We’ve said it before: online age verification is incompatible with privacy. Companies responsible for storing or processing sensitive documents like drivers’ licenses are likely to encounter data breaches, potentially exposing not only personal data like users’ government-issued ID, but also information about the sites that they visit. 

This threat is not hypothetical. This morning, 404 Media reported that a major identity verification company, AU10TIX, left login credentials exposed online for more than a year, allowing access to this very sensitive user data. 

A researcher gained access to the company’s logging platform, “which in turn contained links to data related to specific people who had uploaded their identity documents,” including “the person’s name, date of birth, nationality, identification number, and the type of document uploaded such as a drivers’ license,” as well as images of those identity documents. Platforms reportedly using AU10TIX for identity verification include TikTok and X, formerly Twitter. 

Lawmakers pushing forward with dangerous age verifications laws should stop and consider this report. Proposals like the federal Kids Online Safety Act and California’s Assembly Bill 3080 are moving further toward passage, with lawmakers in the House scheduled to vote in a key committee on KOSA this week, and California's Senate Judiciary committee set to discuss  AB 3080 next week. Several other laws requiring age verification for accessing “adult” content and social media content have already passed in states across the country. EFF and others are challenging some of these laws in court. 

In the final analysis, age verification systems are surveillance systems. Mandating them forces websites to require visitors to submit information such as government-issued identification to companies like AU10TIX. Hacks and data breaches of this sensitive information are not a hypothetical concern; it is simply a matter of when the data will be exposed, as this breach shows. 

Data breaches can lead to any number of dangers for users: phishing, blackmail, or identity theft, in addition to the loss of anonymity and privacy. Requiring users to upload government documents—some of the most sensitive user data—will hurt all users. 

According to the news report, so far the exposure of user data in the AU10TIX case did not lead to exposure beyond what the researcher showed was possible. If age verification requirements are passed into law, users will likely find themselves forced to share their private information across networks of third-party companies if they want to continue accessing and sharing online content. Within a year, it wouldn’t be strange to have uploaded your ID to a half-dozen different platforms. 

No matter how vigilant you are, you cannot control what other companies do with your data. If age verification requirements become law, you’ll have to be lucky every time you are forced to share your private information. Hackers will just have to be lucky once. 

A Texas age verification law will rob people of anonymity online, chill access to speech for privacy- and security-minded internet users, and entirely block some adults from accessing constitutionally protected online content, EFF argued in a brief filed with the Supreme Court last week.

EFF joined the Woodhull Freedom Foundation in filing a friend-of-the-court brief urging the U.S. Supreme Court to grant review of—and ultimately overturn—the Fifth Circuit’s decision upholding the Texas law.

Last year, the state of Texas passed HB 1181 in a misguided attempt to shield minors from certain online content. The law requires all Texas internet users, including adults, to complete invasive “age verification” procedures on every website the state deems to be at least one-third composed of sexual material. Under the law, adult users must upload sensitive personal records—such as a driver’s license or other photo ID—to access any content on these sites, including non-explicit content. After a federal district court put the law on hold, the Fifth Circuit reversed and let the law take effect.

The Fifth Circuit’s decision disregards important constitutional principles. The First Amendment protects our right to access protected online speech without substantial government interference. For adults, this is true even if that speech constitutes sexual or explicit content. The government cannot burden adult internet users and force them to sacrifice their anonymity, privacy, and security simply to access lawful speech.

EFF’s position is hardly unique. Courts have repeatedly and consistently held similar age verification laws to be unconstitutional due to these and other harms. As EFF noted in its brief, the Fifth Circuit’s decision is an anomaly and has created a split among federal circuit courts. 

In coming to its decision, the Fifth Circuit relied largely on a single Supreme Court case from 1968, involving a law that required an in-person ID check to buy magazines featuring adult content. But online age verification is nothing like flashing an ID card in person to buy a particular physical item.

For one, HB 1181 blocks access to entire websites, not just individual offending magazines. This could include many common, general-purpose websites, so long as only one-third of the content is conceivably adult content. “HB 1181’s requirements are akin to requiring ID every time a user logs into a streaming service like Netflix, regardless of whether they want to watch a G- or R-rated movie,” EFF wrote.

Second, and unlike with in-person age-gates, the only viable way for a website to comply with HB 1181 is to require all users to upload and submit, not just momentarily display, a data-rich government-issued ID or other document with personal identifying information. In its brief, EFF explained how this leads to a host of serious anonymity, privacy, and security concerns.

For example, HB 1181 may permit the Texas government to log and track user access when verification is done via government-issued ID. As the trial court explained, the law “runs the risk that the state can monitor when an adult views sexually explicit materials” and threatens to force individuals “to divulge specific details of their sexuality to the state government to gain access to certain speech.”

Additionally, a person who submits identifying information online can never be sure if websites will keep that information or how that information might be used or disclosed. EFF noted that HB 1181 does not require all parties who may have access to the data—such as third-party intermediaries, data brokers, or advertisers—to delete that data. This leaves users highly vulnerable to data breaches and other security harms.

Finally, EFF explained that millions of adult internet users would be entirely blocked from accessing protected speech online because they are not in possession of the required form of ID.

There are less restrictive alternatives to mass online age-gating that would still protect minors without substantially burdening adults. The trial court, in fact, outlined several of these alternatives in its decision, based on the factual evidence presented by the parties. The Fifth Circuit completely ignored these findings.

EFF has been a steadfast critic of efforts to censor the internet and burden access to online speech. We hope the Supreme Court agrees to hear this appeal and reverses the decision of the Fifth Circuit.

The First Amendment requires courts to apply a robust balancing test before unmasking anonymous online speakers, EFF explained in an amicus brief it filed recently in a New York State appeal.

In the case on appeal, GSB Gold Standard v. Google, a German company that sells cryptocurrency investments is seeking to unmask an anonymous blogger who criticized the company. Based upon a German court order, the company sought a subpoena that would identify the blogger. The blogger fought back, without success, and they are now appealing.

Like speech itself, the First Amendment right to anonymity fosters and advances public debate and self-realization. Anonymity allows speakers to communicate their ideas without being defined by their identity. Anonymity protects speakers who express critical or unpopular views from harassment, intimidation, or being silenced. And, because powerful individuals or entities’ efforts to punish one speaker through unmasking may well lead others to remain silent, protecting anonymity for one speaker can promote free expression for many others.

Too often, however, corporate or human persons try to abuse the judicial process to unmask anonymous speakers. Thus, courts should apply robust evidentiary and procedural standards before compelling the disclosure of an anonymous speaker’s identity. 

Under these standards, parties seeking to unmask anonymous speakers must first show they have meritorious legal claims, to help ensure that the litigation isn’t a pretext for harassment. Those parties that meet this first step must then also show that their interests in unmasking an anonymous speaker outweigh the speaker’s interests in retaining their anonymity. In this case, the trial court didn’t require the German company to meet this standard, and it could not have in any event.

Courts around the United States have adopted various forms of this test, with EFF often participating as amicus or counsel. We hope that New York follows their lead.