
arxiv: 2606.08667 · v1 · pith:YU4ESF3Unew · submitted 2026-06-07 · 💻 cs.CR

X-rated Compliance Theater: An Empirical Evaluation of European Age Verification Systems in Adult Websites

Pith reviewed 2026-06-27 17:55 UTC · model grok-4.3

classification 💻 cs.CR
keywords: age verification, adult websites, security assessment, privacy risks, European regulations, empirical evaluation, bypass attacks, regulatory compliance

The pith

Age verification systems on adult websites in Europe fail against low-cost attacks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper conducts an empirical security assessment of age verification mechanisms required on adult websites by European regulations. It maps the ecosystem, models adversaries, and tests deployments across four countries using methods like document checks and biometrics. The central finding is that these systems exhibit systemic weaknesses, allowing bypasses with simple attacks despite the privacy risks of collecting identity data. A reader would care because the regulatory push for age verification to protect minors introduces new security and privacy vulnerabilities without delivering robust protection. The authors also provide guidelines to address the exposed risks.

Core claim

Regulation-mandated age-verification mechanisms on adult websites show systemic weaknesses across mechanisms and integrations under realistic threat assumptions, failing against low-cost, widely accessible attacks, based on testing in four countries covering document-based verification, biometric age estimation, indirect signals, and website workflows.

What carries the argument

Empirical testing methodology that combines ecosystem mapping, adversary modeling, and hands-on evaluation of verification processes outsourced to third parties.

Load-bearing premise

The tested mechanisms, websites, and adversary models represent typical regulation-mandated deployments and practical real-world threats.

What would settle it

A test showing that the described low-cost attacks fail to bypass age verification on representative adult websites would falsify the claim of systemic weaknesses.

Figures

Figures reproduced from arXiv: 2606.08667 by Michele Carminati, Simone Lavermicocca, Stefano Longari.

Figure 1: Prevalence of age verification (AV) by traffic decile.
Figure 2: Overview of age estimation attacks methodology.
Figure 3: Overview of document upload attacks methodology.
Figure 4: Overview of indirect channels attacks methodology.
Figure 5: Overview of account attacks methodology.
Figure 6: Overview of cookie replay attacks methodology.
Figure 7: Overview of page tampering attacks methodology.
Figure 8: Overview of VPN attacks methodology. Virtual private networks (VPNs) are an effective one-step evasion strategy when age verification is enforced only by jurisdiction. By choosing an exit node in a country where the service does not mandate age verification or applies a less restrictive regime, users can often access the full service without completing any verification. Methodology. We access each of the 1…
Original abstract

Age verification is rapidly emerging as a central regulatory instrument for protecting minors online, with several jurisdictions mandating its deployment for access to adult and pornographic content. This regulatory direction raises significant privacy concerns, as it risks binding sensitive content access to identity-related attributes. It also introduces security risks, since age-verification mechanisms are often outsourced to third-party providers with limited transparency into the robustness of their verification processes. In this work, we conduct, to the best of our knowledge, the first exploratory security assessment of regulation-mandated age-verification mechanisms deployed by adult websites. Rather than treating age verification as a purely regulatory question, we empirically examine whether current deployments provide security guarantees commensurate with the privacy risks of relying on sensitive identity-related data. Our methodology combines ecosystem mapping, adversary modeling, and empirical testing across four countries, covering document-based verification, biometric age estimation, indirect signals, and website-workflow integration. Our results reveal systemic weaknesses across mechanisms and integrations under realistic threat assumptions, including failures against low-cost, widely accessible attacks. Finally, we derive concrete guidelines and design directions for mitigating the security and privacy risks exposed by current age-verification deployments.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper conducts an exploratory empirical security assessment of regulation-mandated age-verification mechanisms on adult websites across four European countries. It combines ecosystem mapping, adversary modeling, and testing of document-based, biometric, and indirect verification methods plus their website integrations. The central claim is that these deployments exhibit systemic weaknesses against low-cost, widely accessible attacks, with privacy and security risks that exceed the guarantees provided; the authors conclude with mitigation guidelines.

