Tag Archives: age verification

Veriff on Age Verification With Birth Certificates

In the past, if you needed to check the age of a younger teenager or a child who didn’t have a driver’s license, you had two options:

  • Estimate their age.
  • Hope they had a passport.

While many (not all) people have a birth certificate, Veriff reminds us that digital age verification with a birth certificate is difficult.

“Processing civil documents at scale was once a legitimate operational nightmare. Birth certificates vary dramatically in format across states and countries, making manual extraction slow, inconsistent, and error-prone.”

Why the nightmare?

To examine the reasons for the birth certificate operational nightmare, let’s limit ourselves to the United States for the moment.

Driver’s licenses and similar IDs are challenging enough because they are issued by over 50 separate states and territories, and in several different formats (different driver license categories, non driver license IDs, plus special formats for minors and people below legal drinking age). So you’re talking about potentially thousands of formats.

But at least those are renewed every few years.


Birth certificate of a B.H. Obama II. From https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/birth-certificate-long-form.pdf

Birth certificates are often NOT renewed (although you could conceivably request a new copy). So as a state changes its birth certificate formats over the decades, it could go through multiple different formats. And in a few cities such as New York City, they issued their own birth certificates independently of the state.

To complicate things further, the security on birth certificates is rudimentary, or perhaps non-existent for older birth certificates. Compare to driver’s licenses which are always incorporating new security features. (And older driver’s licenses without those security features are no longer valid or accepted.)

In short, validating birth certificates is significantly harder than validating driver’s licenses, which is hard enough.

Can we verify birth certificates today?

Veriff says it’s becoming possible.

“Modern automated extraction technology changes that reality. What was once a processing bottleneck is now a scalable, deployable component of a serious compliance strategy.”

How?

“Unlike a standardized driver’s license with a predictable layout and a scannable barcode, birth certificates are heavily unstructured….Modern unstructured document technology eliminates this bottleneck. Advanced extraction tools use intelligent models to read and pull key details from complex civil documents, regardless of the layout. By accurately capturing the date of birth, parent or guardian information, and place of birth, these tools turn a clunky manual review process into a fast, scalable verification workflow.”

Apply enough processing power and enough smarts and you can solve anything.

Third/Fourth Party Risk Management and Age Verification

Let’s say a bar wants to check the ages of its patrons, but does not want to use the patron’s physical ID card (in my country, usually a driver’s license).

But a bar cannot perform digital age verification on its own. The bar has to contract with some other entity that knows how to do this.

This freaks some people out…massively.

“New cybersecurity research indicates that one of the world’s leading age verification providers collects and shares highly sensitive personal data—including facial photos and device fingerprints—with third parties.”

The research, conducted by the Georgia Institute of Technology and UC Irvine, focused on one of the big age verification vendors, Yoti.

“The research team determined that the process Yoti uses to verify a person’s age broadcasts the person’s personal information to third- and fourth-party companies….

“According to the researchers, the data is…sent to credit card companies, IP geolocation services, and data brokers. The researchers found that the information being shared can be used to identify and track devices. For example, a single verification attempt may transmit a user’s facial image, IP address, and device fingerprint to credit card companies.”

Yet to my knowledge the researchers did not propose an alternative.

Other than having each entity develop its own age verification system. Perhaps someone like Meta could do that, but Frank’s Bar certainly couldn’t.

Age verification is not unique in terms of data sharing. Third Party and Fourth Party Risk Management vendors encounter these issues all the time. And yes, sometimes companies that have other companies’ data are hacked. That’s why they use TPRM in the first place.

Image source: GET Group NA, https://apps.apple.com/us/app/get-mobile-verify/id1501552424.

And don’t forget that if you don’t use digital age verification, you’re going to use physical age verification, where the guy behind the bar learns EVERYTHING about you. I don’t think that’s necessarily better.

It’s time to think through the consequences of abandoning technology.

The Apple App Store, Texas, and Developers

Microsoft isn’t the only company that works with developers, developers, developers, developers, and developers. And in Apple’s case, governments are dictating the terms.

“Due to a recent court ruling lifting an injunction on Texas law SB 2420, new Apple Accounts in Texas are now subject to the law, which introduced age assurance requirements for app marketplaces and developers. As previously announced, this includes age assurance and parent or guardian consent on behalf of minors under the age of 18 for downloads, Apple In-App Purchases, and significant changes associated with an app. Parents or guardians will also be able to revoke their consent for any app they previously approved for their child.”

