to assure users of their privacy.”

Relying on these assumptions, the court found that age verification laws would only need to justify intermediate scrutiny, a significantly lower bar for restricting speech than the strict scrutiny applied in previous rulings.

This paper demonstrates that the privacy impact of online age verification is nontrivial, and that there are critical differences compared to in-person age checks. Users submit to having their photos, driver’s licenses, and location sent, together with sufficient high-entropy browser data to track them, all to a centralized authority. We leave it up to the security and privacy community to determine whether these privacy concerns represent a “reasonable” or “unreasonable” intrusion on users, but it is clear that a bartender need not gain universal knowledge of all patrons’ PII in an easily copyable and indefinitely retainable format — and share much of this data with various unknowable third parties.

Footnotes

  1. Following our bug disclosure, Yoti has indicated that they have fixed the issue with Stripe learning the first-party website. We have not confirmed this change.