Significance. If the empirical results hold and the sampled mechanisms prove representative, the work would offer timely evidence on the practical limitations of age-verification systems introduced by recent regulations. The first-of-its-kind exploratory mapping of real deployments and the focus on integration-level failures are strengths that could inform both policy and engineering practice in privacy-sensitive domains.

major comments (2)
  1. [Abstract / Methodology] Abstract and Methodology: The headline claim of 'systemic weaknesses across mechanisms and integrations under realistic threat assumptions' requires that the four-country sample of document-based, biometric, and indirect mechanisms is representative of actual regulation-mandated deployments. No explicit sampling frame, coverage statistics against national regulator lists, or justification that the chosen low-cost adversary models match production threat surfaces is provided, which directly undermines the generalizability of the systemic conclusion.
  2. [Results] Results section: The abstract states that results 'reveal systemic weaknesses... including failures against low-cost, widely accessible attacks,' yet the provided description contains no quantitative data, attack success rates, or verification of specific test vectors. Without these details, it is not possible to assess whether the observed failures are load-bearing for the security claims or merely anecdotal.
minor comments (2)
  1. [Abstract] The abstract refers to 'four countries' without naming them or providing a table summarizing the mechanisms tested per jurisdiction; adding this would improve clarity.
  2. [Introduction / Methodology] Terminology such as 'indirect signals' and 'website-workflow integration' is introduced without a concise definition or reference to prior work on age-verification taxonomies.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on our exploratory empirical assessment. We address the major comments point-by-point below, clarifying the study's scope while committing to revisions that strengthen transparency without overstating representativeness.

  1. Referee: [Abstract / Methodology] Abstract and Methodology: The headline claim of 'systemic weaknesses across mechanisms and integrations under realistic threat assumptions' requires that the four-country sample of document-based, biometric, and indirect mechanisms is representative of actual regulation-mandated deployments. No explicit sampling frame, coverage statistics against national regulator lists, or justification that the chosen low-cost adversary models match production threat surfaces is provided, which directly undermines the generalizability of the systemic conclusion.

    Authors: We position the work explicitly as exploratory (see abstract: 'first exploratory security assessment'), not a statistically representative survey of all deployments. The four-country sample was chosen for diversity of mechanisms (document, biometric, indirect) and regulatory contexts where mandates are active; selection prioritized publicly accessible adult sites implementing the required flows. We agree that an explicit sampling frame and limitations discussion would improve clarity. In revision we will add a methodology subsection detailing selection criteria, data sources for ecosystem mapping, and explicit caveats on generalizability. The low-cost adversary models are justified in the paper as matching realistic, unsophisticated attackers (e.g., using consumer devices and publicly available forgery techniques) rather than nation-state capabilities.

    Revision: partial

  2. Referee: [Results] Results section: The abstract states that results 'reveal systemic weaknesses... including failures against low-cost, widely accessible attacks,' yet the provided description contains no quantitative data, attack success rates, or verification of specific test vectors. Without these details, it is not possible to assess whether the observed failures are load-bearing for the security claims or merely anecdotal.

    Authors: The full Results section contains per-mechanism test descriptions, specific attack vectors applied, and observed outcomes. However, the abstract summarizes at a high level without numbers. We will revise the abstract to include concise quantitative indicators (e.g., attack success rates across categories) drawn from the detailed results, making the claims more concrete while preserving the exploratory framing.

    Revision: yes

Circularity Check

0 steps flagged

No circularity: purely empirical evaluation with no derivations or self-referential logic


This is an empirical security assessment paper that performs ecosystem mapping, adversary modeling, and direct testing of deployed age-verification mechanisms across sampled websites. The abstract and methodology describe data collection and attack testing without any equations, fitted parameters, predictions derived from inputs, uniqueness theorems, or self-citations that bear the central claim. The strongest claim (systemic weaknesses under realistic threats) rests on the empirical results from the chosen sample and test vectors rather than reducing to a definitional or fitted tautology. No load-bearing step matches any of the enumerated circularity patterns.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Empirical security evaluation with no mathematical components, free parameters, or postulated entities.


