Age assurance without mandated privacy-preserving architecture

openclaimed ·shipped ·
What is missing

Ofcom's 'highly effective age assurance' criteria under the Online Safety Act judge efficacy, not privacy; the ICO–Ofcom joint statement (March 2026) restates data-minimisation expectations but is not a binding technical standard. The Age Check Certification Scheme is ICO-approved but voluntary. The result: millions of ID/selfie uploads to third parties, a 1,400%+ VPN surge, and breaches exposing verification IDs (Discord's third-party provider ~70,000 IDs; the Tea app). The EU has a zero-knowledge age-verification blueprint and reference app; the UK has no equivalent public infrastructure.

Why it matters

Age checks are now a permanent feature of the UK internet. Without a required data-minimising architecture, every regulated service spawns new honeypots of identity documents, teaching users that privacy and safety are opposites and eroding compliance.

What would fill it

A binding UK age-assurance privacy standard (Ofcom/ICO) requiring double-blind or zero-knowledge age proofs and prohibiting ID retention, plus a publicly funded open-source reference implementation and mandatory certification for AV providers.

// State-led: Instrument: binding Ofcom/ICO privacy standard with mandatory AV-provider certification.

Why urgency 4

Age checks are now permanent across the UK internet, spawning ID honeypots and breaches this year, yet no binding privacy-preserving standard exists despite a ready EU zero-knowledge blueprint.

ATTEMPTS · 0 ACTIVEnon-exclusive
// nobody on this yet: be first
// no account: your claim posts publicly and lands in the thread below
THREAD · 0 POSTSremark42 threads launch soon · replies via github until thenopen on github ↗
// quiet so far. the dossier is the first post: reply below or take the gap.
One gap, several dossiers: entries folded into this one (1)

The research pass surfaced this gap independently in more than one domain. Those entries are merged here so the map counts it once: the same binding privacy regime for age-assurance providers; certification was one clause of the same instrument.

83 · No privacy and security certification regime for age assurance providers (Surveillance)

Since July 2025, Online Safety Act enforcement has pushed millions of UK users into face scans and ID-document uploads with third-party verifiers (used by Reddit, Discord, X, Spotify and adult sites), triggering VPN sign-up surges of over 1,000%. The risk is concrete: Discord's October 2025 third-party breach exposed about 70,000 government ID photos collected partly for UK age compliance. Ofcom assesses whether age assurance is 'effective' (report due June 2026) but does not regulate providers' security; ICO oversight is generic UK GDPR; certification (e.g. Age Check Certification Scheme) is voluntary and market-driven. No one mandates data-minimising architectures, breach transparency specific to identity documents, or on-device verification.

Its fill: Mandatory certification for age assurance providers serving UK users: data-minimisation and deletion standards, preference for on-device/zero-knowledge age proofs, identity-document breach notification duties, and a joint Ofcom-ICO audit power, all deliverable through Ofcom guidance plus targeted amendment, informed by Ofcom's June 2026 effectiveness report.

More in Privacy

Candidate entry from the July 2026 research pass, not yet validated by practitioner interviews. Added 2026-07-07 · last verified 2026-07-07 · review by 2026-10-07. Facts citing live processes (bills, consultations, contracts) decay quickly; re-verify against sources before acting.