For those who say that these local government laws are too complex for vendors to implement…the vendors are figuring it out. Apple is specifically providing a Declared Age Range API for developer use.

And for those who don’t remember Microsoft’s commitment to developers

Why Does California Support Two Separate Digital Wallets For Its Mobile Driver’s License?

This morning I was attending a NIST webinar on mobile driver’s license use at financial institutions, and began looking at the services I could access in April 2026 with my California mobile driver’s license—financial and otherwise.

Of course I already knew that I could use my California mDL at the Transportation Security Administration checkpoint at Ontario International Airport. In fact, the mDL in my Apple Wallet (obtained in 2024) recorded the fact that I used my mDL at the airport on August 31, 2025.

Google Gemini.

But today I learned that some services are NOT available with the mDL in my Apple Wallet, but ONLY while using the “CA DMV Wallet” app.

So I downloaded the app, which I last used in my initial unsuccessful attempt to obtain an mDL. (I finally used Apple’s facility to get one.) I assumed that since I already had my mDL in my Apple Wallet, it would automatically show up in the app.

You know what happens when you assume. My buddy Google Gemini pointed it out to me.

“It’s a common point of confusion, but the Apple Wallet and the CA DMV Wallet app are actually two separate “containers” for your digital ID. Because California uses a secure, decentralized system, your mDL doesn’t automatically sync between them. Even if it’s already in your Apple Wallet, you have to go through a separate enrollment process to “provision” it into the DMV’s official app.”

Which meant that I had to enroll again and get another decentralized mDL, which I did. (After some difficulty; it took four separate attempts to capture my facial image, which was only successful when I went into a very dark room.)

Now that my mDL is in this second wallet, I could go ahead an enroll in the TruAge program for age verification at a private retailer.

Google Gemini.

As I type this, TruAge hasn’t processed my application.

And now for a word from our sponsor

Mobile driver’s licenses are a digital form of “something you have,” which is a factor of identity verification and authentication.

Would you like to learn about all six of the identity verification and authentication factors? (Not three. Not five.)

Learn more about the six identity factors.

Six identity factors. One Bredemarket ebook. Total identity protection. Purchase “Proving Humanity: The Six Factors of Identity Verification and Authentication.”

Four pages from "Proving Humanity: The Six Factors of Identity Verification and Authentication" by John E. Bredehoft, Bredemarket., Click on the image to purchase.

I Like Wildebeests. 4Chan Likes Hamsters. But There Are Serious Jurisdictional Issues Involved.

In a recent article, Biometric Update’s Joel R. McConvey manages to be silly and serious simultaneously. The topic? 4Chan’s non-compliance with Ofcom’s age control rules.

The silliness originated with 4Chan, not McConvey.

“In keeping with its generally adversarial stance, 4chan says it won’t follow Ofcom’s rules because “the United Kingdom lost the American Revolutionary War,” and as such UK speech law doesn’t apply to companies based in the U.S.”

Preston Byrne of 4Chan apparently incorporated a picture of a hamster in his response to Ofcom. Byrne explains why on X:

“I told Ofcom in Oct that their letters, which were not properly served, would be shredded for my pet hamster’s enclosure.”

But there are obviously serious issues involved: in a dispute involving multiple nations, which laws govern? In this case, the apparent conflicting laws are the United States’ First Amendment, which 4Chan maintains lets it say whatever it wants regardless of the ages of the people involved, and the United Kingdom’s Ofcom regulations, which Ofcom maintains lets it regulate any website accessible in the UK, including 4Chan.

Of course, there’s a way to handle these demands from competing jurisdictions: block the age-insistent jurisdiction from accessing the website at all. As of November 28, 2025, Pornhub is inaccessible from the following states (unless you use a VPN, wink, wink): Alabama, Arizona, Arkansas, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Mississippi, Missouri, Montana, Nebraska, North Carolina, North Dakota, Oklahoma, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, and Wyoming.

So 4Chan, Wikipedia, Meta, or anyone else who objects to UK age assurance regulations could simply block people in the UK from accessing its website. Google blocked Spanish access to Google Noticias (Google News) for years.

But it doesn’t appear that 4Chan is going to do that, instead opting for a “come over here and collect your stupid fines” stance.