Reference graph

Works this paper leans on

75 extracted references · 22 canonical work pages

  1. [1]

    Technical Report PIPEDA Report of Findings #2016- 005, Office of the Privacy Commissioner of Canada; Office of the Australian Information Commissioner,

    Joint investigation of ashley madison by the privacy com- missioner of canada and the australian privacy commis- sioner and acting australian information commissioner. Technical Report PIPEDA Report of Findings #2016- 005, Office of the Privacy Commissioner of Canada; Office of the Australian Information Commissioner,

  2. [2]

    URL: https: //web.archive.org/web/20251213025934/https: //www.priv.gc.ca/en/opc-actions-and-decis ions/investigations/investigations-into-b usinesses/2016/pipeda-2016-005/

    Accessed 11 December 2025. URL: https: //web.archive.org/web/20251213025934/https: //www.priv.gc.ca/en/opc-actions-and-decis ions/investigations/investigations-into-b usinesses/2016/pipeda-2016-005/

  3. [3]

    Decalogue of principles: Age verification and protec- tion of minors from inappropriate content

    Agencia Española de Protección de Datos (AEPD). Decalogue of principles: Age verification and protec- tion of minors from inappropriate content. Regulatory guidance / principles, December 2023. Accessed 2025- 12-12. URL: https://www.aepd.es/guides/decal ogue-principles-age-verification-minors-p rotection.pdf

  4. [5]

    Developers say the darnedest things: Privacy compliance processes fol- lowed by developers of child-directed apps.Proc

    Noura Alomar and Serge Egelman. Developers say the darnedest things: Privacy compliance processes fol- lowed by developers of child-directed apps.Proc. Priv. Enhancing Technol., 2022(4):250–273, 2022. URL: https://doi.org/10.56553/popets-2022-0108 , doi:10.56553/POPETS-2022-0108

  5. [6]

    Online age gating: An interdisciplinary evalua- tion

    Noah Apthorpe, Brett Frischmann, and Yan Shvartzsh- naider. Online age gating: An interdisciplinary evalua- tion. SSRN preprint, 2025. URL: https://papers.s 15 srn.com/sol3/papers.cfm?abstract_id=493732 8

  6. [7]

    Technical guidelines on age verification for the protection of persons under 18 from online pornog- raphy

    ARCOM. Technical guidelines on age verification for the protection of persons under 18 from online pornog- raphy. Regulatory technical reference (France), 2024. URL: https://www.arcom.fr/en/find-out-more/ legal-area/legal-resources/technical-guide lines-age-verification-protection-persons -under-18-online-pornography

  7. [8]

    Delibera n

    Autorità per le Garanzie nelle Comunicazioni. Delibera n. 96/25/CONS: Modalità tecniche e di processo per l’accertamento della maggiore età degli utenti, April

  8. [9]

    123/2023, converted by Legge n

    Regulatory instrument implementing Article 13- bis of Decreto-legge n. 123/2023, converted by Legge n. 159/2023. URL: https://www.agcom.it/compe tenze/consumatori/interventi-regolamentari -tutela-degli-utenti-finali-attuazione-del -nuovo/tutela-minori-age-verification

  9. [10]

    Technical reference framework on age verification for the protection of mi- nors against online pornography

    Autorité de régulation de la communication audiovi- suelle et numérique (ARCOM). Technical reference framework on age verification for the protection of mi- nors against online pornography. Regulatory techni- cal reference, 11 October 2024. Accessed 2025-12-12. URL: https://www.arcom.fr/se-documenter/es pace-juridique/textes-juridiques/referent iel-techni...

  10. [11]

    When PETs mis- behave: A contextual integrity analysis

    Ero Balsa and Yan Shvartzshnaider. When PETs mis- behave: A contextual integrity analysis. arXiv preprint,

  11. [12]

    URL: https://arxiv.org/abs/2312.02509 , arXiv:2312.02509

  12. [13]

    Age verification for online porn: more harm than good?Porn Studies, 6(2):228–237, 2019

    Pandora Blake. Age verification for online porn: more harm than good?Porn Studies, 6(2):228–237, 2019. doi:10.1080/23268743.2018.1555054

  13. [14]

    Technical report: Ageverif

    Paul Bouchaud. Technical report: Ageverif. Technical report, AI Forensics, October 2025. Accessed 11 De- cember 2025. URL: https://aiforensics.org/up loads/AgeVerif.pdf

  14. [15]

