Last month, I watched a 67-year-old man upload a photo of his driver’s license to verify his age on a website. The site wanted to confirm he was over 18. He wasn’t buying anything sketchy – just trying to access a bourbon review forum that got caught up in Louisiana’s new age verification law. That image of his ID, complete with his address and personal details, got processed by a third-party verification company he’d never heard of.
This is the reality we’re sliding into. What started as a well-intentioned effort to protect kids online has become a massive data collection operation that most people don’t understand until it’s too late.
Your ID Is Worth More Than You Think
Here’s what nobody tells you about age verification: your government-issued ID is digital gold. It contains everything a data broker dreams about – your full name, address, date of birth, and often your height, weight, and a biometric photo that facial recognition systems can use forever.
When you upload that ID to verify your age, you’re not just proving you’re over 18. You’re handing over the keys to your identity to companies that operate in the shadows. Most people have no idea who Yoti, Jumio, or Onfido are, but these companies are processing millions of IDs every month.
The data doesn’t just disappear after verification either. Despite what their privacy policies claim, these companies are building massive databases of verified identities. They’re connecting your real identity to your browsing habits, creating profiles that make Facebook’s data collection look quaint.
The Surveillance State We’re Building by Accident
Age verification is creating something we never voted for: a comprehensive tracking system for adult internet use. Think about what happens when these laws spread. Every adult website, every forum that discusses “mature” topics, every platform that hosts user-generated content will demand your ID.
Suddenly, there’s a digital paper trail of everywhere you go online. Your curiosity about cryptocurrency forums, your questions on relationship subreddits, your late-night Wikipedia deep dives – all tied to your real identity and stored in corporate databases with questionable security.
The UK is already heading this direction. Their Online Safety Act requires age verification for any site with “harmful” content, which includes basically everything more controversial than a cooking blog. France wants to implement similar measures. Several US states are copying each other’s legislation word for word.
We’re sleepwalking into a world where anonymous browsing becomes impossible, and most people don’t realize it’s happening.
The Security Holes Nobody Talks About
Age verification companies love to brag about their security, but their business model depends on storing exactly the data that criminals want most. Government IDs are the holy grail of identity theft. They’re not like credit card numbers that you can cancel and replace – your driver’s license number is yours for life in many states.
Jumio got breached in 2019. Onfido had security researchers find vulnerabilities in their systems multiple times. These aren’t fly-by-night operations – they’re the big players that major platforms trust with your data.
But here’s the real kicker: when these companies get breached, you’ll probably never know. They’re not like banks or credit card companies that have to notify you immediately. Most age verification companies aren’t even regulated like financial institutions, despite handling equally sensitive data.
The verification process itself creates additional risks. That photo of your ID travels across multiple servers, gets processed by artificial intelligence systems, and often gets stored “temporarily” in cloud systems that span multiple countries with different privacy laws.
The Consent Theater Problem
Every age verification system makes you click “I consent” before uploading your ID. This is theater. Real consent requires understanding what you’re agreeing to, and these privacy policies are deliberately incomprehensible.
Take Yoti’s privacy policy – it’s over 5,000 words of legal jargon that essentially says “we can use your data for whatever we want and share it with whoever we think needs it.” They reserve the right to process your information for “fraud prevention,” “regulatory compliance,” and my personal favorite: “legitimate business interests.”
What are those legitimate business interests? They don’t say. Could be advertising. Could be selling aggregated data to market research companies. Could be building facial recognition databases for law enforcement. You’ll never know, because you already consented.
The worst part is that this consent isn’t really optional. When a state law requires age verification to access a website, you can’t meaningfully consent to data collection. You either give up your privacy or you give up access to the site. That’s not consent – that’s coercion.
What Your Data Actually Funds
Age verification companies aren’t running charities. They’re venture capital-backed businesses that need to show growth and profits. Your ID data is their product, even if they never sell it directly.
These companies are building comprehensive identity verification services for other industries. The facial recognition system that verifies you’re 18 on a website today becomes the employee screening tool tomorrow. The address verification that confirms your ID today becomes the credit check system next year.
They’re also perfect acquisition targets for data brokers, surveillance companies, and yes, government agencies. When a company like Clearview AI can scrape billions of photos from social media to build facial recognition databases, imagine what they’d pay for a database of verified government IDs tied to browsing habits.
The Alternatives Nobody Implements
The frustrating thing about this whole mess is that privacy-preserving age verification exists. Zero-knowledge proof systems can verify you’re over 18 without revealing your exact age, name, or address. Digital credentials could let you prove your age without uploading photos of your ID to random companies.
But these solutions require cooperation between tech companies, government agencies, and privacy advocates. They’re more expensive to implement than just outsourcing verification to the highest bidder. Most importantly, they don’t generate valuable data that can be monetized later.
So we’re stuck with the surveillance option, dressed up as child protection, powered by our collective privacy ignorance.
The next time a website asks for your ID to verify your age, remember: you’re not just proving you’re an adult. You’re helping build the infrastructure for a world where anonymous internet use becomes impossible. That might be a trade-off you’re willing to make, but at least make it knowingly.