
arxiv: 2605.05513 · v1 · submitted 2026-05-06 · 💻 cs.CR · cs.CY

Age Verification in the Web -- Holy Grail to Control Access to Restricted Content

Pith reviewed 2026-05-08 15:59 UTC · model grok-4.3

classification 💻 cs.CR cs.CY
keywords: age verification, privacy preserving, Privacy Pass, Privacy Access Tokens, web security, cryptography, minors protection, digital services

The pith

Age verification can use open cryptographic standards like Privacy Pass to protect minors without compromising privacy or requiring apps.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines existing age verification approaches in the UK, Australia, and proposed EU solutions, highlighting their privacy and security shortcomings. It proposes an alternative based on Privacy Pass and Privacy Access Tokens that lets users obtain age proofs from chosen providers and present them to websites using cryptography. This method avoids installing special software and keeps personal data from being shared broadly. A sympathetic reader would care because it offers a way to enforce age restrictions on harmful content while respecting user privacy and reducing reliance on government or single-provider systems.

Core claim

By adapting Privacy Pass and Privacy Access Tokens, the authors establish a system where users can acquire anonymous age verification tokens from trusted issuers and redeem them at content sites without revealing identity or age details, thereby enabling privacy-conscious access control for restricted material.

What carries the argument

Privacy Pass and Privacy Access Tokens adapted with cryptographic techniques to issue and verify age attestations without specialized software.

If this is right

  • Enables selection of multiple trusted providers, lowering data breach risks.
  • Supports flexible assurance levels for different types of restricted content.
  • Achieves compliance with regulations like the Digital Services Act without centralized sensitive data storage.
  • Allows verification directly in browsers without additional installations.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Integration with browser APIs could make verification seamless for everyday web use.
  • The approach might extend to verifying other attributes, such as location or identity, in a privacy-preserving manner.
  • Widespread use could shift policy towards supporting decentralized verification standards over proprietary apps.

Load-bearing premise

Existing Privacy Pass and Privacy Access Token standards can be directly adapted for reliable age verification without introducing new security flaws or depending on unavailable trusted providers.

What would settle it

A successful attack where a minor forges an adult age token or where the verification process leaks user age or identity information to the content provider.

Figures

Figures reproduced from arXiv: 2605.05513 by Lucjan Hanzlik, Maksymilian Gorski, Wojciech Wodo.

Figure 1: UE Age Verification App - Journey of a Proof of Age Attestation User [8]. Paper text around the figure: On July 14, 2025, the Commission released an age verification blueprint allowing users to confirm they are over 18, without sharing their personal data. This privacy-focused and user-friendly solution is fully compatible with future EU Digital Identity Wallets and adaptable for other age thresholds, such as 13+. A second blueprint, p…

Figure 2: Privacy Pass Development Timeline by Cloudflare [19]. Paper text around the figure: Building on Cloudflare's implementation of Privacy Pass, Apple designed and deployed its own version of anonymous tokens, called the Private Access Tokens (PATs). PATs work in tandem with the device's secure enclave, enabling attestation that users are not machines while binding the credential to the device. In 2022, Apple devices began offering Priva…

Figure 3: Privacy Pass Token Lifecycle by Cloudflare [19]. Paper text around the figure: 3.1 Sketch of our Proposal. Our proposal incorporates the use of established, standardized technology, i.e., the Privacy Pass [5] architecture for the issuance and redemption of age verification attributes in the form of anonymous tokens. In the age verification scenario, tokens can be issued to the user who, instead of solving a CAPTCHA challenge, completes …

Figure 4: Proposed Anonymous Age Verification Token Issuance Flow Diagram. Paper text around the figure: …does not learn the message during the signing protocol) and unforgeability (i.e., a malicious client cannot generate a valid signature without interacting with the issuer). From the blindness property follows the unlinkability of the tokens, meaning that the issuer is unable to match a signing transaction to an honestly signed token when pres…
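The figure captions above describe the three properties the proposal leans on: blindness (the issuer signs without seeing the message), unforgeability (no valid token without an issuance) and, following from blindness, unlinkability of issuance and redemption. The toy model below is an added example written for this page; it is not code from the paper, from Cloudflare or from any Privacy Pass implementation. It uses textbook RSA blind signatures in the shape of RFC 9474 [6] without the PSS padding, a constructed key from two Mersenne primes, a placeholder flag in place of the real age check, and the convention that one issuer key stands for one claim ("18+"). The site side also keeps the spent-token set that stops the cross-request replay the referee report mentions. Names such as Issuer, Client, Origin and hash_to_int are this example's own.

```python
import hashlib
import secrets
from math import gcd


def hash_to_int(token_id, n):
    """Full-domain-hash stand-in (no PSS padding): map the token id into Z_n."""
    return int.from_bytes(hashlib.sha256(b"age-token-v0:" + token_id).digest(), "big") % n


class Issuer:
    """Age-verification provider. One signing key per claim ("18+" here): the key
    that verifies a token carries the attestation; the token holds no user data."""

    def __init__(self, name, claim):
        self.name, self.claim, self.e = name, claim, 65537
        # Constructed toy key from the Mersenne primes 2^107-1 and 2^127-1 (about a
        # 234-bit modulus): enough to show the arithmetic, far too small for real use.
        p, q = (1 << 107) - 1, (1 << 127) - 1
        self.n = p * q
        self._d = pow(self.e, -1, (p - 1) * (q - 1))
        self.seen_blinded = []          # everything the issuer ever observes

    def issue(self, blinded, age_check_passed):
        # The age check (e.g. an accredited identity proof) stands where the CAPTCHA
        # sits in classic Privacy Pass; modelled as a flag here (assumption).
        if not age_check_passed:
            raise PermissionError("age check failed; no token issued")
        self.seen_blinded.append(blinded)
        return pow(blinded, self._d, self.n)   # blindness: signs without seeing the message


class Client:
    """Browser side: blinds a fresh random token id, later unblinds the signature."""

    def __init__(self, n, e):
        self.n, self.e = n, e

    def blind(self, token_id):
        while True:                     # random blinding factor r, invertible mod n
            r = secrets.randbelow(self.n - 2) + 2
            if gcd(r, self.n) == 1:
                break
        return (hash_to_int(token_id, self.n) * pow(r, self.e, self.n)) % self.n, r

    def unblind(self, blinded_sig, r):
        return (blinded_sig * pow(r, -1, self.n)) % self.n


def verify(n, e, token_id, sig):
    return pow(sig, e, n) == hash_to_int(token_id, n)


class Origin:
    """Content site: trusts several issuers' keys, checks the claim the page needs,
    and rejects a token it has already accepted (replay)."""

    def __init__(self, trusted):
        self.trusted = trusted          # issuer name -> (n, e, claim)
        self.redeemed = set()

    def redeem(self, issuer_name, token_id, sig, need):
        if issuer_name not in self.trusted:
            return False
        n, e, claim = self.trusted[issuer_name]
        if claim != need or not verify(n, e, token_id, sig):
            return False                # unforgeability: wrong key, claim or id fails
        if (issuer_name, token_id) in self.redeemed:
            return False                # replay of an already-spent token
        self.redeemed.add((issuer_name, token_id))
        return True


def demo():
    """One issuance and the redemption checks; every value should be True."""
    issuer = Issuer("provider-A", "18+")
    site = Origin({"provider-A": (issuer.n, issuer.e, "18+")})
    client = Client(issuer.n, issuer.e)
    token_id = secrets.token_bytes(32)
    blinded, r = client.blind(token_id)
    sig = client.unblind(issuer.issue(blinded, age_check_passed=True), r)
    try:
        issuer.issue(blinded, age_check_passed=False)
        denied = False
    except PermissionError:
        denied = True
    return {
        "wrong_claim_rejected": not site.redeem("provider-A", token_id, sig, "13+"),
        "forgery_rejected": not site.redeem("provider-A", secrets.token_bytes(32), sig, "18+"),
        "first_redeem": site.redeem("provider-A", token_id, sig, "18+"),
        "replay_rejected": not site.redeem("provider-A", token_id, sig, "18+"),
        "minor_denied": denied,
        # unlinkability: nothing the issuer logged matches what the site received
        "issuer_cannot_link": sig not in issuer.seen_blinded
        and hash_to_int(token_id, issuer.n) not in issuer.seen_blinded,
    }
```

Running `demo()` returns a dictionary in which every entry is True. The design point worth noticing is that the token carries no age value at all: the origin learns "over 18" only from which issuer key verifies the signature, which is why the issuer needs a separate key per assurance level and why the origin's trust list, not the token, is where policy lives.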
Original abstract

Age verification before accessing restricted content is critical to protecting minors from exposure to harmful material such as pornography, gambling, violence, hateful speech, and substance purchases like alcohol and tobacco. Currently, the absence of reliable age-checking mechanisms allows children extensive access to such adult content, posing significant risks to their worldview and mental development. While regulatory efforts like the European Union's Digital Services Act promote using Digital Wallets or Age Verification Apps, relying solely on government-based solutions raises concerns about data sensitivity and privacy risks. Effective age verification must therefore be trustworthy, user-friendly, privacy-preserving, and offer flexible assurance levels. We analyze currently implemented (UK or Australia) and proposed (UE) solutions from different angles, pointing out the weaknesses and threats, and come up with an alternative. Our proposal addresses these challenges by leveraging open standards - such as Privacy Pass and Privacy Access Tokens - and cryptographic techniques to enable secure, privacy-conscious age verification without requiring specialized software installation. This approach empowers users to select trusted providers from multiple options, reducing the risk of data breaches and ensuring a safer digital environment for minors.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper analyzes weaknesses in implemented (UK, Australia) and proposed (EU) age verification mechanisms for restricting access to adult content, then sketches an alternative that combines open standards such as Privacy Pass and Privacy Access Tokens with cryptographic techniques. The central claim is that this approach delivers trustworthy, privacy-preserving age verification without client software installation, lets users select among multiple trusted providers, and thereby reduces data-breach risks while protecting minors.

Significance. If a concrete, provably secure instantiation of the sketched protocol were supplied and shown to avoid new linkage or forgery attacks while relying only on already-deployed or realistically deployable issuers, the work would offer a credible privacy-centric alternative to government-mandated digital-wallet schemes and could inform ongoing regulatory discussions under the DSA and similar frameworks.

major comments (2)
  1. [Proposed approach (following analysis of existing solutions)] The manuscript supplies only a high-level sketch of the proposed adaptation of Privacy Pass and Privacy Access Tokens; no concrete protocol, attribute-binding mechanism, threat model, or security reduction is given. This omission is load-bearing for the claim that the approach “enables secure, privacy-conscious age verification” without introducing new attack surfaces (e.g., issuer collusion, token replay across sites, or age forgery).
  2. [Abstract and proposal description] The assumption that existing Privacy Pass / Privacy Access Token issuers can be directly reused or extended for reliable age-attribute issuance is stated without supporting availability, trust, or deployment arguments. The central claim therefore rests on an unexamined premise that such trusted parties already exist or can be created without new security or operational obstacles.
minor comments (2)
  1. [Abstract] The abstract and introduction repeatedly use the acronym “UE” for the European Union; the conventional abbreviation “EU” should be adopted for consistency.
  2. [Introduction and proposal] No references are supplied for the specific regulatory texts (Digital Services Act) or for the Privacy Pass and Privacy Access Token RFCs that the proposal relies upon; adding these citations would improve traceability.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the thoughtful and detailed review. The comments correctly identify that our proposal remains at a high level and that certain deployment assumptions require further justification. We address each major comment below and outline the changes we will make in revision.

Point-by-point responses
  1. Referee: The manuscript supplies only a high-level sketch of the proposed adaptation of Privacy Pass and Privacy Access Tokens; no concrete protocol, attribute-binding mechanism, threat model, or security reduction is given. This omission is load-bearing for the claim that the approach “enables secure, privacy-conscious age verification” without introducing new attack surfaces (e.g., issuer collusion, token replay across sites, or age forgery).

    Authors: We agree that the current manuscript presents the adaptation only as a high-level sketch. Our primary contribution is the analysis of existing regulatory and deployed systems together with the identification of an open-standard direction that avoids new client software. In the revised version we will add a dedicated protocol section that specifies the message flows, attribute binding via blinded tokens extended with age-range commitments, a concise threat model covering issuer collusion, replay, and forgery, and informal security arguments with references to the existing Privacy Pass security analysis. A full formal reduction lies outside the scope of this work and would constitute a separate paper; we will therefore mark the addition as a partial revision that strengthens the presentation without claiming a complete proof.
    Revision: partial

  2. Referee: The assumption that existing Privacy Pass / Privacy Access Token issuers can be directly reused or extended for reliable age-attribute issuance is stated without supporting availability, trust, or deployment arguments. The central claim therefore rests on an unexamined premise that such trusted parties already exist or can be created without new security or operational obstacles.

    Authors: The manuscript relies on the fact that Privacy Pass is an IETF-standardized, already-deployed protocol with multiple public issuers. We will insert a new subsection that (i) lists currently operating issuers and their trust models, (ii) explains how an age-range attribute can be issued by the same or additional trusted entities (e.g., accredited age-verification services) without altering the core token issuance interface, and (iii) discusses operational considerations such as issuer diversity to mitigate single-point risks. While we maintain that no fundamentally new cryptographic or trust obstacles are introduced beyond those already present in Privacy Pass deployments, we acknowledge that concrete availability and governance details were insufficiently elaborated and will supply the requested supporting arguments.
    Revision: yes

Circularity Check

0 steps flagged

No circularity; proposal rests on external open standards

Full rationale

The manuscript analyzes existing age-verification schemes, identifies weaknesses, and proposes an alternative that directly invokes the already-published Privacy Pass and Privacy Access Token standards plus generic cryptographic techniques. No equations, fitted parameters, or self-citations are used to derive the claimed security or privacy properties; the central claim is therefore an assertion about the applicability of independent, externally defined primitives rather than a reduction to the paper's own inputs. No load-bearing step reduces by construction to a prior result authored by the same team.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The proposal rests on the security and adaptability of pre-existing open standards rather than new fitted parameters or invented entities.

axioms (1)
  • (domain assumption) Cryptographic primitives underlying Privacy Pass and Privacy Access Tokens remain secure when extended to age verification.
    Invoked in the proposal description without additional proof or analysis in the abstract.

pith-pipeline@v0.9.0 · 5492 in / 1108 out tokens · 34159 ms · 2026-05-08T15:59:24.296628+00:00 · methodology


Reference graph

Works this paper leans on

19 extracted references · 19 canonical work pages

  1. [1] Baum, C., Blazy, O., Camenisch, J., Hoepman, J.-H., Lee, E., Lehmann, A., Lysyanskaya, A., Mayrhofer, R., Montgomery, H., Nguyen, N. K., Preneel, B., shelat, a., Slamanig, D., Tessaro, S., Thomsen, S. E., Troncoso, C.: Cryptographers' feedback on the EU Digital Identity's ARF. European Digital Identity Wallet G...

  2. [2] British Board of Film Classification (BBFC): BBFC Research Report Commissioned by the DCMS: Further Research on Traffic to and Functionality of Adult Sites. Tech. rep. (2021), https://assets.publishing.service.gov.uk/media/63972f878fa8f55303f6e2b6/Further_Research_on_Traffic_to_and_Functionality_of_Adult_Sites.pdf

  3. [3] Celi, S., Davidson, A., Valdez, S., Wood, C. A.: Privacy Pass Issuance Protocols. RFC 9578, RFC Editor (Jun 2024). https://doi.org/10.17487/RFC9578, https://www.rfc-editor.org/info/rfc9578

  4. [4] Davidson, A., Iyengar, J., Wood, C. A.: The Privacy Pass Architecture. RFC 9576, RFC Editor (Jun 2024). https://doi.org/10.17487/RFC9576, https://www.rfc-editor.org/info/rfc9576

  5. [5] Davidson, A., Goldberg, I., Sullivan, N., Tankersley, G., Valsorda, F.: Privacy Pass: Bypassing Internet Challenges Anonymously. Proceedings on Privacy Enhancing Technologies 2018(3), 164–180 (Jun 2018). https://doi.org/10.1515/popets-2018-0026, https://petsymposium.org/popets/2018/popets-2018-0026.php

  6. [6] Denis, F., Jacobs, F., Wood, C. A.: RSA Blind Signatures. RFC 9474, RFC Editor (Oct 2023). https://doi.org/10.17487/rfc9474, https://www.rfc-editor.org/info/rfc9474

  7. [7] ETSI TS 119 461: Electronic Signatures and Trust Infrastructures (ESI); policy and security requirements for trust service components providing identity proofing of trust service subjects (Feb 2025), https://www.etsi.org/deliver/etsi_ts/119400_119499/119461/02.01.01_60/ts_119461v020101p.pdf

  8. [8] European Commission: European Age Verification Solution Specification. Technical specifications (2025), https://ageverification.dev/av-doc-technical-specification/docs/architecture-and-technical-specifications/

  9. [9] European Parliament and Council of the European Union: Regulation (EU) 2024/1183, EUR-Lex (2024), https://eur-lex.europa.eu/eli/reg/2024/1183/oj/eng

  10. [10] Frigo, M., Shelat, A.: Anonymous credentials from ECDSA. Cryptology ePrint Archive, Paper 2024/2010 (2024), https://eprint.iacr.org/2024/2010

  11. [11] Grother, P. J., Ngan, M. L., Yang, J., Quinn, G. W., Hom, A.: Face analysis technology evaluation: age estimation and verification. Tech. Rep. NIST IR 8525, National Institute of Standards and Technology (U.S.), Gaithersburg, MD (May 2024). https://doi.org/10.6028/NIST.IR.8525, https://n...

  12. [12] International Organization for Standardization: Personal identification — ISO-compliant driving licence — Part 5: Mobile driving licence (mDL) application. Standard ISO/IEC 18013-5:2021, International Organization for Standardization, Geneva, Switzerland (Sep 2021)

  13. [13] Kerbl, B., Kopanas, G., Leimkuehler, T., Drettakis, G.: 3D Gaussian Splatting for Real-Time Radiance Field Rendering. ACM Transactions on Graphics 42(4), Article 139, 1–14 (Aug 2023). https://doi.org/10.1145/3592433, https://dl.acm.org/doi/10.1145/3592433

  14. [14] Parliament of Australia: Online Safety Amendment (Social Media Minimum Age) Act 2024. No. 127, 2024 (2024), https://www.legislation.gov.au/C2024A00127/asmade/text

  15. [15] Parliament of the United Kingdom: Online Safety Act 2023 (2023), https://www.legislation.gov.uk, Royal Assent, 26 October 2023

  16. [16] Pauly, T., Valdez, S., Wood, C. A.: The Privacy Pass HTTP Authentication Scheme. RFC 9577, RFC Editor (Jun 2024). https://doi.org/10.17487/RFC9577, https://www.rfc-editor.org/info/rfc9577

  17. [17] Poh, N., Burns, D.: Biometric Bound Credentials for Age Verification (Sep 2025). https://doi.org/10.48550/arXiv.2509.07465, http://arxiv.org/abs/2509.07465, arXiv:2509.07465

  18. [18] Qian, S., Kirschstein, T., Schoneveld, L., Davoli, D., Giebenhain, S., Nießner, M.: GaussianAvatars: Photorealistic Head Avatars with Rigged 3D Gaussians (Mar 2024). https://doi.org/10.48550/arXiv.2312.02069, http://arxiv.org/abs/2312.02069, arXiv:2312.02069

  19. [19] Meunier, T., Rubin, C. D., Faz-Hernández, A.: Privacy Pass: upgrading to the latest protocol version. Cloudflare blog entry (2024), https://blog.cloudflare.com/privacy-pass-standard/