    Design and implementation of theidemixanonymous creden- tial system

    Jan Camenisch and Els Van Herreweghen. Design and implementation of theidemixanonymous creden- tial system. In Vijayalakshmi Atluri, editor,Proceed- ings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, Washington, DC, USA, November 18-22, 2002, pages 21–30. ACM, 2002. doi:10.1145/586110.586114

  15. [16]

    Impersonation- as-a-service: Characterizing the emerging criminal in- frastructure for user impersonation at scale

    Michele Campobasso and Luca Allodi. Impersonation- as-a-service: Characterizing the emerging criminal in- frastructure for user impersonation at scale. In Jay Lig- atti, Xinming Ou, Jonathan Katz, and Giovanni Vigna, editors,CCS ’20: 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, USA, November 9-13, 2020, pages 1665–168...

  16. [17]

    Video injection attacks on remote digital identity verification solution using face recognition

    Kévin Carta, Claude Barral, Nadia El Mrabet, and Sté- fane Mouille. Video injection attacks on remote digital identity verification solution using face recognition. In 13th International Multi-Conference on Complexity, In- formatics and Cybernetics, pages 92–97, 2022

  17. [18]

    How video injection attacks can even challenge state-of-the-art face presentation attack detection systems

    Kévin Carta, A Huynh, S Mouille, N El Mrabet, C Bar- ral, and S Brangoulo. How video injection attacks can even challenge state-of-the-art face presentation attack detection systems. InProceedings IMCIC-International Multi-Conference on Complexity, Informatics and Cy- bernetics, pages 105–112, 2023

  18. [19]

    Algebraic macs and keyed-verification anonymous cre- dentials

    Melissa Chase, Sarah Meiklejohn, and Greg Zaverucha. Algebraic macs and keyed-verification anonymous cre- dentials. In Gail-Joon Ahn, Moti Yung, and Ninghui Li, editors,Proceedings of the 2014 ACM SIGSAC Confer- ence on Computer and Communications Security, Scotts- dale, AZ, USA, November 3-7, 2014, pages 1205–1216. ACM, 2014.doi:10.1145/2660267.2660328

  19. [20]

    Limitations and pitfalls of integrating PETs in online age verification

    Sylavin Chatel, Christian Knabenhans, Wouter Lueks, Mathilde Raynal, Carmela Troncoso, and Adám Vécsi. Limitations and pitfalls of integrating PETs in online age verification. IAB/W3C Workshop on Age-Based Restrictions on Content and Services (agews), IETF,

  20. [21]

    URL: https://www.ietf.org/slides/slid es-agews-limitations-and-pitfalls-of-integ rating-pets-in-online-age-verification-00. pdf

  21. [22]

    A VS-Raster

    Commission for the Protection of Minors in the Me- dia (KJM). “A VS-Raster” (Age Verification Systems Benchmark Criteria), valid since 12.05.2022 (English). Regulatory criteria / benchmark, 2022. Accessed 2025- 12-12. URL: https://www.kjm-online.de/filea dmin/user_upload/KJM/Themen/Technischer_Ju gendmedienschutz/AVS-Raster_gueltig_seit_1 2.05.2022-ENG.pdf

  22. [23]

    Why parents help their children lie to facebook about age: Unintended consequences of the ’children’s online privacy protection act’.First Monday, 16(11),

    danah boyd, Eszter Hargittai, Jason Schultz, and John Palfrey. Why parents help their children lie to facebook about age: Unintended consequences of the ’children’s online privacy protection act’.First Monday, 16(11),

  23. [24]

    URL: https://doi.org/10.5210/fm.v16i1 1.3850,doi:10.5210/FM.V16I11.3850

  24. [25]

    Privacy pass: By- passing internet challenges anonymously.Proc

    Alex Davidson, Ian Goldberg, Nick Sullivan, George Tankersley, and Filippo Valsorda. Privacy pass: By- passing internet challenges anonymously.Proc. Priv. Enhancing Technol., 2018(3):164–180, 2018. URL: 16 https://doi.org/10.1515/popets-2018-0026 , doi:10.1515/POPETS-2018-0026

  25. [27]

    Deepfacelive

    DeepfakeVFX.com. Deepfacelive. https://www.de epfakevfx.com/downloads/deepfacelive/ , 2025. Accessed: 2025-12-05

  26. [28]

    Hack of age verification company shows privacy danger of social media laws, June 2024

