This blog also appears in our Age Verification Resource Hub: our one-stop shop for users seeking to understand what age-gating laws actually do, what’s at stake, how to protect yourself, and why EFF opposes all forms of age verification mandates. Head to EFF.org/Age to explore our resources and join us in the fight for a free, open, private, and yes—safe—internet.
EFF is against age gating and age verification mandates, and we hope we’ll win in getting existing ones overturned and new ones prevented. But mandates are already in effect, and every day many people are asked to verify their age across the web, despite prominent cases of sensitive data getting leaked in the process.
At some point, you may have been faced with the decision yourself: should I continue to use this service if I have to verify my age? And if so, how can I do that with the least risk to my personal information? This is our guide to navigating those decisions, with information on what questions to ask about the age verification options you’re presented with, and answers to those questions for some of the most popular social media sites. Even though there’s no way to implement mandated age gates in a way that fully protects speech and privacy rights, our goal here is to help you minimize the infringement of your rights as you manage this awful situation.
Follow the Data
Since we know that leaks happen despite the best efforts of software engineers, we generally recommend submitting the absolute least amount of data possible. Unfortunately, that’s not going to be possible for everyone. Even facial age estimation solutions where pictures of your face never leave your device, offering some protection against data leakage, are not a good option for all users: facial age estimation works less well for people of color, trans and nonbinary people, and people with disabilities. There are some systems that use fancy cryptography so that a digital ID saved to your device won’t tell the website anything more than if you meet the age requirement, but access to that digital ID isn’t available to everyone or for all platforms. You may also not want to register for a digital ID and save it to your phone, if you don’t want to take the chance of all the information on it being exposed upon request of an over-zealous verifier, or you simply don’t want to be a part of a digital ID system.
If you’re given the option of selecting a verification method and are deciding which to use, we recommend considering the following questions for each process allowed by each vendor:
- Data: What info does each method require?
- Access: Who can see the data during the course of the verification process?
- Retention: Who will hold onto that data after the verification process, and for how long?
- Audits: How sure are we that the stated claims will happen in practice? For example, are there external audits confirming that data is not accidentally leaked to another site along the way? Ideally these will be in-depth, security-focused audits by specialized auditors like NCC Group or Trail of Bits, instead of audits that merely certify adherence to standards.
- Visibility: Who will be aware that you’re attempting to verify your age, and will they know which platform you’re trying to verify for?
We attempt to provide answers to these questions below. To begin, there are two major factors to consider when answering these questions: the tools each platform uses, and the overall system those tools are part of.
In general, most platforms offer age estimation options like face scans as a first line of age assurance. These vary in intrusiveness, but their main problem is inaccuracy, particularly for marginalized users. Third-party age verification vendors Private ID and k-ID offer on-device facial age estimation, but another common vendor, Yoti, sends the image to their servers during age checks by some of the biggest platforms. This risks leaking the images themselves, and also the fact that you’re using that particular website, to the third party.
Then, there’s the document-based verification services, which require you to submit a hard identifier like a government-issued ID. This method thus requires you to prove both your age and your identity. A platform can do this in-house through a designated dataflow, or by sending that data to a third party. We’ve already seen examples of how this can fail. For example, Discord routed users' ID data through its general customer service workflow so that a third-party vendor could perform manual review of verification appeals. No one involved ever deleted users' data, so when the system was breached, Discord had to apologize for the catastrophic disclosure of nearly 70,000 photos of users' ID documents. Overly long retention periods expose documents to risk of breaches and historical data requests. Some document verifiers have retention periods that are needlessly long. This is the case with Incode, which provides ID verification for TikTok. Incode holds onto images forever by default, though TikTok should automatically start the deletion process on your behalf.
Some platforms offer alternatives, like proving that you own a credit card, or asking for your email to check if it appears in databases associated with adulthood (like home mortgage databases). These tend to involve less risk when it comes to the sensitivity of the data itself, especially since credit cards can be replaced, but in general still undermine anonymity and pseudonymity and pose a risk of tracking your online activity. We’d prefer to see more assurances across the board about how information is handled.