Knowledge of Age Without Birthdate Does Not Provide Complete Privacy

In the past, I have gone on ad nauseam about how mobile driver’s licenses are more private than physical driver’s licenses. Here is how I stated it in July 2024:

“When you hand your physical driver’s license over to a sleazy bartender, they find out EVERYTHING about you, including your name, your birthdate, your driver’s license number, and even where you live.

“When you use a digital mobile driver’s license, bartenders ONLY learn what they NEED to know—that you are over 21.”

Which is extremely limited information.

But some age verification systems may provide your age in years, without necessarily revealing your exact date of birth.

That single number—whether it is 17, 27, or 57—reveals a lot more than we realize.

Let’s say that we know that Jill is 57 years old. This means that she was born in either 1968 or 1969. If Jill has lived her entire life in the United States, we immediately know several things about her with some certainty.

  • First, we know that she is part of Generation X, which means she may exhibit skepticism rather than corporate loyalty, and a comfort level with email rather than Telegram or what we now refer to as “voice calls.”
  • Second, we know the types of experiences she probably had in her childhood and teenage years. She probably played with Star Wars toys as a kid. She knew a little bit about Billy Carter, the funny Presidential brother. She feared for the lives of the hostages in Iran.
  • Third, we know the types of experiences she didn’t have. She never saw a cigarette commercial on TV. If she watched Star Trek, she saw it on an “independent” station, not on NBC during prime time. She never feared for the lives of the Israeli Olympians in Munich.

It’s not a lot to go on, and it may not be 100% accurate if Jill grew up in a household that viewed television as demonic.

But it’s enough for a product marketer to shape age-sensitive product marketing.

This isn’t true for all products. Biometric system marketing, for example, isn’t affected by the age of the government procurement officer who is buying the biometric system.

But if your product appeals to some ages more than others, knowing the ideal age of your target audience personas shapes your content. If your target audience is just out of college, “I can’t believe I ate the whole thing” is meaningless to them.

Why Did Apple Implement iPhone/iPad Age Verification in the United Kingdom?

There has been ongoing debate on whether age verification should be implemented at the website level or at the operating system level…or not at all.

In the United Kingdom, Apple is opting for OS level age verification, according to the BBC.

“Apple is rolling out age checks for iPhone and iPad users in the UK that will ask them to verify if they are adults to access “certain services” such as 18-plus apps.

“After customers accept the latest iOS 26.4 software update, they will be asked to verify their age, which they can do by providing a credit card or scanning their ID, according to an Apple support page.

“Those who do not confirm how old they are or are underage will have web content filters turned on automatically.”

Specifically, according to Apple:

“When creating a new Apple Account or using Apple services, you may see a prompt asking you to confirm that you’re an adult. This is required by law in some countries and regions.”

Regarding that last sentence, is OS level age verification REQUIRED? Silkie Carlo of Big Brother Watch says no:

“Carlo told the BBC she believed Apple had “crossed the Rubicon” with its new software update which she described as “more like ransomware”, and which she said essentially left millions of Brits owning a “child’s device”, unless they complied with the age checks.

“And she said while she believed children’s online safety was vital, it required more thoughtful tech responsibility and not “sweeping, draconian shock demands by foreign companies for all of our IDs and credit cards”.”

Note the appeal to resist the “American” company, which raises questions about whether Apple’s collection of this information potentially violates United Kingdom privacy laws if the data is sent to Cupertino.

For the record, Ofcom currently only requires age verification for pornographic sites, not for everything.

So why did Apple do it if UK law doesn’t require it?

Two reasons:

  • Future proofing. While the UK and other jurisdictions do not require age verification at the OS level now, they may require it at some point. If so, Apple has already implemented it in the UK (for iPhones and iPads) and can implement it elsewhere.
  • CYA. A jury in California awarded damages after finding that Meta and Google were responsible for a woman’s anxiety and depression, suffered because of her social media use as a child. Apple doesn’t want to face a similar lawsuit.

Incidentally, it’s interesting to note that these and other stories pair “Meta” and “Google.” Does no one refer to “Alphabet” (Google’s parent company) any more?

When Companies Can’t Target Prospects Under Age 16

If you’re on a platform such as Facebook, you sometimes receive advertisements that are VERY specific. Such as, “This is the perfect drink holder for California white males over the age of 50!” It’s almost as if they know everything about you…because they do.

Unless you implement privacy restrictions and don’t allow platform advertisers to reference your personal information.

Of course, if the advertiser isn’t able to narrowcast directly to you, the advertiser will broadcast to everybody.