    Electronic Frontier Foundation. Hack of age verification company shows privacy danger of social media laws, June 2024. Accessed 11 December 2025. URL: https: //web.archive.org/web/20251230134049/https: //www.eff.org/deeplinks/2024/06/hack-age-v erification-company-shows-privacy-danger-s ocial-media-laws

  27. [29]

    The digital loophole: Evaluating the effective- ness of child age verification methods on social me- dia

    Fatmaelzahraa Eltaher, Rahul Krishna Gajula, Luis Miralles-Pechuán, Christina Thorpe, and Susan McK- eever. The digital loophole: Evaluating the effective- ness of child age verification methods on social me- dia. In Roberto Di Pietro, Karen Renaud, and Paolo Mori, editors,Proceedings of the 11th International Conference on Information Systems Security an...

  28. [30]

    Research report: Mapping age assurance typologies and requirements

    European Commission. Research report: Mapping age assurance typologies and requirements. Technical re- port, Publications Office of the European Union, 2024. English research report surveying typologies and regu- latory requirements.doi:10.2759/455338

  29. [31]

    Guidelines on measures to en- sure a high level of privacy, safety and security for mi- nors online pursuant to Article 28(4) of Regulation (EU) 2022/2065

    European Commission. Guidelines on measures to en- sure a high level of privacy, safety and security for mi- nors online pursuant to Article 28(4) of Regulation (EU) 2022/2065. Commission communication / decision,

  30. [32]

    URL: https://eur-lex.europa.eu/legal-content/EN/ TXT/PDF/?uri=OJ%3AC_202505519

    C(2025) 4764 final, Brussels, 14 July 2025. URL: https://eur-lex.europa.eu/legal-content/EN/ TXT/PDF/?uri=OJ%3AC_202505519

  31. [33]

    Statement 1/2025 on age assurance

    European Data Protection Board. Statement 1/2025 on age assurance. EDPB Statement, 2025. URL: https: //www.edpb.europa.eu/our-work-tools/our-d ocuments/statements/statement-12025-age-a ssurance_en

  32. [34]

    Online age verification and children’s rights

    European Digital Rights (EDRi). Online age verification and children’s rights. Technical report, EDRi, October

  33. [35]

    Position paper, published in Brussels, 4 October

  34. [36]

    URL: https://web.archive.org/web/2026 0114050620/https://edri.org/wp-content/upl oads/2023/10/Online-age-verification-and-c hildrens-rights-EDRi-position-paper.pdf

  35. [37]

    European Parliament and Council of the European Union. Directive (EU) 2018/1808 of the European Parliament and of the Council of 14 November 2018 amending Directive 2010/13/EU on the coordination of certain provisions laid down by law, regulation or administrative action in Member States concerning the provision of audiovisual media services (Audiovisual ...

  36. [38]

    European Parliament and Council of the European Union. Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Direc- tive 2000/31/EC (Digital Services Act). Official Journal of the European Union, October 2022. Available via EUR-Lex. URL: https://eur-lex.europa.eu/eli...

  37. [39]

    Regulation (eu) 2024/1183 amending regulation (eu) no 910/2014 as regards establishing the european digital identity framework

    European Union. Regulation (eu) 2024/1183 amending regulation (eu) no 910/2014 as regards establishing the european digital identity framework. Official Journal of the European Union, 2024. URL: https://eur-lex .europa.eu/eli/reg/2024/1183/oj

  38. [40]

    zk- cookies: Continuous anonymous authentication for the web, 2025

    Alexander Frolov, Hal Triedman, and Ian Miers. zk- cookies: Continuous anonymous authentication for the web, 2025. URL: https://eprint.iacr.org/2025 /1938

  39. [41]

    Garcia and Ricardo L

    Diogo C. Garcia and Ricardo L. de Queiroz. Face- spoofing 2d-detection based on moiré-pattern analysis. IEEE Trans. Inf. Forensics Secur., 10(4):778–786, 2015. doi:10.1109/TIFS.2015.2411394

  40. [42]

    De- centralized anonymous credentials

    Christina Garman, Matthew Green, and Ian Miers. De- centralized anonymous credentials. InProceedings of the Network and Distributed System Security Sympo- sium (NDSS), 2014

  41. [43]

