Incognito Cat

Two Movies Playing on the Same Screen: Digital Age Verification and Data Breaches

Remember the 1991 Steve Martin comedy L.A. Story? There is a hilarious scene at an ATM with two lines of people. One line has regular folks withdrawing cash. Right next to it is a second line of polite criminals waiting to rob them. When it is their turn, one robber steps up and says something like, "Good evening, I'll be your robber tonight," as casually as a waiter taking your order at a restaurant.

That absurd setup feels eerily familiar today. Governments and tech companies keep pushing for stronger online age checks and identity verification to protect kids, limit access to adult content, or reduce social media harms. By early 2026, over half of U.S. states have passed or enacted laws requiring age verification for certain sites or platforms. More proposals keep coming, including biometric scans or digital IDs.

Yet headlines scream about fresh data breaches almost daily. Just in recent months:

We hand over more sensitive information (IDs, faces, addresses, even biometrics) to prove who we are online. Meanwhile, that same data ends up stolen, leaked, or sold to criminals. It is the same ridiculous split-screen reality: one side demands you prove your age and identity to log in or browse, while the other side makes your identity a prize for hackers.

The question is not just whether these verification systems work. It is whether piling on more personal data with various companies is worth the risk when breaches keep happening at this scale.

Age Restricted Purchase Fallacy

One common argument for online age verification is that it is no different from showing ID to buy alcohol or tobacco in person. But there is a huge difference in how these interactions play out.

In a store, you flash your physical ID to the clerk, they check your age, and hand it right back. The whole process ends there, with no copy made or data stored long-term. Online verification is far more invasive: it often requires uploading a digital copy of your ID plus a live selfie or video to prove it is really you holding it. What happens to that data afterward? The consumer usually has no real way to know or confirm.

Many sites claim they delete the information immediately after verification, but real-world breaches show those promises do not always hold up. For example, the Tea Dating Advice app suffered a major data breach in July 2025 when hackers accessed an unsecured legacy storage system on Google's Firebase platform. This exposed about 72,000 images, including roughly 13,000 selfies and government-issued IDs from users who signed up before February 2024, even though the app had shifted to new systems and claimed to handle verification data more securely.

Another stark case: In late September 2025, hackers compromised a third-party customer support provider used by Discord for age-related inquiries and verification. The breach lasted about 58 hours and potentially exposed sensitive details from support tickets, including government-issued ID photos (passports or driver's licenses) from around 70,000 users who had submitted them in regions requiring age checks.

The sad reality is we could list example after example of sensitive personal information being collected for "safety" reasons, only to get exposed later. This data (IDs, faces, addresses) can be misused in countless harmful ways, from identity theft to targeted scams. It is nothing like the quick, low-risk in-person retail check.

Don't Do It

More and more experts are starting to warn about the inherent dangers of age verification. Recently, a "Joint statement of security and privacy scientists and researchers on Age Assurance" was issued and signed by 371 security and privacy academics across 29 countries.

While acknowledging serious online harms to children, the letter strongly opposes rushed or broad deployment of these systems, arguing they risk causing more harm than good. Key concerns include:

The letter calls for a moratorium on deployments until scientific consensus emerges on efficacy, benefits, harms, and feasibility. It urges study of existing implementations (e.g., in the UK or Australia) and exploration of alternatives like better algorithm regulation, parental controls, or safer platform design without mandatory provider-side age checks.

Do No Harm

The prescriptive legal guidance on age verification varies widely, and it is not nearly as strict or consistent as the Know Your Customer rules that financial institutions must follow, and even those do not fully prevent data from being stolen. To date, no government has issued zero-knowledge IDs that would let you prove your age without handing over sensitive personal information.

We need to demand a better solution and start using the parental controls that are already built into phones, apps, and devices today. There is no easy fix for online harms to kids, but creating even more potential harms for everyone does not seem like the right answer.

Remember: we may not have anything to hide, but everything to protect.

#DigitalPrivacy #Privacy