Each site offers users a menu of age assurance options to choose from. We’ve chosen to present these options in the rough order that we expect most people to prefer. Jump directly to a platform to learn more about its age checks:
Meta – Facebook, Instagram, WhatsApp, Messenger, Threads
Inferred Age
If Meta can guess your age, you may never even see an age verification screen. Meta, which runs Facebook, Threads, Instagram, Messenger, and WhatsApp, first tries to use information you’ve posted to guess your age, like looking at “Happy birthday!” messages. It’s a creepy reminder that they already have quite a lot of information about you.
If Meta cannot guess your age, or if Meta infers you're too young, it will next ask you to verify your age using either facial age estimation, or by uploading your photo ID.
Face Scan
If you choose to use facial age estimation, you’ll be sent to Yoti, a third-party verification service. Your photo will be uploaded to their servers during this process. Yoti claims that “as soon as an age has been estimated, the facial image is immediately and permanently deleted.” Though it’s not as good as not having that data in the first place, Yoti’s security measures include a bug bounty program and annual penetration testing. Researchers from Mint Secure found that Yoti’s app and website are filled with trackers, so the fact that you’re verifying your age could be not only shared to Yoti, but leaked to third-party data brokers as well.
You may not want to use this option if you’re worried about third parties potentially being able to know you’re trying to verify your age with Meta. You also might not want to use this if you’re worried about a current picture of your face accidentally leaking—for example, if elements in the background of your selfie might reveal your current location. On the other hand, if you consider a selfie to be less sensitive than a photograph of your ID, this option might be better. If you do choose (or are forced to) use the face check system, be sure to snap your selfie without anything you'd be concerned with identifying your location or embarrassing you in the background in case the image leaks.
Upload ID
If Yoti’s age estimation decides your face looks too young, or if you opt out of facial age estimation, your next recourse is to send Meta a photo of your ID. Meta sends that photo to Yoti to verify the ID. Meta says it will hold onto that ID image for 30 days, then delete it. Meanwhile, Yoti claims it will delete the image immediately after verification. Of course, bugs and process oversights exist, such as accidentally replicating information in logs or support queues, but at least they have stated processes. Your ID contains sensitive information such as your full legal name and home address. Using this option not only runs the (hopefully small, but never nonexistent) risk of that data getting leaked through errors or hacking, but it also lets Meta see the information needed to tie your profile to your identity—which you may not want. If you don’t want Meta to know your name and where you live, or rely on both Meta and Yoti to keep to their deletion promises, this option may not be right for you.
Google – Gmail, YouTube
Inferred Age
If Google can guess your age, you may never even see an age verification screen. Your Google account is typically connected to your YouTube account, so if (like mine) your YouTube account is old enough to vote, you may not need to verify your Google account at all. Google first uses information it already knows to try to guess your age, like how long you’ve had the account and your YouTube viewing habits. It’s yet another creepy reminder of how much information these corporations have on you, but at least in this case they aren’t likely to ask for even more identifying data.
If Google cannot guess your age, or decides you're too young, Google will next ask you to verify your age. You’ll be given a variety of options for how to do so, with availability that will depend on your location and your age.
Google’s methods to assure your age include ID verification, facial age estimation, verification by proxy, and digital ID. To prove you’re over 18, you may be able to use facial age estimation, give Google your credit card information, or tell a third-party provider your email address.
Face Scan
If you choose to use facial age estimation, you’ll be sent to a website run by Private ID, a third-party verification service. The website will load Private ID’s verifier within the page—this means that your selfie will be checked without any images leaving your device. If the system decides you’re over 18, it will let Google know that, and only that. Of course, no technology is perfect—should Private ID be mandated to target you specifically, there’s nothing to stop it from sending down code that does in fact upload your image, and you probably won’t notice. But unless your threat model includes being specifically targeted by a state actor or Private ID, that’s unlikely to be something you need to worry about. For most people, no one else will see your image during this process. Private ID will, however, be told that your device is trying to verify your age with Google and Google will still find out if Private ID thinks that you’re under 18.
