Paula Livingstone

Age Without Identity

An under-16 social media ban need not become a national identity layer for the internet. The fear that age checks are digital ID through the back door is well founded, but only if we ask the wrong question. The right one is not who this person is, but whether a platform can know only that they are over 16. Privacy-preserving credentials and zero-knowledge proofs answer it: a narrow, unlinkable, session-bound proof that reveals no name, no face, no document. The standard should be brutal and simple: prove the attribute, not the person.

I was thinking about the recent announcements around banning under-16s from social media, and the almost immediate outcry that this could become digital ID through the back door.

That concern is not stupid. In fact, it is exactly the right suspicion to have. Whenever a government says, “we only need to check one small thing,” the obvious question is: what machinery must be built to check it? If every citizen has to prove something about themselves before accessing ordinary parts of the internet, then we are no longer merely discussing child protection. We are discussing infrastructure. And infrastructure, once built, tends not to remain confined to its original purpose.

The crude version of age verification is easy to imagine. Upload a passport. Upload a driving licence. Submit a selfie. Let a platform, or a third-party verifier, inspect the evidence and decide whether the user may proceed. That solves one problem by creating a much larger one. It turns social media access into an identity-document transaction. It creates databases of names, dates of birth, images, document numbers, account linkages and behavioural trails. It gives platforms, vendors and possibly governments exactly the kind of identity exhaust that a free society should be extremely reluctant to generate.

But there is a better question hidden underneath the argument.

The question is not: “How can a platform discover who this person is?”

The question is: “How can a platform know only that this person is over 16?”

Those are radically different questions.

Proving an attribute, not a person

A properly designed system would not require the platform to learn a person’s name, address, exact date of birth, passport number, school, parent, face, or government identifier. It would require only a narrow proof: this user satisfies the predicate “age is at least 16.” Nothing more.

That is where privacy-preserving credentials and zero-knowledge proofs become interesting. The model is straightforward. A trusted issuer, perhaps a passport authority, bank, mobile provider, school identity provider, or certified age-assurance service, checks the person’s age once. It then issues a signed digital credential to the user’s wallet or device. Later, when the user tries to access a social media service, the platform does not ask for the credential itself. It asks for proof of one derived fact: over 16, yes or no.

The user’s device then generates a cryptographic proof that says, in effect: “I hold a valid credential from a trusted issuer, and the date of birth inside that credential makes me at least 16.” The proof does not reveal the date of birth. It does not reveal the name. It does not reveal the document. It does not even need to reveal which credential was used. The platform receives only a yes/no age result and proof that the result was honestly derived from a trusted source.

This is the distinction that matters. Digital ID means identifying the person. Age assurance should mean verifying a narrow attribute. If the platform learns who you are, the design has already failed. If the issuer learns every site you visit, the design has already failed. If every platform sees the same reusable identifier and can collude to track you across the web, the design has already failed. A privacy-preserving age system must be unlinkable, minimal and bound to a single session.

Binding the proof to the moment

That last point matters. The proof should not be a reusable token that can be copied and passed around. It should be bound to the specific site, the specific login challenge, and the specific moment in time. Otherwise a 17-year-old could simply generate a proof and hand it to a 13-year-old. A better design ties the credential to a private key held in the user’s device, ideally protected by secure hardware. The platform still does not know the user’s identity, but it knows that the proof came from the rightful holder of the credential and was generated for this session.
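The binding described above, sketched as an added example (not code from the original post): a Schnorr proof of possession of the holder key whose Fiat-Shamir challenge covers the site origin, the platform's nonce and a timestamp, so a copied proof fails at any other site or session. The group parameters, function names and result strings are assumptions for illustration; the holder public key is shown to the verifier here only to keep the sketch short, whereas an unlinkable credential scheme would hide it inside the proof.

```python
import hashlib, secrets, time

# Toy group chosen for brevity (assumption): a real deployment would use a
# vetted prime-order group and keep the holder key hidden inside the proof.
P = 2**255 - 19
G = 2
ORDER = P - 1  # exponents are reduced modulo P - 1 (Fermat's little theorem)

def public_key(secret):
    return pow(G, secret, P)

def challenge(pub, commit, origin, nonce, issued_at):
    # The Fiat-Shamir hash covers the session context, so the proof only
    # verifies for this site, this login challenge and this timestamp.
    data = f"{pub}|{commit}|{origin}|{nonce}|{issued_at}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def prove(secret, origin, nonce, issued_at):
    """Device side: prove possession of the holder key for one session."""
    k = secrets.randbelow(ORDER)
    commit = pow(G, k, P)
    c = challenge(public_key(secret), commit, origin, nonce, issued_at)
    return {"commit": commit, "response": (k + c * secret) % ORDER,
            "origin": origin, "nonce": nonce, "issued_at": issued_at}

class Verifier:
    """Platform side: issues nonces and accepts each one at most once."""
    def __init__(self, origin, max_age=60):
        self.origin, self.max_age, self.pending = origin, max_age, set()

    def new_nonce(self):
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, pub, proof, now=None):
        now = time.time() if now is None else now
        if proof["origin"] != self.origin:
            return "wrong-origin"
        if proof["nonce"] not in self.pending:
            return "unknown-or-replayed-nonce"
        if not 0 <= now - proof["issued_at"] <= self.max_age:
            return "stale"
        c = challenge(pub, proof["commit"], self.origin, proof["nonce"], proof["issued_at"])
        if pow(G, proof["response"], P) != proof["commit"] * pow(pub, c, P) % P:
            return "bad-proof"
        self.pending.discard(proof["nonce"])  # single use: a replay now fails
        return "ok"
```

The check covers copied or replayed proofs only; it does not stop the rightful holder from generating a fresh proof for someone else's session, which is why the text places the key in secure hardware on the user's own device.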

This is not magic, and it is not a complete social solution. Children will still try to evade controls. Platforms will still have commercial incentives to retain users. Governments will still be tempted to expand whatever powers they are given. But technically, the false choice is unnecessary. We do not have to choose between no age checks at all and a national identity layer for the internet.

The line worth defending

The right standard should be brutal and simple: prove the attribute, not the person.

If the state wants platforms to exclude under-16s, then the burden should fall on the state and the platforms to implement that requirement without building a general-purpose identity checkpoint. The proof should be local, minimal, unlinkable and non-revealing. The platform should receive no more than: “over 16: true.” The issuer should not know where the proof was used. Other platforms should not be able to correlate the same user. The system should not create a permanent identity trail.

That is the line worth defending.

An under-16 social media ban may or may not be good policy. That is a separate argument. But if such a rule is imposed, it must not become the excuse for normalising identity presentation as the price of ordinary internet access. Age assurance can be designed as a privacy-preserving predicate proof. If instead it becomes passport upload, face scan, database lookup, or state-backed login, then the critics will have been right: it will not be child protection alone. It will be digital ID through the back door.