With the aim of protecting minors from smartphone addiction, governments and security agencies are moving forward with universal identity verification laws. The risk is enormous: opening the door to greater control and the digitization of mass surveillance.
Security agencies (like Interpol and Europol) and conservative groups have been losing the battle for control of the Internet since the mid-nineties. They've just found a way to win it: through the argument of "cell phone addiction" and child protection.
As of March 17, 2026, Brazil has enacted Law 15.211/2025, known as the Digital ECA. It prohibits self-declaration (the simple button saying "I am over 18") and requires app stores and operating systems to verify age, under penalty of up to fifty million reais or service blocking for non-compliance. In Argentina, there are several projects and NGO requests underway. Australia, Denmark, France, Spain, the UK, and several states in the United States: all have moved forward with some version.
Public conversation is dominated by concerns over harm to children and adolescents on digital platforms. Despite discussions about its scope and obvious factors that are overlooked, such harm is likely. The stated intention of lawmakers is to protect them, and in many cases, it is genuine. However, the technical architecture being created under this premise almost always ends up compromising anonymity. The exception that was announced as proof that it could be done differently, a European app with supposedly adequate privacy standards, was hacked within two minutes by editing a configuration file the day after its launch (I will elaborate on this later). And officials, instead of abandoning the idea, are doubling down.
Why this matters to you
If the whole system worked as promised, what would be lost?
In 2021, a massive data breach at RENAPER (the National Registry of Persons) exposed data from tens of millions of Argentine citizens. In this country, and in others in the region, whether the promise that "your data is safe" holds can mean the difference between safety and repression or murder. In 2024, according to Voces del Sur, there were 3,700 documented assaults against journalists in 17 countries in the region; 49% came from state actors. Fourteen journalists were killed. This is the institutional reality upon which universal identification on the Internet is proposed.
Almost any implementation of age verification that touches a state database (Mi Argentina, an API from RENAPER, or future digital ID systems) leaves a central record of which citizen verified their age to access which application and when. That verification record, cross-referenced with other data, can be used to infer what is being accessed: patient forums, porn platforms, sexual health apps, LGBT communities, you name it. And the promise of "this system will not use that data" in the exclusive hands of the State is worth exactly what the decree supporting it is worth. If the application changes, if the architecture is modified by internal resolution, or if a court order demands it, the rules change without anyone needing to hack anything. This has happened before: in 1942, the U.S. government used data from the 1940 civil census (collected with an explicit promise of confidentiality) to discriminate against 120,000 people of Japanese descent. There was no hacking. The only thing that changed was the purpose for which the data was used.
And all of this occurs in an institutional context that should not be overlooked. In April, Peter Thiel visited Buenos Aires; rumors circulated about contracts for Palantir to manage information from Argentine public agencies. We discussed it at 421 before, and the point is this: the question is no longer whether state data exists. It’s who operates it, under what rules, and with what rhetoric. Names matter. When universal identification is called "protection," surveillance is termed "security," and a "backdoor for the good guys" is a vulnerability for everyone, the battle is fought in language rather than architecture.
The friction that currently exists to identify someone on the internet (the fact that it requires investigation, guarantees, court orders) is what protects against abuses in a functional democracy. A society where identification is the default state and maintaining anonymity is the exception that must be justified is a qualitatively different society. It not only increases surveillance: it institutionalizes it.
The push against anonymity on the internet is not a new fight. In the mid-nineties, the Clinton administration attempted to impose a backdoor for the government in encrypted systems (the Clipper Chip); the industry, cryptographers, and the public forced its withdrawal. In 2014, when Apple began encrypting iPhones by default, FBI director James Comey launched the Going Dark campaign: he claimed that encryption made it impossible to investigate crime. In 2016, the FBI demanded Apple’s help to unlock the iPhone of the San Bernardino attacker; Apple refused. More recently, EARN IT in the United States and Chat Control in the European Union proposed scanning encrypted communications in the name of combating child abuse, but they have yet to be approved. Hundreds of cryptographers signed open letters explaining the same old story: backdoors "only for the good guys" are mathematically impossible.
The pattern is always the same. The justification is a real and serious harm. The proposed tool is general: surveillance or weakened encryption for everyone, not just for suspects. Critics point this out; proponents adjust their rhetoric; they return with the same idea under another name. Universal age verification is the 2026 version of these excessive solutions.