    Segregate-and-Suppress

    Eric Goldman. The “Segregate-and-Suppress” Ap- proach to Regulating Child Safety Online.Stanford Technology Law Review, 28:173, April 2025. Santa Clara Univ. Legal Studies Research Paper No. 5208739. URL: https://ssrn.com/abstract=5208739 , doi:10.2139/ssrn.5208739. 17

  42. [44]

    Hack brief: 412 million accounts exposed in friendfinder network breach, November 2016

    Andy Greenberg. Hack brief: 412 million accounts exposed in friendfinder network breach, November 2016. Accessed 11 December 2025. URL: https://web.ar chive.org/web/20251001092436/https://www.wi red.com/2016/11/hack-brief-412m-accounts-b reached-friendfinder-sex-sites/

  43. [45]

    Online age verifica- tion: government legislation, supplier responsibilization, and public perceptions.Children, 11(9):1068, 2024

    Chelsea Jarvie and Karen Renaud. Online age verifica- tion: government legislation, supplier responsibilization, and public perceptions.Children, 11(9):1068, 2024. doi:10.3390/children11091068

  44. [46]

    Digital child protection in social networks: age verification and age-tiered regulation in europe

    Franziska Köhler-Dauner, Lena Peter, Emily Sitarski, Katrin Chauviré-Geib, Ann-Christin Haag, and Jörg M Fegert. Digital child protection in social networks: age verification and age-tiered regulation in europe. Child and Adolescent Psychiatry and Mental Health, 19(1):143, 2025

  45. [47]

    Kfoury, Jorge Crichigno, and Elias Bou-Harb

    Hareesh Mandalapu, Aravinda Reddy P. N., Raghaven- dra Ramachandra, Krothapalli Sreenivasa Rao, Pabitra Mitra, S. R. Mahadeva Prasanna, and Christoph Busch. Audio-visual biometric recognition and presentation at- tack detection: A comprehensive survey.IEEE Access, 9:37431–37455, 2021. doi:10.1109/ACCESS.2021. 3063031

  46. [48]

    Tracking sex: The implications of widespread sexual data leakage and tracking on porn websites.New Media Soc., 22(11), 2020

    Elena Maris, Timothy Libert, and Jennifer Henrichsen. Tracking sex: The implications of widespread sexual data leakage and tracking on porn websites.New Media Soc., 22(11), 2020. doi:10.1177/14614448209246 32

  47. [49]

    Data protection and it security issues with age verification app “yoti”, June 2025

    Mint Secure GmbH. Data protection and it security issues with age verification app “yoti”, June 2025. Ac- cessed 11 December 2025. URL: https://mint-sec ure.de/dataprotection-it-security-risks-w ith-ageverificationapp-yoti/

  48. [50]

    Digi- tal identity guidelines

    National Institute of Standards and Technology. Digi- tal identity guidelines. Technical Report Special Pub- lication SP 800-63-4, NIST, 2025. URL: https: //nvlpubs.nist.gov/nistpubs/SpecialPubli cations/NIST.SP.800-63-4.pdf

  49. [51]

    The legal and policy landscape of age assurance online for child safety and well-being

    OECD. The legal and policy landscape of age assurance online for child safety and well-being. Technical paper, OECD Publishing, June 2025. URL: https://web.ar chive.org/web/20260101103457/https://www.oe cd.org/en/publications/the-legal-and-polic y-landscape-of-age-assurance-online-for-c hild-safety-and-well-being_4a1878aa-en.ht ml,doi:10.1787/4a1878aa-en

  50. [52]

    Adult users’ attitudes to age verification on adult sites

    Ofcom. Adult users’ attitudes to age verification on adult sites. Technical report, Ofcom (UK Commu- nications Regulator), October 2022. URL: https: //web.archive.org/web/20260109060342/https: //www.ofcom.org.uk/siteassets/resources/do cuments/research-and-data/online-research/ vsp/attitudes-to-age-verification/2022-adu lt-attitudes-to-age-verification-ad...

  51. [53]

    Guidance on highly effective age assurance and other part 5 duties

    Ofcom. Guidance on highly effective age assurance and other part 5 duties. Regulatory guidance, 2025. Accessed 2025-12-12. URL: https://web.archive. org/web/20251202114005/https://www.ofcom.or g.uk/siteassets/resources/documents/consul tations/category-1-10-weeks/statement-age -assurance-and-childrens-access/guidance-o n-highly-effective-age-assurance-and...

