i'm not a fan of id verification on the internet. the web was supposed to be open and anonymous. but i've had to update my priors. unrestricted internet access has harmed more under-16s than it's helped, and the evidence is hard to argue with.
tiktok is a slot machine engineered for compulsive engagement served to children with no defence against it. discord is an unrestricted chat platform where strangers can reach your child privately and persistently. and then there's snapchat, an app built around disappearing images, aggressively marketed to teenagers. we all know what's going on on there. the core mechanic, send something and leave no trace, is not neutral design.
i'm not calling for censorship. but i'm also not naive. i was 13 when a kid pulled out his phone at 7am before school and showed a group of us an execution video he'd found on some gore site. that's not a niche experience. most people my age have a version of that story. the stuff children are casually exposed to online would have been considered deeply disturbing if you'd encountered it anywhere else.
you're not going to stop a determined teenager. vpns exist, and any regulator who thinks blocking vpns is a viable solution is technically incompetent and should be kept far away from infrastructure decisions. but friction matters. if you slow something down by 1%, fewer people do it. that's not a controversial claim, it's just how behaviour works. you don't need to stop everyone. you just need to raise the floor.
the problem is the method.
what's actually happening
ios 26.4 landed in the uk this week with a system-level age check. no third-party modal, no selfie sent to a startup. a settings prompt resolved in under two seconds via face id against your apple account and existing payment method. it just works.
this is in response to the uk's online safety act, which requires age verification for any platform with content harmful to minors. the regulation is legitimate. the implementation across the rest of the web has been a mess.
here's who the internet decided to trust with your government id:
persona — used by reddit and roblox. discord ran a trial with them before a vendor breach that leaked users' scanned ids turned into a PR disaster
epic games' kids web services — yes, the fortnite company. bluesky trusts them with your identity
facial ai — easily defeated by holding a photo of someone older in front of your camera. nordvpn saw a 1,000% spike in uk purchases the day the act came into force. proton vpn got 1,400% more signups. the child protection act became the biggest vpn marketing campaign in british history
credit cards — the least-bad option, but excludes anyone without one
each platform picks a different vendor. different retention policies, different security, different breach history. you're not verifying your age. you're scattering copies of your identity across companies you've never heard of.
ssl already solved this
in the early web every site handled its own tls. the fix wasn't asking users to evaluate each site's cryptography. it was a root certificate authority structure. you trust mozilla. mozilla trusts a set of root cas. those cas issue certificates. the site learns nothing about you except that the cert is valid.
identity should work the same way.
i verify my age once, with apple. apple attests to it. when a site needs to know if i'm over 18, it requests an attestation from the os, exactly like a camera or location permission. i get a prompt: "this site is asking to confirm you're over 18." i allow it. the site gets a signed yes. no name, no dob, no face, no id. just a boolean signed by a root it can verify.
navigator.identity.requestClaim({ type: 'age', minimum: 18 })
the root attestors would be a small governed set: apple, google, gov.uk verify, eu eid frameworks. you verify once with something you already trust. the claim is minimal, age >= 18 as a boolean. the site never sees your actual age.
the infrastructure for this already exists. apple's declared age range api does exactly this for app store purchases. webauthn proves the os can attest credentials without exposing the underlying secret to the relying party. the w3c verifiable credentials spec was designed for this problem. the pieces are there.
the real risk
the ssl analogy has one failure mode: root cas get compromised. diginotar. comodo. governments leaning on cas for surveillance certificates. for identity the stakes are higher. a bad actor with root access can map exactly who verified their age for what and where.
so it needs zero-knowledge proofs to make attestations unlinkable across sites, even from the issuing root. multiple independent roots with separate governance. user-controlled revocation. no centralised log.
solvable. just harder than what's shipping, which is probably why nobody's done it.
what we have instead
discord chose persona. bluesky chose epic games. everyone else chose whoever had the cheapest api and a compliance checkbox. the uk mandated the outcome with no minimum standard for how to achieve it, so the market produced the cheapest thing that ticks the box.
that's not child protection. that's a surveillance apparatus with a data breach on a timer, dressed up as keeping kids safe.
apple is accidentally building the right thing in the wrong scope. the ios 26.4 ux is correct: system-level, no third party, done in seconds. it just needs to be an open protocol, not an apple product. any browser, any governed root attestor, working across the open web.
the technology exists. the will doesn't. because doing it properly means platforms lose the identity data they're currently hoarding under the cover of compliance.