Jun 1, 2026

Getting Age Verification (More) Right

Governments are moving towards mandatory online age verification. The UK's Online Safety Act requires “highly effective age assurance” for adult content and pornography sites. More than a dozen US states have passed similar laws covering pornography and social media platforms. Australia has legislated a social media ban for under-16s.

At Aztec Labs, we have serious disagreements with this direction. The evidence on the success of these blunt measures is mixed at best, and surveillance infrastructure built in the name of child safety tends to find new, troubling uses over time. We will continue to advocate against mandates that create surveillance infrastructure, regardless of their stated purpose.

However, if governments continue to march in this direction, there are verification systems that result in far less data collection and harm than others, and making the case for those systems is exactly why we engaged with this consultation.

Flaws in current approaches

Every age verification method currently deployed is either trivially bypassed or requires users to hand over far more personal data than the question demands.

Self-declaration is dead on arrival. Document-based checks, where users photograph their passport for remote review, create centralised databases of government IDs. As one example, in October 2025, photographs of government IDs belonging to approximately 70,000 Discord users were exposed after a breach at a verification vendor. Biometric age estimation degrades in accuracy at the boundaries that matter most, around 13 to 25, and requires users to submit a selfie to a third-party server.

Every centralised store of sensitive identity data is a target. This is the structural consequence of systems designed to collect more than they need.

Our position

Aztec Labs submitted a formal response to the UK government's consultation on children's online safety, led by our General Counsel Andre Omietanski.

We are sceptical of mandatory minimum ages for social media. Restrictions are easier to legislate than to enforce, and the data infrastructure built to enforce them will not stay narrowly scoped. We said this plainly in our submission.

If the government proceeds, the architecture of the systems it mandates matters more than the policy language that surrounds them. A system where verification happens on the user's device and no personal data is ever transmitted can deliver what the government promises. Most of the systems under active consideration cannot.

A better approach exists

Zero-knowledge proofs allow a user to prove a specific fact without disclosing any underlying personal information. Proving you are over 18 does not require revealing your date of birth, your name, or any other detail, as the proof is generated directly on the user's device. The service provider simply receives a cryptographic confirmation. Nothing else is transmitted off the user's device.

ZKPassport, which Aztec Labs acquired in May 2026, has been doing exactly this at scale. It reads the NFC chip built into passports and government IDs from over 130 countries, using the same ICAO standard that underpins airport e-gate systems globally. The proof cannot be forged, shared, or fabricated. No new documents, no new databases, and no new issuance infrastructure are required.

The EU has taken note. The European Union Digital Identity Wallet project, currently in pilot with seven member states, includes an age verification component built using Noir, the open-source zero-knowledge programming language originally developed by Aztec Labs, and open-source circuits from ZKPassport's library. All 27 member states are due to offer EUDI Wallets by the end of 2026.

What we are asking for

We are asking the UK government to do three things.

First, adopt privacy by design as a structural requirement. Age assurance methods that transmit or store personal data should not be certified as compliant with the Online Safety Act's data minimisation principles.

Second, recognise zero-knowledge proof-based verification within the existing UK Digital Verification Services trust framework. ZKPassport meets every effectiveness criterion the Consultation identifies: accurate, robust against circumvention, device-level, interoperable, and open-source.

Third, resist the instinct to restrict VPNs. VPNs serve legitimate privacy and security purposes. The answer to circumvention is better verification technology, not restrictions on the tools people use to stay safe online.

The stakes

The UK has an opportunity to set a global standard for how age verification gets done. The cryptographic infrastructure already exists. The technology is production-ready and built in Britain.

The alternative is a nationwide network of centralised identity databases attached to every platform citizens use. That is a security liability, and we think it will prove politically unsustainable once its implications become widely understood.

Read our full consultation response.