OpinionMandatory Age Verification: A Hidden Surveillance Concern

While both KOSA and Chat Control scaled back their most contentious provisions, they retained mandatory age verification, a subtle method that transforms anonymous browsing into identifiable tracking for everyone, according to Billions CEO Evin McMullen.

By Evin McMullen|Edited by Cheyenne Ligon Jul 9, 2026, 1:00 p.m. 5 min readMake preferred on ShareShare this articleCopy linkX (Twitter)LinkedInFacebookEmailMake preferred on

On June 29, two significant internet legislation initiatives were simultaneously advanced. The House in Washington approved the Kids Internet and Digital Safety Act, which is based on a revised Kids Online Safety Act, with a vote of 267 to 117. Meanwhile, in Brussels, negotiators engaged in what was termed the final trilogue on Chat Control 2.0, the EU's ongoing regulation aimed at child protection. Both initiatives faced extensive criticism and notably, both retreated.

The authors of the US bill abandoned KOSA's contentious “duty of care” provision, which critics argued would effectively turn platforms into censors. Similarly, EU negotiators removed the requirement for client-side scanning of private messages, a measure that would have undermined encryption for all users. Civil liberties advocates are rightly celebrating these partial victories.

However, it is crucial to note what remains intact in both cases: age verification. This quietly implemented measure, which has not garnered much opposition, significantly alters the internet experience for both adults and children.

Evin McMullen is co-founder and CEO of Billions Network, a company focused on developing privacy-preserving verifiable identities for individuals and AI agents.

At the heart of this debate lies a misleading binary that influential tech leaders have worked to normalize over the years: the notion that a secure and functional digital society requires sacrificing personal privacy. Larry Ellison of Oracle has openly endorsed a future characterized by constant AI surveillance, suggesting that this will encourage "citizens to behave appropriately." Bill Gates has emerged as a leading advocate for universal digital IDs, which he views as crucial infrastructure—though critics argue that this increasingly resembles the very surveillance systems it was intended to prevent. Both figures treat identification as a necessary cost of modern life, which it should not be.

This child-safety narrative obscures a significant issue. To verify a user's age, platforms must check the age and often the identity of every user, including adults. As noted by the Electronic Frontier Foundation this month, this process converts anonymous browsing into identifiable tracking, creating large, centralized databases of sensitive identity information, which are vulnerable to breaches, subpoenas, or sale. For many platforms forced to gather this data, it represents not an asset but a burden: a daunting obligation to safeguard information that their systems were not designed to handle, increasing the risk every time a new user logs in.

This situation is not merely theoretical. The UK serves as a cautionary example. Under the Online Safety Act, the Office of Communications (Ofcom) has initiated over 90 investigations and begun issuing fines, requiring users to provide government IDs or undergo facial recognition scans to access standard content. A single vendor reportedly manages age verification for about 60% of sites that require it, creating a concentration of identity documents that would alarm any security professional. While the stated aim is to protect children, the result is an identity-surveillance framework that impacts the entire population.

What is critical to understand—and what is largely absent from legislative discussions—is that verifying age does not necessitate collecting identity information. We have long had methods to confirm a fact about a person without exposing their identity. Using a zero-knowledge proof, an individual can demonstrate that they are over 18 or over 13 to a website without disclosing any personal details: no name, no birth date, and no documents to store. The proof is validated and then discarded, eliminating the creation of a data repository since no identity is retained.

The EU has made some progress in this area, having developed an age-verification application designed to allow users to prove they are over 18 “without sharing any other personal information.” This is the correct approach. The challenge, however, lies in the fact that laws requiring verification often do not specify the methods to be employed. They mandate the outcome—an age restriction—but leave the means to whichever vendor is the least expensive and most intrusive. The US KIDS Act encourages platforms to implement age checks without stipulating that these must be privacy-respecting. Consequently, the market gravitates toward ID uploads and facial scans, as they are the simplest options, leading to the default establishment of surveillance rather than a design-driven approach.

This is the crucial issue that must be addressed, yet it is overlooked because the discussion is framed incorrectly. Legislators present the choice as one between safety and freedom, while critics frame it as a matter of protection versus privacy. Both accept a flawed premise: that ensuring children are kept out of adult spaces necessitates identifying the adults. This is simply not the case. The real decision lies between two methods of age verification: one that minimizes data retention and forgets the user immediately after verification, and one that maximizes data and retains information indefinitely. Only the latter constitutes surveillance, and currently, it is the easiest path to follow.

The opportunity to advocate for the former method is now, as these bills are still in motion. The KIDS Act is heading to a doubtful Senate, while Chat Control 2.0 aims for political consensus in July. The principle that platforms should distinguish between adults and children has been largely accepted. What remains unresolved is whether this capability will rely on privacy-preserving methods or on extensive identity documentation uploads. This is a technical choice with significant implications for civil liberties, and it is currently being made, largely by default.

There is an additional compelling reason to resolve this issue correctly and promptly. The traditional classification of internet traffic as “bot or human” is beginning to fail: a verified third category is emerging—AI agents acting with authorization on behalf of individuals, organizations, and governments—who will soon require proof of their permissions without revealing their identities. The “Know Your Agent” concept will necessitate the same privacy-preserving frameworks we are currently discussing for human age verification. Making the right decision for human age checks will set a precedent for everything that follows. Conversely, a poor decision will embed surveillance into the identity framework of the internet for both humans and machines.