And Facebook will start showing you advertisements in Chinese.

Qiaobi.

And if you complain to Facebook and ask why you’re seeing Chinese ads, Facebook will simply reply, “We are prohibited from using your personal information. Since there are a billion Chinese, we take a guess that you’re Chinese and show you those ads.”

Which brings us to age and social media.

The Under 16s Are Blocklisted

Back when Marky Mark created The Facebook, he initially targeted college-age users. But as time went on, Facebook and its competitors started aiming for younger ages.

This makes sense. Advertisers want to target consumers who are suspectible to changing their minds and are not set in their ways. So while a super kewl soft drink manufacturer isn’t going to target me, it is going to target 18 year olds…and 16 year olds…and 14 year olds…and 12 year olds.

A recent DKC report stated that 42% of all household spending is influenced by 8- to 14-year-olds, and that this age group is DIRECTLY spending over $100 billion per year.

So you can bet that advertisers are clamoring to purchase ad time on Facebook, TikTok, and the other social media services to get a pipeline to the brains of these 8 to 14 year olds…whoops, 12 to 14 year olds, since most social media services require you to be at least 12 years old to have an account.

But what if access to that entire age group is cut off entirely?

We’re seeing all over the world that jurisdictions are enacting or trying to enact bans on the use of social media for people under 16 years of age. The latest country to propose such a move is Indonesia:

“Authorities in the country, which is Southeast Asia’s largest economy, said Friday they expect social media platforms to deactivate the accounts of under-16s from March 28, starting with YouTube, TikTok, Facebook, Instagram, Threads, X, Bigo Live and Roblox.”

In other words, all the popular sites that teens love.

And in certain jurisdictions, the companies will implement age verification and age estimation technology to ensure that kids don’t like about their ages to get in.

Assuming these prohibitions stand, this causes a huge problem for B2C marketers that target teens: how do you market to them when the direct pipelines to this age group are cut off?

I’m just thankful that Bredemarket and its clients sell to adults. You don’t really see 13 year olds buying biometric technology.

Unintended Consequences of Age Assurance…and What Happens Next (VPNs vs. Zero Trust)

More and more jurisdictions are mandating age assurance (either age verification or age estimation) to access online services. Perhaps racy content, perhaps gambling content, or in some cases even plain old social media. But in a technical sense these age assurance mechanisms are a network problem…and you can just route yourself around a problem.

Your jurisdiction doesn’t allow you to visit the Sensuous Wildebeests website? Just install a virtual private network (VPN) to pretend that you’re in a different jurisdiction that allows access.

Problem solved…for now.

But Secrets of Privacy indicates what’s next:

“After the Online Safety Act triggered a 6,000+% surge in VPN usage, the House of Lords tabled an amendment to ban children from using VPNs. Under the proposal, VPN providers would have to verify the age of all UK users. The government has said it will “look very closely” at VPN usage.”

For more information on this proposal, see TechRadar.

Google Gemini.

And this is just one of many examples of government examination, and perhaps regulation, of VPN use.

But as Secrets of Privacy points out, there’s one big problem. VPN users aren’t only kids trying to dodge the law, or individuals trying to protect their privacy. There’s one very big class of VPN users who would NOT appreciate government regulation.

“VPNs are fundamental to modern business IT, which makes a “ban” hard to envision. Every corporation with remote workers uses them. Diverse industries, such as banking, law, finance, and ecom giants all depend on VPN technology. You can’t ban VPNs without breaking the backbone of modern IT systems.”

Google Gemini.

Of course, some argue that VPNs are an outmoded security mechanism. Here’s what Fortinet says:

“VPNs were developed when networks were different than they are now. Before the advent of cloud applications, resources were isolated within a secure corporate network perimeter. Now, modern networking infrastructures are being deployed that can quickly adapt and scale to new business requirements, which means applications and data are no longer contained within the corporate data center. Instead they reside across distributed multi-cloud and hybrid data center networks.

“This change has led to a rapid expansion of the attack surface, and in the face of this changing cybersecurity environment, Zero Trust Network Access (ZTNA) has received more attention as an alternative to VPNs for remote access.”

Of course, VPNs will fade away at the same time the password dies…in other words, not any time soon. And while Secrets of Privacy speculates about a two-tier solution in which corporations can use VPNs but individuals cannot…we’ll see.

Do you have trust, or zero trust, that VPNs will be regulated in ALL jurisdictions in the future?

Ask questions.