Most of the coverage of age verification has been about the leaks. We have written about one of them ourselves: when a third-party vendor lost the government IDs of 70,000 Discord users, that was the predictable failure of a system built to hold identity documents at scale (we set out why in our earlier post on the Discord and Persona breaches). That post is about the breach. This one is about what comes before the breach, and what is being built around it. Because the breaches are the visible part. The quieter and more consequential development is the law itself, and the surveillance infrastructure it is steadily normalising.

Here is the state of play, plainly. Roughly half of US states have now enacted or are advancing laws that require online platforms, adult sites first, then online gaming, then social media, to verify the ages of their users. More of these laws take effect in 2026. They are not all identical, but they share a structure, and the structure is the problem. To know that a user is over a given age, a platform has to do one of two things: ask for a government-issued ID, or take a scan of the user's face. There is no third option that satisfies the law. You cannot confirm an age without first establishing an identity.

The age check is the front door. Identity collection is the building behind it.

§ 01 The substitution nobody voted for

The case for these laws is made in the language of child safety, and that case is sincere. Nobody reasonable wants children stumbling into pornography or being groomed in a gaming lobby. The intention is good. But intention is not architecture, and the architecture these laws require has a property their authors rarely discuss in public: it does not check ages, exactly. It checks identities, and infers ages from them.

When a law says "verify that this user is over eighteen," and the only practical way to comply is "collect this user's driving licence or scan their face," then in effect the law has mandated identity collection by every covered service. A pornography site that previously knew nothing about you now holds, or has handed to a contractor who holds, a copy of your government ID. A social network that you joined under a pseudonym now has your face on file, matched to your account. The age check is the stated purpose. Mass identity collection is the actual mechanism.

This is the substitution nobody voted for. Legislators voted to protect children. What they built, because of how the technology works, is a requirement that adults prove who they are in order to read, watch, or speak online. Civil-liberties advocates have been clear about this for some time. As NBC News reported, those advocates warn that the effect of these laws is to surveil adults, and a court in Virginia has already cited the First Amendment in pushing back against the approach.

§ 02 Every covered service becomes a honeypot

Consider what a covered platform now has to be, given the law. It has to hold, for at least some window of time, a population's worth of government IDs and facial scans. Not a handful. Everyone who wants to use the service. That is a database of legal identities, tied to accounts, indexed and queryable. In security terms there is a word for a store of high-value data that an attacker would very much like to reach. It is a honeypot, and these laws turn ordinary websites into honeypots by operation of statute.

[Figure: How an age check becomes an identity store. Your ID and face scan (what you hand over) → age check, "over 18? y/n" (a single yes/no) → stored identity honeypot, waiting to leak (what actually persists).]
The law only needs a yes or a no. To produce it, the system collects and retains far more, and what it retains is the part that leaks.

The logic here is not complicated, and it is worth stating without drama. Mass identity collection guarantees mass identity leakage. Not because any one company is careless, though some are, but because the aggregate of thousands of services each holding millions of identity records, over years, produces breaches as a statistical certainty. The Discord incident was not a freak event. It was an early, visible instance of a pattern that these laws make universal. When you require everyone to collect identity, you have, in the same act, required identity to be lost. The breach is not the exception to the policy. The breach is the policy, played forward in time.

§ 03 People can feel the shape of this

One of the more interesting things about age verification is that ordinary people, who do not read security blogs and have never heard the word "honeypot," have nonetheless reacted to it as if they understood the trade exactly. The instinct is correct even where the vocabulary is absent.

In the United Kingdom, where age-verification rules came into force, the public response was immediate and legible. A petition to repeal the rules gathered around 500,000 signatures within days. At the same time, downloads of some VPN services spiked by more than 1,000 percent, as people reached for the most obvious available tool to put themselves outside the reach of the checks. You do not download a VPN to protect a child. You download it to protect yourself. The surge is a measurement of how many adults experienced the new rules not as a safety feature but as a thing to evade.

Advocates warn that age-verification laws, in practice, surveil adults rather than protect children, and a Virginia court has cited the First Amendment in pushing back.

NBC News, "Age verification laws: advocates express concerns"

The corporate response told a similar story from the other side. In February 2026, Discord delayed the rollout of its own age-assurance system after sustained user backlash, with many of those users pointing directly at the breach of a third-party customer-service company that had already exposed 70,000 government IDs. A company does not delay a compliance feature it is keen to ship unless the cost of going ahead, in trust and in risk, has become visibly too high. Both reactions, the petition and the postponement, are people and institutions registering the same fact: an age check is the visible surface, and an identity database is what lies underneath it.

§ 04 Surveillance arrives as a feature, not a coup

It is worth being precise about why this matters beyond any single leak. Surveillance infrastructure rarely arrives announced as surveillance. It arrives as a feature with a sympathetic name, attached to a problem nobody wants to be seen defending. Child safety is the ideal vehicle. Who stands against it? And so the machinery gets built, service by service, statute by statute, each step defensible in isolation, until the cumulative result is a web in which using the internet as an adult means continuously proving your identity to private companies who keep the proof.

As one analysis of the trend put it, the same tools being deployed for child safety double as instruments of internet-wide surveillance, and the privacy concerns this raises, covered in detail by reporting on the new social-media rules, are not hypothetical. They are the direct, foreseeable consequence of asking every service to hold what only a passport office used to hold.

None of this is an argument that children should not be protected. It is an argument that the chosen method protects them by surveilling everyone else, and that there are designs which avoid the trade entirely. The right response to "we must collect identity to keep people safe" is not louder collection. It is to ask whether identity needs to be collected at all.

The breaches are not accidents. Mass identity collection guarantees mass identity leakage. The only safe identity store is the one that was never built.

§ 05 The only data that cannot leak is the data you never collect

This is where our own position is, we think, simple to the point of being almost boring. OpenDescent asks for no government ID. It asks for no phone number. It asks for no email. There is no sign-up form with a field for any of these, because there is no central account at all. Your identity is a cryptographic key generated on your own device, and we explain why a key beats an assigned identifier in our post on why we will never ask for your phone number.

The consequence is direct. If a service holds no identity, there is nothing to verify, nothing to collect, and nothing to leak. We cannot lose your ID in a breach, because we never asked for it. We cannot be compelled to hand over a face-scan database, because no such database exists. We cannot be turned into a honeypot, because there is no central store to fill. This is what we mean when we say privacy at OpenDescent is architecture rather than policy. A policy is a promise a company makes about what it will do with the data it holds. Architecture is the simpler and more durable guarantee that there is no data to hold in the first place.

We are not pretending this solves the underlying policy fight. Whether and how to protect children online is a serious question, and reasonable people will disagree about the answers. But on the narrow question of identity, the engineering is settled and has been for years. A system can prove things about a person, including that they hold a particular key, without that system ever storing who the person is. The internet does not have to be built as a sequence of identity checkpoints. It can be built so that there is nothing at the checkpoint to inspect.
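The claim above, that a service can check that someone holds a particular key without storing who they are, shown as an added sketch (not OpenDescent's code): an Ed25519 challenge-response using Node's built-in crypto module. The `Service` class, the `example-login-v1:` label and the 30-second nonce lifetime are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Domain-separation label (constructed) so a login signature cannot be reused elsewhere.
const CONTEXT = Buffer.from('example-login-v1:');
const fingerprint = (spkiDer) => crypto.createHash('sha256').update(spkiDer).digest('hex');

// Device side: the identity is a key pair generated locally; the private key never leaves.
function createDeviceIdentity() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { privateKey, publicDer: publicKey.export({ type: 'spki', format: 'der' }) };
}
const signChallenge = (device, nonce) =>
  crypto.sign(null, Buffer.concat([CONTEXT, nonce]), device.privateKey);

// Service side (hypothetical): stores key fingerprints only. No name, ID, phone or email.
class Service {
  constructor() { this.accounts = new Set(); this.pending = new Map(); }
  register(publicDer) { this.accounts.add(fingerprint(publicDer)); }
  issueChallenge() {
    const nonce = crypto.randomBytes(32);
    this.pending.set(nonce.toString('hex'), Date.now() + 30000); // 30 s lifetime
    return nonce;
  }
  verify(publicDer, nonce, signature) {
    const nonceId = nonce.toString('hex');
    const expiry = this.pending.get(nonceId);
    this.pending.delete(nonceId); // single use: a replayed nonce finds nothing
    if (expiry === undefined || Date.now() > expiry) return false;
    if (!this.accounts.has(fingerprint(publicDer))) return false;
    const key = crypto.createPublicKey({ key: publicDer, format: 'der', type: 'spki' });
    return crypto.verify(null, Buffer.concat([CONTEXT, nonce]), key, signature);
  }
}

function demo() {
  const service = new Service();
  const alice = createDeviceIdentity();
  const other = createDeviceIdentity(); // a different device with a different key
  service.register(alice.publicDer);

  const nonce = service.issueChallenge();
  const sig = signChallenge(alice, nonce);
  const ok = service.verify(alice.publicDer, nonce, sig);
  const replay = service.verify(alice.publicDer, nonce, sig); // same nonce again
  const nonce2 = service.issueChallenge();
  const wrongKey = service.verify(alice.publicDer, nonce2, signChallenge(other, nonce2));
  return { ok, replay, wrongKey, stored: [...service.accounts] };
}
console.log(demo());
```

Everything the service retains is in `stored`: one SHA-256 fingerprint of a public key per account, which identifies a key and nothing about the person holding it.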

If you would rather not file your identity with one more company, OpenDescent gives you private, end-to-end encrypted messaging with no ID, no phone number, and no email. Nothing to verify, because there is nothing to collect.

§ 06 What to keep in view

The thing to watch, as more of these laws take effect through 2026, is the quiet drift in what is considered normal. A few years ago, the idea of uploading a passport to read a website or join a chat would have struck most people as absurd. With each statute and each rollout, it becomes a little more ordinary, a little more expected, a little harder to refuse. That normalisation is the surveillance, more than any single database is. The databases come and go and leak. The expectation, once it settles, is what stays.

Normal people doing normal things, reading, talking, joining a group, should not have to surrender their legal identity to do them. That is not a fringe position. It is the default we all lived under until very recently, and it is worth keeping. The technology to keep it exists. The question is only whether we choose to build on it, or keep building checkpoints instead.