  52. [54]

    U-prove crypto- graphic specification v1

    Christian Paquin and Greg Zaverucha. U-prove crypto- graphic specification v1. 1. Technical report, Microsoft Corporation, 2011. URL: https://www.microsoft. com/en-us/research/wp-content/uploads/2016/ 02/U-Prove20Cryptographic20Specification20 V1.1.pdf

  53. [55]

    Digital age of consent and age verification: Can they protect children?IEEE Softw., 39(3):50–57, 2022

    Liliana Pasquale, Paola Zippo, Cliona Curley, Brian O’Neill, and Marina Mongiello. Digital age of consent and age verification: Can they protect children?IEEE Softw., 39(3):50–57, 2022. doi:10.1109/MS.2020.30 44872

  54. [56]

    Biometric bound cre- dentials for age verification, 2025

    Norman Poh and Daryl Burns. Biometric bound cre- dentials for age verification, 2025. URL: https: //doi.org/10.48550/arXiv.2509.07465 , arXiv: 2509.07465,doi:10.48550/ARXIV.2509.07465

  55. [57]

    Women-only US dating advice app tea suspends messaging following breaches, July 2025

    Raphael Satter. Women-only US dating advice app tea suspends messaging following breaches, July 2025. Updated July 29, 2025. URL: https://www.reuters. com/sustainability/boards-policy-regulatio n/women-only-us-dating-advice-app-tea-sus pends-messaging-following-breaches-2025-0 7-29/

  56. [58]

    Exploring Privacy in ID-Based Age Verification Architectures

    Sarah Scheffler and Shuang Liu. Exploring Privacy in ID-Based Age Verification Architectures. IAB/W3C Workshop on Age-Based Restrictions on Content Ac- cess (agews), August 2025. Version 00. URL: https: //datatracker.ietf.org/doc/slides-agews-p aper-exploring-privacy-in-id-based-age-ver ification-architectures/

  57. [59]

    Joint Statement of Security and Privacy Scientists and Re- searchers on Age Assurance

    Security and Privacy Scientists and Researchers. Joint Statement of Security and Privacy Scientists and Re- searchers on Age Assurance. https://csa-scienti st-open-letter.org/ageverif-Feb2026 , March

  58. [60]

    Accessed May 21, 2026

    Open letter; signatures closed March 9, 2026, 18 with 438 signatories from 32 countries. Accessed May 21, 2026

  59. [61]

    A survey on face presentation attack detection mechanisms: hitherto and future perspectives.Multim

    Deepika Sharma and Arvind Selwal. A survey on face presentation attack detection mechanisms: hitherto and future perspectives.Multim. Syst., 29(3):1527–1577,

  60. [62]

    URL: https://doi.org/10.1007/s00530-0 23-01070-5,doi:10.1007/S00530-023-01070-5

  61. [63]

    Exploring the CAM4 data breach: Security vulnerabili- ties and response strategies

    Jacob Sorn, Patrick Carroll, Zachary Pang, Suman Bhu- nia, Mohammad Salman, and Paulo Alexandre Regis. Exploring the CAM4 data breach: Security vulnerabili- ties and response strategies. In24th IEEE International Symposium on Cluster, Cloud and Internet Computing, CCGrid 2024 - Workshops, Philadelphia, PA, USA, May 6-9, 2024, pages 174–179. IEEE, 2024. UR...

  62. [64]

    Mandatory age verification for pornography access: Why it can’t and won’t ’save the children’

    Zahra Stardust, Abdul Karim Obeid, Alan McKee, and Daniel Angus. Mandatory age verification for pornography access: Why it can’t and won’t ’save the children’. Big Data Soc., 11(2), 2024. doi:10.1177/20539517241252129

  63. [65]

    Face flashing: a secure liveness detection protocol based on light reflections, 2018

    Di Tang, Zhe Zhou, Yinqian Zhang, and Kehuan Zhang. Face flashing: a secure liveness detection protocol based on light reflections, 2018. URL: https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2018_03B-5_Tang_paper-updated.pdf

  64. [66]

