Do Not Turn Child Protection Into Internet Access Control

Age verification is no longer a narrow mechanism for a few adult websites. Across Europe, the USA, the UK, Australia, and elsewhere, it is expanding into social media, messaging, gaming, search, and other mainstream services.

The real question is no longer whether age checks will spread. It is what kind of internet they are turning into.

The common framing says these systems exist to protect children. That concern is real. Children are exposed to harmful content, manipulative recommendation systems, predatory behavior, and compulsive platform design. Even adults are manipulated, quite succesfully, with techniques that can influence national elections.

Democracy at risk: media warfare and the role of technology in modern elections – Friends of Europe

The think tank for a more inclusive Europe

But from a technical and political point of view, age verification is not just a child-safety feature. It is an access control architecture. It changes the default condition of the network from open access to permissioned access. Instead of receiving content unless something is blocked, users increasingly have to prove something about themselves before a service is allowed to respond.

That shift becomes clearer when age assurance moves down into the operating system. In some US proposals, the model is no longer a one-off check at a website. It becomes a persistent age-status layer maintained by the OS and exposed to applications through a system-level interface. At that point, age verification stops looking like a limited safeguard and starts looking like a general identity layer for the whole device.

This is no longer only a proprietary-platform story either. Even the Linux desktop stack is beginning to absorb this pressure. systemd has reportedly added an optional birthDate field to userdb in response to age-assurance laws. Regulation is beginning to shape the data model of personal computing, so that higher-level components can build age-aware behavior on top.

The main conceptual mistake in the current debate is simple. It confuses content moderation with guardianship. Those are not the same problem.

Content moderation is about classification and filtering. It asks whether some content should be blocked, labeled, delayed, or handled differently. Guardianship is something else. It is the contextual responsibility of parents, teachers, schools, and other trusted adults to decide what is appropriate for a child, when exceptions make sense, and how supervision should evolve over time. Moderation is partly technical. Guardianship is relational, local, and situated in specific contexts.

I am also a parent. I understand the fear behind these proposals because I live with it too. Children do face real online risks. But recognizing that does not oblige us to accept any solution placed in front of us, least of all one that weakens privacy for everyone while shifting responsibility away from families, schools, and the people who actually have to guide children through digital life.

Age-verification laws collapse these two questions into one centralized answer. The result is predictable. A platform, browser vendor, app store, operating-system provider, or identity intermediary is asked to enforce what is presented as a child-protection policy, even though no centralized actor can replace the judgment of a parent, a school, or a local community.

This is the wrong abstraction. It treats an educational and social problem as if it were only an authentication problem.

It also fails on its own terms. The bypasses are obvious: VPNs, borrowed accounts, purchased credentials, fake credentials, and tricks against age-estimation systems. A control that is easy to evade but expensive to impose is not a serious compromise: it is an error or, one may say, a corporate data-grab.

The price is high and paid by everyone. More identity checks. More metadata. More logging. More vendors in the middle. More friction for people who lack the right device, the right papers, or the right digital skills. This is not a minor safety feature. It is a new control layer for the network.

And once that layer exists, it rarely stays confined to age. Infrastructure built for one attribute is easily reused for others: location, citizenship, legal status, platform policy, or whatever the next panic demands. This is how a limited check becomes a general gate.

The better path is simpler: separate the problems.

Moderate content close to the endpoint: in the browser, on the device, on the school network, or through trusted local lists. Keep guardianship where it belongs: with parents, teachers, schools, and communities that can make contextual decisions, authorize exceptions, and adjust over time.

The operating system can help here, but only as a local policy surface under the control of users and guardians. It should not become a universal age-broadcasting layer for apps and remote services. That is the architectural line that matters.

Most of the harms invoked in this debate do not come from the mere existence of content online. They come from recommendation systems, dark patterns, addictive metrics, and business models that reward amplification without responsibility. If the goal is to protect minors, that is where regulation should bite.

Children need protection. The internet does not need a permission system.

If we are serious about reducing harm, we should stop asking how to identify everyone and start asking how to strengthen local control without turning the network into a checkpoint.