If Private ID’s age estimation decides your face looks too young, you may next be able to decide if you’d rather let Google verify your age by giving it your credit card information, photo ID, or digital ID, or by letting Google send your email address to a third-party verifier.
Email Usage
If you choose to provide your email address, Google sends it on to a company called VerifyMy. VerifyMy will use your email address to see if you’ve done things like get a mortgage or paid for utilities using that email address. If you use Gmail as your email provider, this may be a privacy-protective option with respect to Google, as Google will then already know the email address associated with the account. But it does tell VerifyMy and its third-party partners that the person behind this email address is looking to verify their age, which you may not want them to know. VerifyMy uses “proprietary algorithms and external data sources” that involve sending your email address to “trusted third parties, such as data aggregators.” It claims to “ensure that such third parties are contractually bound to meet these requirements,” but you’ll have to trust it on that one—we haven’t seen any mention of who those parties are, so you’ll have no way to check up on their practices and security. On the bright side, VerifyMy and its partners do claim to delete your information as soon as the check is completed.
Credit Card Verification
If you choose to let Google use your credit card information, you’ll be asked to set up a Google Payments account. Note that debit cards won’t be accepted, since it’s much easier for many debit cards to be issued to people under 18. Google will then charge a small amount to the card, and refund it once it goes through. If you choose this method, you’ll have to tell Google your credit card info, but the fact that it’s done through Google Payments (their regular card-processing system) means that at least your credit card information won’t be sitting around in some unsecured system. Even if your credit card information happens to accidentally be leaked, this is a relatively low-risk option, since credit cards come with solid fraud protection. If your credit card info gets leaked, you should easily be able to dispute fraudulent charges and replace the card.
Digital ID
If the option is available to you, you may be able to use your digital ID to verify your age with Google. In some regions, you’ll be given the option to use your digital ID. In some cases, it’s possible to only reveal your age information when you use a digital ID. If you’re given that choice, it can be a good privacy-preserving option. Depending on the implementation, there’s a chance that the verification step will “phone home” to the ID provider (usually a government) to let them know the service asked for your age. It’s a complicated and varied topic that you can learn more about by visiting EFF’s page on digital identity.
Upload ID
Should none of these options work for you, your final recourse is to send Google a photo of your ID. Here, you’ll be asked to take a photo of an acceptable ID and send it to Google. Though the help page only states that your ID “will be stored securely,” the verification process page says ID “will be deleted after your date of birth is successfully verified.” Acceptable IDs vary by country, but are generally government-issued photo IDs. We like that it’s deleted immediately, though we have questions about what Google means when it says your ID will be used to “improve [its] verification services for Google products and protect against fraud and abuse.” No system is perfect, and we can only hope that Google schedules outside audits regularly.
TikTok
Inferred Age
If TikTok can guess your age, you may never even see an age verification notification. TikTok first tries to use information you’ve posted to estimate your age, looking through your videos and photos to analyze your face and listen to your voice. By uploading any videos, TikTok believes you’ve given it consent to try to guess how old you look and sound.
If TikTok decides you’re too young, appeal to revoke their age decision before the deadline passes. If TikTok cannot guess your age, or decides you're too young, it will automatically revoke your access based on age—including either restricting features or deleting your account. To get your access and account back, you’ll have a limited amount of time to verify your age. As soon as you see the notification that your account is restricted, you’ll want to act fast because in some places you’ll have as little as 23 days before the deadline passes.
When you get that notification, you’re given various options to verify your age based on your location.
Face Scan
If you’re given the option to use facial age estimation, you’ll be sent to Yoti, a third-party verification service. Your photo will be uploaded to their servers during this process. Yoti claims that “as soon as an age has been estimated, the facial image is immediately and permanently deleted.” Though it’s not as good as not having that data in the first place, Yoti’s security measures include a bug bounty program and annual penetration testing. However, researchers from Mint Secure found that Yoti’s app and website are filled with trackers, so the fact that you’re verifying your age could be leaked not only to Yoti, but to third-party data brokers as well.
