Speaking at a tech conference in Austin, Texas, Signal CTO Ehren Kret, criticized lawmakers for mandating age verification for technology platforms without accompanying privacy safeguards.
Governments in the United States, Europe, and other regions are moving forward with legislation requiring online platforms to verify users’ ages, following years of policies aimed at limiting data collection and strengthening privacy protections.
The European Union’s General Data Protection Regulation (GDPR), enacted in 2018, imposed strict requirements on companies to minimize data collection, improve storage practices, and comply with user requests for deletion. The law required significant compliance efforts across the technology sector.
Lawmakers are now pursuing measures designed to restrict minors’ access to online platforms, with mandatory age verification emerging as a central component. These proposals would require platforms to collect and process identity-related data to confirm users meet age requirements.
Ehren Kret, the CTO of Signal, an encrypted messaging platform known for its privacy-maximizing architecture, argues that these new age verification requirements directly contradict previous demands from regulators to protect privacy.
“The biggest thing that policymakers are missing at the moment,” Kret said, “and you’ve seen this with some of the ID leaks that have already occurred, is that they’re not actually requiring people [to] separate identification from verification.”
Kret made his comments at “Don’t Be Evil,” an annual tech conference hosted by the Austin-based company FUTO, which specializes in open source, self-hosted software designed to give consumers the opportunity to host their own data rather than surrender it to a third party company’s servers.
“If you’re going to build this [age verification] system in the first place,” Kret said, “you ought to at least require as well that it be private for people, because otherwise you’re just requiring half of it without the other half.”
More than a dozen countries have passed or are considering laws that would impose age verification requirements on social media platforms. In the United States, several states have introduced legislation, including California’s AB 1043, which proposes age verification at the operating system level.
Tech companies are already building the infrastructure to comply with such demands – Apple has already rolled out operating system-level verification in the UK.
Many of the proposals do not specify how verification systems should operate or what safeguards should be applied to the data collected. Kret said that current approaches may result in systems that link user identity directly to online activity.
Kret pointed to existing cryptographic methods, including zero-knowledge proofs, as a way to confirm eligibility without exposing additional personal data.
“Why would you require a system and then not also require that it is privacy-preserving as it can be?” he said. “Because it is not that hard to build.”
Zero-knowledge proofs allow one party to verify a claim — such as whether a user is over a certain age — without revealing underlying identity information. Kret said such systems could be implemented using established techniques.
“You can build a Zero Knowledge Proof system, and it’s relatively straightforward,” Kret said. “It just requires reading a few papers that have been around for 40 years at this point.”
Kret also cited Signal’s donation infrastructure as an example of separating identity from verification, describing a system in which users can prove participation without revealing which individual made a payment.
“All it shows is a receipt that proves you were one of the set of people who paid, but gives no idea which one,” Kret said.
The expansion of age verification requirements has raised broader questions about anonymity online. If identity verification becomes a prerequisite for access to digital services, anonymous participation could be reduced.
Data security concerns have also been highlighted. In a recent case, a breach involving a third-party verification provider exposed approximately 70,000 users’ government identification documents following an age verification rollout by Discord.
Lawmakers have emphasized protecting minors online, while proposals continue to focus on requiring verification systems, with fewer details on implementation standards or privacy safeguards.
Experts note that once identity-based verification systems are widely deployed, they may be difficult to modify or reverse due to the scale of infrastructure involved and the volume of data collected. The potential for leaks such as the Discord breach, meanwhile, threaten permanent exposure of people’s personal information on the dark web.
Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship.
COMMENTS
Please let us know if you're having issues with commenting.