    Reddit and Discord’s UK age verification can be defeated by Death Stranding’s photo mode, 2025

    The Verge. Reddit and Discord’s UK age verification can be defeated by Death Stranding’s photo mode, 2025. URL: https://www.theverge.com/report/714402/uk-age-verification-bypass-death-stranding-reddit-discord

  65. [67]

    Misinformation, fraud, and stereotyping: Towards a typology of harm caused by deepfakes

    Paulina Trifonova and Sukrit Venkatagiri. Misinformation, fraud, and stereotyping: Towards a typology of harm caused by deepfakes. In Rosta Farzan, Claudia López, Daniel Cardoso Llach, Daniele Quercia, Maryam Mustafa, Shuo Niu, and Marisol Wong-Villacrés, editors, Companion Publication of the 2024 Conference on Computer-Supported Cooperative Work and S...

  66. [68]

    Praktischer Angriff auf Video-Ident: Demonstration inhärenter Schwächen der videobasierten Echtheitsprüfung physischer ID-Dokumente

    Martin Tschirsich. Praktischer Angriff auf Video-Ident: Demonstration inhärenter Schwächen der videobasierten Echtheitsprüfung physischer ID-Dokumente. Technical report, Chaos Computer Club, August 2022. Version 1.2. URL: https://web.archive.org/web/20251222204421/https://www.ccc.de/system/uploads/329/original/Angriff_auf_Video-Ident_v1.2.pdf

  67. [69]

    Keeping children safe online: changes to the Online Safety Act explained, 2025

    UK Government. Keeping children safe online: changes to the Online Safety Act explained, 2025. URL: https://www.gov.uk/government/news/keeping-children-safe-online-changes-to-the-online-safety-act-explained

  68. [70]

    Tech savvy teens bypass online safety barriers, hand over sensitive information, 4 March

    UNICEF Australia. Tech savvy teens bypass online safety barriers, hand over sensitive information, 4 March

  69. [71]

    URL: www.unicef.org.au/media-release/tech-savvy-teens-bypass-online-safety-barriers-hand-over-sensitive-information

    Media release. URL: www.unicef.org.au/media-release/tech-savvy-teens-bypass-online-safety-barriers-hand-over-sensitive-information

  70. [72]

    Online Safety Act 2023

    United Kingdom. Online Safety Act 2023. UK Public General Act 2023 c. 50, 2023. Royal Assent: 26 Oct

  71. [73]

    URL: https://www.legislation.gov.uk/ukpga/2023/50

  72. [74]

    Australian teen voices on age verification and age assurance measures. Policy & Internet, 17(4):e70019, 2025

    Giselle Woodley, Harrison W See, Brian O’Neill, Lelia Green, Elisabeth Staksrud, and Paul Haskell-Dowland. Australian teen voices on age verification and age assurance measures. Policy & Internet, 17(4):e70019, 2025

  73. [75]

    Easy as child’s play: An empirical study on age verification of adult-oriented android apps

    Yifan Yao, Shawn McCollum, Zhibo Sun, and Yue Zhang. Easy as child’s play: An empirical study on age verification of adult-oriented android apps. In Lujo Bauer and Giancarlo Pellegrino, editors, 34th USENIX Security Symposium, USENIX Security 2025, Seattle, WA, USA, August 13-15, 2025, pages 21–39. USENIX Association, 2025. URL: https://www.usenix.org/con...

  74. [76]

    ’i make up a silly name’: Understanding children’s perception of privacy risks online

    Jun Zhao, Ge Wang, Carys Dally, Petr Slovák, Julian Edbrooke-Childs, Max Van Kleek, and Nigel Shadbolt. ’i make up a silly name’: Understanding children’s perception of privacy risks online. In Stephen A. Brewster, Geraldine Fitzpatrick, Anna L. Cox, and Vassilis Kostakos, editors, Proceedings of the 2019 CHI Conference on Human Factors in Computing ...

  75. [77]

    do not do

    ACM, 2019. doi:10.1145/3290605.3300336.

    Ethical Considerations

    This paper adopts an offensive security perspective to evaluate deployed age-verification systems on adult websites. Because these systems aim to protect minors while processing highly sensitive personal data, we conducted the study using a stakeholder-based ethics analysis aligned with the...