Age verification is coming. Free Software can build it right.

Paulo Henrique

Tags: linux, security, privacy

In December 2025, Australia became the first country to ban under-16s from social media. Ten platforms (Instagram, TikTok, YouTube, Reddit, X and the rest) had to block minors or face fines of around 32 million USD. People lost their accounts overnight.
The UK is debating its own version right now. The House of Lords already voted in favor of an Australia-style ban. France, Spain, Greece, Norway, Denmark, Turkey, Indonesia, Brazil: the list keeps growing every month. If you build anything that touches users on the internet, age verification is going to be a new task on your Jira/Asana/whatever dashboard. It isn't an "if" situation; it's a matter of "when".

A few weeks ago, Brazil's internet steering committee invited me to a closed session with government bodies, the national data protection authority, and representatives from operating system vendors, to work through what our age verification law actually means for OSes in practice. A few weeks ago, I also wrote about a new child protection law passed in Brazil and how some people were creating FUD around it (the translated version is here on DEV). I went in to argue one narrow technical point and left convinced that the technical fight is the whole fight. Below are the arguments I made there, stripped of the local legal weeds, because I feel that this is a global problem, not just something happening in Brazil.

TL;DR: almost every age verification law is being implemented the wrong way. And the wrong way is the default unless engineers and Free Software activists start pushing back.

Yeah, that's me!

The wrong way is winning by default

What happens when a platform gets an age verification mandate and a legal deadline? The lawyers ask one question: what's the cheapest thing we can do that a regulator won't punish us for? And the cheapest, safest answer is almost always: ask for an ID.

Upload your passport. Scan your face. Type your government number. Give us a credit card. The platform gets a yes-or-no answer to a legal question, and as a bonus, it now holds a verified identity document tied to a real human. That document is an asset. It will be stored, analyzed, eventually breached, and in the worst cases, sold.

The EFF has been saying this for two years, and they are right: these laws keep pushing the debate toward identity, which is the wrong way. You just want to prove you are old enough to read an 18+ fanfic, and you end up handing your data to a third-party company that had a data breach last spring.

Proving your age shouldn't also require proving your identity. Those are two completely different problems. Age is a boolean. Identity is not.

When a service needs to know if you are old enough, it needs exactly one bit of information. Over 18: yes or no. That's it. It does not need your name, your birth date, your document, or your face. It needs a true/false statement.

We already have the cryptography and the technology to deliver exactly that. Verifiable credentials and zero-knowledge proofs let you prove a single attribute, "this person is over 18", without revealing anything else about who that person is. It works today, and standards bodies have been shipping it for years.

The design is almost boring once you see it. The operating system, or some trusted issuer, already knows your age. It hands the app a signed signal: over 18, true. The app reads the signal, makes its decision, and never sees a document. Responsibility for acting on the signal stays with the app. Your privacy stays with you, because nothing about your identity ever leaves your device.

Think of it like an SSH key. You generate it once. It proves one specific thing. You reuse it across machines without ever exposing the secret behind it. An age key could work the same way: a single credential that says "over 18" and nothing more, reusable on your phone and your laptop, readable by any app, traceable to no one.
We win, big tech companies lose.
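To make the "one signed bit" design concrete, here is an added example (mine, not code from the post or from any of the projects it mentions) in Go: a trusted issuer that knows the birth date emits only an over-18 flag bound to a device key, and the app verifies that flag without ever seeing a document. The wire layout, the function names and the use of plain Ed25519 signatures are my own assumptions for illustration; a real deployment would use a standard verifiable-credential format and hardware-backed key storage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// IsOver18 is the only code that touches a birth date; it runs on the issuer side.
func IsOver18(birth, now time.Time) bool { return !now.Before(birth.AddDate(18, 0, 0)) }

// Issue runs on the OS or trusted issuer. Credential layout (constructed for this
// example): one byte, 1 = over 18, then the 32-byte device public key it is bound
// to. No name, birth date or document is in it, so none can reach the app.
func Issue(issuerPriv ed25519.PrivateKey, holderPub ed25519.PublicKey, birth, now time.Time) (cred, sig []byte) {
	flag := byte(0)
	if IsOver18(birth, now) {
		flag = 1
	}
	cred = append([]byte{flag}, holderPub...)
	return cred, ed25519.Sign(issuerPriv, cred)
}

// Verify runs inside the app: check the issuer's signature, check that the presenter
// holds the bound device key (a signature over the app's fresh nonce, which blocks replay), then read the bit.
func Verify(issuerPub ed25519.PublicKey, cred, sig, nonce, holderProof []byte) (bool, error) {
	if len(cred) != 1+ed25519.PublicKeySize || !ed25519.Verify(issuerPub, cred, sig) {
		return false, errors.New("issuer signature invalid")
	}
	if !ed25519.Verify(ed25519.PublicKey(cred[1:]), nonce, holderProof) {
		return false, errors.New("holder proof invalid")
	}
	return cred[0] == 1, nil
}

// Flow runs the whole exchange with fresh keys and returns what the app learns.
func Flow(birth, now time.Time) (bool, error) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	cred, sig := Issue(issuerPriv, holderPub, birth, now)
	nonce := make([]byte, 32)
	rand.Read(nonce) // the app's challenge, fresh for every presentation
	return Verify(issuerPub, cred, sig, nonce, ed25519.Sign(holderPriv, nonce))
}

func main() {
	fmt.Println(Flow(time.Date(2000, 5, 1, 0, 0, 0, 0, time.UTC), time.Now()))
}
```

This is a plain signed attribute, not a zero-knowledge proof: the issuer learns the device key it binds to, so unlinkability across services needs the ZKP constructions the post refers to.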

Open source is in a weird spot here

I say this as someone who has been in the Linux and free software world since the late 90s and saw the whole "Linux is evil" campaign of the early 00s: a few governments have started carving out exemptions for open-source operating systems. On paper, that sounds like a win. In practice, it is a trap, and some people in the community have already spotted it.

Being exempt from implementing verification does not give you the right to access anything. If the law excuses the OS but still forces every app to verify age under threat of a fine, the app can simply block the open platform entirely in that region to avoid the risk. We have seen this movie before: streaming DRM that delivers half the resolution, or nothing at all, on Linux. The exemption that looks like a gift can quietly become a blocker for the common user.

And there's a second-order problem. If open systems are exempt, the easy move is to wave every check through, to "yes-man" the verification. That gives the proprietary side an excuse to harden their mechanisms until open implementations can't pass, even when they want to. Android's Play Integrity is the cautionary tale. Exemption is not a solution. It just moves the bill to a later date, and the bill always comes due.

The free software community is excellent at one thing: pointing out what governments got wrong. Write the thread, give the talk, share the article. I have done all three. What we are bad at is showing up first with what actually works.

Someone is going to set the standard

Here's what changed my mind about the whole debate.
In 2025, the European Union published an open-source age verification blueprint. Privacy-preserving, interoperable, and designed to prove you're over 18 without revealing anything else. The EU's age verification app is fully open source, works on any device, and each member state can adapt it to its own rules.

Let that sink in. The blueprint for privacy-respecting age checks, the kind of free software the community has been demanding, got shipped by a government bureaucracy while the community was busy filing objections.

This is the part where I get a little hopeful, which, honestly, isn't my natural mode.

The reference design exists. It is open. It is forkable. Any country willing to invest in it could adapt it, improve it, and ship a national age-assurance layer that proves an attribute without harvesting an identity. Whoever does that well first sets the global default, the same way the EU's cookie law ended up shaping consent banners on every site on earth, for better or worse.

I keep thinking that my own country could be that one. Brazil already ships open-source software across the public sector, runs one of the largest digital-identity stacks in the world, and is writing its own age-verification rules right now, with the regulator on record saying age checks should not become identity checks. Sitting in that session, hearing the data protection authority say out loud that age is not identity, I caught myself thinking the alignment is actually there: the political will, the public infrastructure, and a clean reference design from the EU waiting to be forked. The pieces are on the table, but we need to start using them to build something.

That is not a Brazil-specific argument. Swap in whatever country has open public infrastructure and a regulator that hasn't fully sold out to the "just collect the ID" companies. The point is that the good version of this is buildable today, and right now the bad version is winning purely because it's the path of least resistance.

So, what now?

Age verification is not going away. The bans are spreading faster than the standards, and every month, a new parliament copies the last one's worst implementation. If the community continues to just sit and wait, the default outcome is a planet where you have to hand over a government document to access any site, to write any comment. And we have no way to know how this data will be used, and by whom.

The better outcome is technically ready. Boolean signal, zero-knowledge proof, open protocol, widely accepted by any OS/device, just proving your age, and nothing else. We have everything for it to become a reality. What's missing is engineers deciding this is worth building.

So here's my question for you, wherever you build from: when age verification reaches your stack, are you going to ship the lazy version that asks for an ID, or the one that asks for a single bit of truth?

Because both are a choice. Only one of them respects the person on the other side of the screen, and we already talked about respecting the other side of the screen.