You may not want to use this option if you’re worried about third parties potentially being able to know you’re trying to verify your age with TikTok. You also might not want to use this if you’re worried about a current picture of your face accidentally leaking—for example, if elements in the background of your selfie might reveal your current location. On the other hand, if you consider a selfie to be less sensitive than a photograph of your ID or your credit card information, this option might be better. If you do choose (or are forced to) use the face check system, be sure to snap your selfie without anything you'd be concerned with identifying your location or embarrassing you in the background in case the image leaks.
Credit Card Verification
If you have a credit card in your name, TikTok will accept that as proof that you’re over 18. Note that debit cards won’t be accepted, since it’s much easier for many debit cards to be issued to people under 18. TikTok will charge a small amount to the credit card, and refund it once it goes through. It’s unclear if this goes through their regular payment process, or if your credit card information will be sent through and stored in a separate, less secure system. Luckily, these days credit cards come with solid fraud protection, so if your credit card gets leaked, you should easily be able to dispute fraudulent charges and replace the card. That said, we’d rather TikTok provide assurances that the information will be processed securely.
Credit Card Verification of a Parent or Guardian
Sometimes, if you’re between 13 and 17, you’ll be given the option to let your parent or guardian confirm your age. You’ll tell TikTok their email address, and TikTok will send your parent or guardian an email asking them (a) to confirm your date of birth, and (b) to verify their own age by proving that they own a valid credit card. This option doesn’t always seem to be offered, and in the one case we could find, it’s possible that TikTok never followed up with the parent. So it’s unclear how or if TikTok verifies that the adult whose email you provide is your parent or guardian. If you want to use credit card verification but you’re not old enough to have a credit card, and you’re ok with letting an adult know you use TikTok, this option may be reasonable to try.
Photo with a Random Adult?
Bizarrely, if you’re between 13 and 17, TikTok claims to offer the option to take a photo with literally any random adult to confirm your age. Its help page says that any trusted adult over 25 can be chosen, as long as they’re holding a piece of paper with the code on it that TikTok provides. It also mentions that a third-party provider is used here, but doesn’t say which one. We haven’t found any evidence of this verification method being offered. Please do let us know if you’ve used this method to verify your age on TikTok!
Photo ID and Face Comparison
If you aren’t offered or have failed the other options, you’ll have to verify your age by submitting a copy of your ID and matching photo of your face. You’ll be sent to Incode, a third-party verification service. In a disappointing failure to meet the industry standard, Incode itself doesn’t automatically delete the data you give it once the process is complete, but TikTok does claim to “start the process to delete the information you submitted,” which should include telling Incode to delete your data once the process is done. If you want to be sure, you can ask Incode to delete that data yourself. Incode tells TikTok that you met the age threshold without providing your exact date of birth, but then TikTok wants to know the exact date anyway, so it’ll ask for your date of birth even after your age has been verified.
TikTok itself might not see your actual ID depending on its implementation choices, but Incode will. Your ID contains sensitive information such as your full legal name and home address. Using this option runs the (hopefully small, but never nonexistent) risk of that data getting accidentally leaked through errors or hacking. If you don’t want TikTok or Incode to know your name, what you look like, and where you live—or if you don't want to rely on both TikTok and Incode to keep to their deletion promises—then this option may not be right for you.
Everywhere Else
We’ve covered the major providers here, but age verification is unfortunately being required of many other services that you might use as well. While the providers and processes may vary, the same general principles will apply. If you’re trying to choose what information to provide to continue to use a service, consider the “follow the data” questions mentioned above, and try to find out how the company will store and process the data you give it. The less sensitive information, the fewer people have access to it, and the more quickly it will be deleted, the better. You may even come to recognize popular names in the age verification industry: Spotify and OnlyFans use Yoti (just like Meta and TikTok), Quora and Discord use k-ID, and so on.
Unfortunately, it should be clear by now that none of the age verification options are perfect in terms of protecting information, providing access to everyone, and safely handling sensitive data. That’s just one of the reasons that EFF is against age-gating mandates, and is working to stop and overturn them across the United States and around the world.