The actors currently pushing for age verification are diverse. Security agencies and online decency groups have not gone away; they found a wrapper that public opinion approves. But there is another, less commented actor: the platforms themselves. In May 2025, Meta, Spotify, Match Group, and Garmin formed a joint lobby to push age verification onto Apple and Google at the app store level. Each has different calculations. Some (Meta, YouTube) already operate internal age inference systems based on analyzing the behavior of each account: one more data point for profiling users and training models. Others simply want the legal problem to fall on someone else. The convergence against privacy does not require conspiracy. It requires many actors, for different reasons, to arrive at the same point.
The European exception that wasn't
On April 15, 2026, the President of the European Commission, Ursula von der Leyen, presented the European age verification app as "technically ready" and "completely anonymous." She announced its pilot phase in seven countries, compared it to the COVID certificate app, and stated that platforms "no longer have excuses." The Commission published the source code on GitHub.
What the European app promises is genuinely different from what currently exists on the market, and it is the flagship argument of age verification advocates. When a site asks you to verify your age, you're likely to end up uploading a photo of your ID and a selfie to a private company like Persona or Yoti, which processes that data on its servers. That processing is far more extensive and less secure than most people imagine: in February of this year, researchers downloaded 53 megabytes of source code from a poorly configured server belonging to Persona, the company that provides identity verification for OpenAI, LinkedIn, and others. The code analysis showed that the system runs 269 checks on each person, cross-references faces against a database of politicians and world leaders, scans online content for links to fourteen categories of crime, and reports to a parallel platform connected to the U.S. Treasury. Facial biometrics are retained for up to three years. Documents, even longer. That's the reality.
In contrast, the European app has an interesting architecture. An official document is read via NFC on the phone. Processing occurs in the device's secure enclave. Credentials are single-use and rotate, making it difficult for different sites to build the same profile by cross-referencing information. It was also designed to be double-blind: the verifier of your age doesn't know which site you're visiting; the site doesn't know who verified you. The specification also includes a cryptographic layer in Annex B that would allow proof of being over 18 without revealing your age or identity. This is the promise of zero-knowledge cryptography (zero-knowledge proofs, or ZKPs): the math has allowed it for years. Politics, until now, has not used it.
I wrote an analysis of the prototype on the same day. I acknowledged the advancement over the Persona model. I saw some potential for the European app, in a strict configuration and for a limited purpose: to confirm that an adult is an adult, just once, and then let parental control operate at the operating system level of the device, without transmitting a single piece of data to the platforms.
I should have waited a bit longer before writing it.
Twenty-four hours after the announcement, security consultant Paul Moore demonstrated that the public implementation of the app contained flaws that allowed anyone with physical access to a rooted device to breach local defenses in under two minutes. The ZKP layer mentioned in the specification was still not integrated and was only listed as "experimental."
The official response came five days later at a press conference. The spokesperson for the European Commission stated that the public repository is a demo, that the code will be updated, and that opening the code is precisely to allow the community to find flaws. The problematic part is not that the demo has issues. The problematic part is that this demo was announced seven days earlier as a technically ready solution, presented to the world as a model to copy, and the only political consequence of the hacking was to insist on the same path. Most countries will not wait for the final version or discuss the technical details before imitating it.
And even in the best imaginable scenario (NFC + ZKP + double-blind, all functioning), institutional incentives pull in another direction. In Australia, it was discovered that, in the absence of strict guidelines, providers were anticipating regulatory needs and building capabilities for law enforcement to track individual verifications. No one had asked them to do this, but the political incentives are already there, and companies are preparing. And they take the opportunity to collect data.
Let's sum up what we have: good cryptography that exists in theory but is not implemented, a long list of leaks, converging interests of states, platforms, and conservative groups, unforced errors by governments and companies, and a documented pattern of functions that grow beyond their original purpose. The cost imposed on civil society to solve a problem that admits less invasive solutions is, when examined closely, disproportionate. Errare humanum est, perseverare autem diabolicum, wrote Seneca. To err is human. To persist in error, when the damages are foreseeable and alternatives exist, raises suspicions.
VPNs as proof
If proof is needed that these projects exceed mere protection of minors, just look at what is happening with VPNs.
The British Online Safety Act came into effect in 2025. In the first month of the verification rules being applied, VPN app downloads in the UK surged by 1,400 percent. The Children's Commissioner for England described the situation as "a gap that needs to be closed." The French Minister Delegate for Artificial Intelligence and Digital Affairs stated in April that VPNs are "the next topic" on her agenda.
Calls to ban VPNs are not new. To this day, the countries that have maintained massive blocks have been regimes clearly identified with information control: China, Russia, Belarus, Iran. The UK, France, the United States, and the European Union are moving into that zone, step by step, in the name of child protection.
What could actually work
We need to be honest: applying differentiated measures for minors requires some mechanism to distinguish them. But "some" is not the same as "universal identity verification." There is a spectrum between the self-declaration button (which does nothing) and mandatory civil identification (which destroys the privacy of everyone). In the middle, there is room for parental control at the operating system level, where a parent or guardian sets up the device just once, and the platforms are none the wiser (Apple, Google, and projects like GrapheneOS already implement this). Age estimation through behavioral inference, which Meta and YouTube already do, is imperfect but auditable. For the inference to be acceptable, it would need to control the most sensitive aspects: data minimization and the specific use to which it is put. In the process, everything else that the platforms do with their users' information, which is already problematic without anyone asking for anything, would be audited. But the most important, and simplest, point is this: if the problem is that platforms expose minors to harm, the appropriate response is not just to identify minors but to stop designing abusive products. That protects children, other vulnerable populations, and adults, without asking anyone to scan their ID.
The other warning matters because it touches on the flip side of the same problem. An internet where all content must pass through a suitability filter for minors creates terrible incentives. Platforms, exposed to liability for anything a minor might see, adjust algorithms toward the safe side. This is already happening today with automatic moderation: punishing any mention of drugs, suicide, or sexual violence on social media where we drown in euphemisms. The victims are almost always the voices that need visibility the most: political satire, reporting on human rights violations, investigative journalism, harm reduction, comprehensive sexual education. Universal verification does not solve this. It amplifies it.
So, what can be done concretely? Impose better parental control mechanisms at the device and service level, so parents can decide what's best for their children. Regulate age inference mechanisms and other technical efforts that do not require extra data (like documents), with strict control over the use of that data. Ban dark patterns. Ban advertising targeted at minors. Require transparency about recommendation algorithms. Allow non-algorithmic timelines as an accessible and default option. Brazil's own Digital ECA prohibits dark patterns and behavioral advertising to minors. It's the best part of the law. The UK has had an Age-Appropriate Design Code for years that requires platforms to design with the understanding that minors may be present, without needing to identify each user.
These measures exist and are technically feasible. What they lack is political appeal. A press conference with an app is more marketable than a regulatory resolution on recommendation algorithms.
The question isn't whether to protect kids and teenagers or not. The answer is obvious, and no one in this discussion (neither lawmakers nor critics) opposes it.
The question is, what kind of Internet are we leaving for them when they grow up? Anonymity and pseudonymity are not luxuries for hackers or movie activists. They are the conditions under which a teenager seeks information about their gender identity in a family that wouldn’t accept them. Where someone with a diagnosis they prefer not to share enters a patient forum. Where a whistleblower talks to a journalist without fear of being jailed or hunted down. And they are, before any special case, the ordinary possibility of reading something (anything) without that reading being recorded permanently.
If on their eighteenth birthday they find themselves in a system where every access requires identification against a state database, where reading about something leaves a trace, where the difference between "citizen" and "suspect" is defined by an automated module whose criteria no one audits, where the tool to preserve some anonymity is illegal or suspicious because someone associated it with pornography, what we call cognitive sovereignty (the ability to read, think and communicate without every move being recorded) becomes the exception that needs justification.
That is what is being built. Not out of bad faith from each individual lawmaker (many sincerely believe they are doing the right thing) but through a convergence of actors who have had different objectives for decades and found a wrapper that public opinion does not reject.
The protection that kids need comes from regulating how platforms operate, not from identifying all users. The privacy, anonymity, and cognitive sovereignty that we all need require preserving those conditions by default, not as exceptions that need justification.